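We are launching our first public alpha of http://wwww.trademango.com, built with the Play framework. I have experienced Web Parameter Tampering attempts made by someone or something (i.e. a bot). These attempts have been going on for some time now. We are looking at improving our security. I would like to know whether anyone has experience integrating tools such as OWASP with Playframework. I would like some community feedback on how others have responded to this kind of attack.
Here are a few of the Web Parameter Tampering attempts in action: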
@69mkklokf
Internal Server Error (500) for request GET /supplier/:q/:page?q=:supplierUUID

Execution exception (In {module:common-model}/app/models/services/ID.java around line 46)
NumberFormatException occured : For input string: ""

play.exceptions.JavaExecutionException: For input string: ""
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:231)
    at Invocation.HTTP Request(Play!)
Caused by: java.lang.NumberFormatException: For input string: ""
    at java.lang.NumberFormatException.forInputString(NumberFormatException.java:65)
    at java.lang.Long.parseLong(Long.java:450)
    at java.lang.Long.valueOf(Long.java:508)
    at models.services.ID.base36ToUUID(ID.java:46)
    at controllers.Application.supplier(Application.java:177)
    at play.mvc.ActionInvoker.invokeWithContinuation(ActionInvoker.java:548)
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:502)
    at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:478)
    at play.mvc.ActionInvoker.invokeControllerMethod(ActionInvoker.java:473)
    at play.mvc.ActionInvoker.invoke(ActionInvoker.java:161)
    ... 1 more

22 Mar 2012 07:20:57,270 ERROR play:570 -
@69mkklokg
phpmyadmin.translators.html action not found

Action not found
Action phpmyadmin.translators.html could not be found. Error raised is Controller controllers.phpmyadmin.translators not found

play.exceptions.ActionNotFoundException: Action phpmyadmin.translators.html not found
    at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)
    at play.mvc.ActionInvoker.resolve(ActionInvoker.java:85)
    at Invocation.HTTP Request(Play!)
Caused by: java.lang.Exception: Controller controllers.phpmyadmin.translators not found
    ... 3 more

22 Mar 2012 10:13:16,611 ERROR play:570 -
@69mkklokh
nice ports,.Trinity.txt.bak action not found

Action not found
Action nice ports,.Trinity.txt.bak could not be found. Error raised is Controller controllers.nice ports,.Trinity.txt not found

play.exceptions.ActionNotFoundException: Action nice ports,.Trinity.txt.bak not found
    at play.mvc.ActionInvoker.getActionMethod(ActionInvoker.java:590)
    at play.mvc.ActionInvoker.resolve(ActionInvoker.java:85)
    at Invocation.HTTP Request(Play!)
Caused by: java.lang.Exception: Controller controllers.nice ports,.Trinity.txt not found
    ... 3 more
Answer 0 (score: 1)
I suggest removing the 'catch all' route:
# Catch all
* /{controller}/{action} {controller}.{action}
Remove it, and map all controllers and actions explicitly.
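
The change suggested in this answer, as an added example that is not part of the original post: a Play 1.x `conf/routes` file with the catch-all removed and each action mapped explicitly. `Application.supplier` and its `q` and `page` parameters are taken from the stack trace in the question; the URL patterns, the `[0-9a-z]+` ID alphabet and `Application.index` are assumptions.

```conf
# Before: the catch-all makes every public static action of every controller
# reachable by URL, and probes such as /phpmyadmin/translators.html are
# handed to the action resolver (the "Action not found" errors in the log).
# *       /{controller}/{action}                  {controller}.{action}

# After: only the URLs listed here resolve; everything else is a plain 404
# at the router and never reaches controller lookup.
GET     /                                         Application.index

# Pattern constraints (assumed alphabet): q must be a non-empty base36 string
# and page must be digits, otherwise the route does not match.
GET     /supplier/{<[0-9a-z]+>q}/{<[0-9]+>page}   Application.supplier

# Static assets
GET     /public/                                  staticDir:public
```

A route pattern only filters the shape of a parameter; a value that matches the pattern can still fail to parse (for example one too long for a `long`), so the action should still handle `NumberFormatException` and answer with `notFound()` rather than a 500.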