英文:
How to avoid XSS in this asp.net code, url : http://localhost/Tiles/ShowPage.aspx?u=javascript:alert(1234)?
问题
当在浏览器中使用此URL时,会弹出警报。
我添加了“javascript:alert(1234)”部分,实际上是其他内容。
客户要求避免XSS类型的攻击(比如javascript:alert(1234))。
我对此非常陌生,抱歉可能问得很幼稚:
这个URL究竟是在项目中的哪里调用的,我不知道是在ShowPage.aspx还是其他地方。
我知道我只需要使用下面的代码来避免XSS,但不知道在哪里使用它!
HttpUtility.HtmlEncode(http://localhost/Tiles/ShowPage.aspx?u=javascript:alert(1234));
提前感谢。
英文:
When this url is used in browser , an alert comes out .
http://localhost/Tiles/ShowPage.aspx?u=javascript:alert(1234)
I added "javascript:alert(1234)" part , it was spmething else .
The customer asked to avoid XSS kind of attck (like javascript:alert(1234))
I am very new to this, sorry it maybe lame to ask :
Where exacly this url is called in project, I dont know if it is in ShowPage.aspx or some where else.
I know I just need to use the code below to avoid XSS , but don't know where to use it!
HttpUtility.HtmlEncode(http://localhost/Tiles/ShowPage.aspx?u=javascript:alert(1234));
Thx in advance .
答案1
得分: 1
这是一个庞大的话题,远远超出了像SO这样的简单问答论坛。
你没有展示网页中的标记(也许是空白的并且默认的,或者你没有任何标记 - 但即使这个信息也非常重要)。
在这里,你需要基本的asp.net技能。那么,你说你不知道上面的内容来自哪里是什么意思?你输入一些JavaScript代码,而它被允许执行。
更糟糕的是,你甚至都没有提到你在使用哪个框架版本。
然而,鉴于你没有包含一些基本信息,这告诉我你在这方面的技能水平远远不够。
不过,假设你使用的是.NET 4.x框架和Web Forms(但是,再次强调,我们在这方面一无所知),那么我会检查Web配置文件:
<system.web>
<httpRuntime targetFramework="4.8" requestValidationMode="4.8"/>
这应该防止你的"注入"示例代码起作用,但正如我所说,脚本注入和网站安全是一个完整的职业领域,通常需要有多年经验的人来处理。
不过,正如我之前指出的,由于提供的信息如此"脆弱",而且更糟糕的是,你认为这些简单的细节在这里不是必需的?
我们真的需要更多的细节。
默认情况下,JavaScript不应该能够运行。如果查询URL参数接受该输入并在页面上显示它(例如作为标记),那么JavaScript将会运行。
在大多数情况下,asp.net已经内置了防止此类注入的保护措施。
假设我们有一个简单的文本框和以下标记:
<h3>请输入一些文本</h3>
<asp:TextBox ID="TextBox1" runat="server" TextMode="MultiLine" Height="148px" Width="407px">
</asp:TextBox>
<br />
<br />
<asp:Button ID="Button1" runat="server" Text="提交" CssClass="btn" OnClick="Button1_Click" />
<br />
<br />
<h3>您输入了</h3>
<asp:Label ID="Label1" runat="server" Text=""></asp:Label>
以及后台代码:
Protected Sub Button1_Click(sender As Object, e As EventArgs)
Label1.Text = TextBox1.Text
End Sub
所以,现在我们有这个:
问题现在是,用户的输入被"显示"并且"注入"到页面中,包括我键入的JavaScript。
为了防止上述情况发生,请确保页面上不包含以下内容:
<%@ Page Language="vb" AutoEventWireup="false" CodeBehind="WebForm4.aspx.vb"
Inherits="TestWeb.WebForm4"
ValidateRequest="false"
%>
所以,让我们从页面中删除上述的ValidateRequest = false。
现在,当我们尝试这样做时,我们会得到:
通常情况下,页面不应允许用户输入被重新显示。因为如果我们接受用户输入,并"只是显示"用户输入的内容,那么用户可以包括标记,甚至更糟糕的是,包括脚本代码。
尽管我从页面中删除了验证请求,但你应该在Web配置文件中全局启用这个,而不是在每个页面中。
因此,你应该在Web配置文件中有以下内容(但通常默认情况下已经启用):
<system.web>
<httpRuntime targetFramework="4.8" requestValidationMode="4.8" />
结果,即使输入以下内容:
<b>这是粗体文本</b>
都会触发错误,并且页面不会允许后台提交。
在你的示例中,在URL中直接键入了一些JavaScript代码,但通常情况下,只有当页面上的标记采用URL参数并将其原始未经触及的值显示在页面上时,脚本才会运行。
英文:
this is a massive topic, and way beyond a simple Q+A forum like SO.
You don't show the markup in that web page (maybe it is blank and defaulted, and you don't have any markup - but EVEN that information was BEYOND important.
You need basic asp.net skills here. So, what do you mean you don't know where the above is coming from? You typing in some js code, and it is being allowed.
Worse yet? You don't even bother to mention what framework version you are using here.
However, given that you NOT included some basic information here? That tells me you are in way beyond your skill levels here.
However, assuming say .net 4.x framework, and web forms (but ,again, we are clueless here), then I would check the web config:
<system.web>
<httpRuntime targetFramework="4.8" requestValidationMode="4.8"/>
This should prevent your example "injection" example code from working, but as I stated, script injection and web site security is a WHOLE career path, and generally requires someone with years of experience in this area.
But then again, as noted, with such "feeble" information provided here, and worse being that you think such simple details are not required here?
We really do need more details here.
That JavaScript should not be able to run by default. now if that query URL parameter takes that input and displays that on the page (say as markup), then the JavaScript will run.
In most cases, asp.net already has protection built in against such injection.
Say we have a simple text box and markup like this:
<h3>Please enter some text</h3>
<asp:TextBox ID="TextBox1" runat="server" TextMode="MultiLine" Height="148px" Width="407px">
</asp:TextBox>
<br />
<br />
<asp:Button ID="Button1" runat="server" Text="Submit" CssClass="btn"
OnClick="Button1_Click" />
<br />
<br />
<h3>You entered</h3>
<asp:Label ID="Label1" runat="server" Text="">
</asp:Label>
And code behind:
Protected Sub Button1_Click(sender As Object, e As EventArgs)
Label1.Text = TextBox1.Text
End Sub
So, now we have this:
So, the issue is now input by a user is "displayed" and INJECTED into the page. Including that of javaScript I type in.
So, to prevent the above, then make sure on the page, we do NOT have this:
<%@ Page Language="vb" AutoEventWireup="false" CodeBehind="WebForm4.aspx.vb"
Inherits="TestWeb.WebForm4"
ValidateRequest="false"
%>
So, lets remove the above ValidateRequest = false from that page.
So, now when we try this, we get:
So, as a general rule, a page should not allow USER input to be re-displayed. Since if we take user input, and "just display" what the user typed in, then the user can include markup, and VERY much worse, include script code.
Now, while I removed the validate request from the page, you should enable this "system" wide, and not per page in web config.
Thus you should have this in web confige (but, it is enabled by default anyway).
eg this:
<system.web>
<httpRuntime targetFramework="4.8" requestValidationMode="4.8" />
As a result, then even typing in say
<b>This is bold text</b>
That will trigger a error, and the page post-back will not be allowed.
In your example, in the url, some JavaScript code is typed in directly, but as a general rule, that script should not run unless the markup on the page is taking that URL parameter and displaying that raw un-touched value into the page for display.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论