How do you fight against all these ways? - Javascript and its million different ways of being written

Time: 2021-09-07 21:08:29

I just don't know what to think anymore. It seems like the people who made javascript went out of their way to allow it to be written a million different ways so hackers can have a field day.

I finally got my white list up by using html agility pack. It should remove

<script></script>

as it is not in my white list, plus any onclick, onmouse, etc.

However now it seems you can write javascript in the attribute tags.

<IMG SRC="javascript:alert('hi');">

and since I allow SRC attributes my white list can't help me on this. So I came up with the idea to go through all valid attributes at the end and look inside them.

So it would find all my allowed attributes for every html tag (so src, href, etc.).

I then found the innertext and put it to lowercase. I then did an index check on this string for "javascript".

If an index was found I started at that index and removed every character from that index on. So in the above case the attribute would be left with Src="".

Now it seems that is not good enough since you can do something like

java script jav ascript

and probably a space between every letter.

So I don't know how to stop it. If it was just a space between java and script then I could just write a simple regex that did not care how many spaces between. But if it is really that you can put a space or tab or whatever after each letter then I have no clue.

Then to top it off you can do all these other great ways too

    <IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;> // will work apparently
    <IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041> // will work apparently
    <IMG SRC="jav    ascript:alert('XSS');"> // will work apparently
    <IMG SRC="jav&#x09;ascript:alert('XSS');"> // will work apparently
    <IMG SRC="jav&#x0A;ascript:alert('XSS');"> // will work apparently
    <IMG SRC="jav&#x0D;ascript:alert('XSS');"> // will work apparently

http://ha.ckers.org/xss.html

I know this is for some cross-site scripting attack (I am not making an XSS; asp.net mvc does a good job of this already) but I don't see why it can't be used for other things; like in all those examples it makes alerts, so it could be used for something else.

So I have no clue how to check and remove any of these.

I am using C# but I don't know how to stop any of these and don't know of anything in C# that could help me out.
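
As an added example (not code from the question or either answer), this is the check I would put behind the attribute walk described above, in C# with HtmlAgilityPack since that is what the question already uses: it decodes the attribute value the way the HTML parser does, strips the control characters browsers ignore, and then allow-lists the scheme, so the entity-encoded and whitespace-split variants listed above are all rejected without ever searching for the string "javascript". The attribute list, the scheme list and the reliance on HtmlAgilityPack returning attribute values undecoded are assumptions made for this example.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;
using HtmlAgilityPack;

public static class UrlAttributeSanitizer
{
    // Attributes whose value the browser loads as a URL (assumed list; align it with your own allow list).
    static readonly string[] UrlAttributes = { "src", "href", "action", "formaction" };
    // Scheme allow list: javascript:, vbscript:, data: and anything else not named here is dropped.
    static readonly string[] AllowedSchemes = { "http", "https", "mailto" };
    public static string Sanitize(string fragment)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(fragment);
        foreach (var node in doc.DocumentNode.Descendants().Where(n => n.NodeType == HtmlNodeType.Element))
            foreach (var attr in node.Attributes.ToList())
                if (UrlAttributes.Contains(attr.Name.ToLowerInvariant()) && !IsSafeUrl(attr.Value))
                    attr.Value = "";            // keep the tag, drop the value (the result AntiXss gives too)
        return doc.DocumentNode.OuterHtml;
    }

    // Decide the way the browser would: decode the value, drop control characters,
    // then allow-list the scheme instead of searching the raw string for "javascript".
    public static bool IsSafeUrl(string raw)
    {
        if (string.IsNullOrEmpty(raw)) return true;
        // 1. Numeric character references, with or without ';' and with any number of leading
        //    zeros (&#106; &#0000106 &#x09;): the HTML parser decodes every one of these.
        string decoded = Regex.Replace(raw, @"&#(?:x0*([0-9a-f]{1,6})|0*([0-9]{1,7}));?",
            m => ((char)Convert.ToInt32(m.Groups[1].Success ? m.Groups[1].Value : m.Groups[2].Value,
                                        m.Groups[1].Success ? 16 : 10)).ToString(),
            RegexOptions.IgnoreCase);
        decoded = WebUtility.HtmlDecode(decoded);   // named references (&amp; &lt; ...)
        // 2. Browsers ignore tab, LF and CR inside a URL ("jav&#x09;ascript"); stripping every
        //    C0 control and space is stricter than that, which is the safe direction.
        string compact = Regex.Replace(decoded, @"[\x00-\x20\x7F]", "");
        int colon = compact.IndexOf(':');
        if (colon >= 0)   // fail safe: whatever precedes the first ':' must be an allowed scheme
            return AllowedSchemes.Contains(compact.Substring(0, colon).ToLowerInvariant());
        // 3. No ':' left, so a relative URL, unless an undecoded entity (HTML5 names such as
        //    &colon;, absent from .NET's HTML 4 table) still hides one before the query string.
        int amp = compact.IndexOf('&'), query = compact.IndexOfAny(new[] { '?', '#' });
        return amp < 0 || (query >= 0 && amp > query);
    }
}
```

Running Sanitize over the six IMG lines quoted above leaves each of them with an empty src, while an https URL or a plain relative path is kept untouched.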

2 solutions

#1


6  

Seems you want to clean out javascript, and for that there is in fact a nice solution for you in C#/.Net.

Download Microsoft Web Protection Library from CodePlex.

If you run your html fragment through Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment(html) then you will end up with this output:

<img src=""> // will work apparently
<img src=""> // will work apparently
<img src=""> // will work apparently
<img src="">// will work apparently
<img src=""> // will work apparently
<img src=""> // will work apparently

All script cleaned out.

#2


0  

Make a page, say redir. Now after form submission take all src attributes' values and replace them with redir?src=theExactValueHere. Now that redir program first downloads the value of the GET parameter src (which is eventually the actual src attribute's value) from the server side and then forwards the content as it is, including the exact same MIME type. It can also do some checking on the attribute's value and then a header redirection too.

There are even more ways, but I think this would be the simplest and reliable too.