How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

Time: 2022-04-26 04:14:20

I recently noticed that I had a big hole in my application because I had done something like:

<input type="text" value="<%= value%>" />

I know that I should have used Html.Encode, but is there any way to do that for all values, without having to do it explicitly?

5 solutions

#1


22  

There are a few ways:

  • Use the <%: %> syntax in ASP.NET MVC2 / .NET 4.0. (Which is just syntactic sugar for Html.Encode())
  • Follow the directions laid out by Phil Haack where it details using the Anti-XSS library as the 'default' encoding engine for ASP.NET.

#2


9  

Watch this video from Scott Hanselman and Phil Haack. They cover XSS, CSRF, JSON Hijacking specifically with ASP.Net MVC.

#3


7  

In ASP.Net 4.0 or later, always use <%: ... %> instead of <%= ... %> ... it does the HTML encoding for you.

Scott Gu's explanation.

Having done that, it's fairly straightforward to grep your code for <%= regularly as a security precaution.

Also, are you using the Microsoft Anti-XSS library?

#4


2  

Syntax for HTML encoding

  1. <%: model.something %> syntax in WebForms

  2. It is automatic in Razor, i.e. @model.something is encoded automatically; there is no need to do anything to encode it.

  3. MVC3 HTML Helper methods return the encoded string automatically, e.g. Html.Label will return the encoded string.

More about cross site scripting

http://thirum.wordpress.com/2013/10/24/how-asp-net-mvc-prevents-cross-site-scriptingxss-attack/
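Answers #1, #3 and #4 all rely on the same mechanism, so here is one added example (not code from the question or from any answer) that renders the question's input tag both ways using the encoder ASP.NET itself calls, HttpUtility.HtmlEncode, and shows the one case where <%: %> and Razor still emit raw markup: a value wrapped in an IHtmlString. The Untrusted string and the Render* helpers are constructed for this example; it assumes .NET Framework 4.0+ with a reference to System.Web.

```csharp
using System;
using System.Web;   // HttpUtility, HtmlString, IHtmlString (System.Web.dll, .NET 4.0+)

static class EncodingDemo
{
    // Constructed untrusted input: the leading quote closes the value=""
    // attribute and a <script> tag follows it.
    public const string Untrusted = "\"><script>alert('hello')</script>";

    // Equivalent of  <input type="text" value="<%= value %>" />  : nothing is
    // encoded, so the quote in Untrusted terminates the attribute early.
    public static string RenderRaw(string value)
    {
        return "<input type=\"text\" value=\"" + value + "\" />";
    }

    // Equivalent of  value="<%: value %>"  (WebForms / MVC 2 on .NET 4.0) or
    // value="@value" (Razor): HtmlEncode turns " < > & ' into character
    // references, so the whole string stays inside the attribute.
    public static string RenderEncoded(string value)
    {
        return "<input type=\"text\" value=\"" + HttpUtility.HtmlEncode(value) + "\" />";
    }

    // The escape hatch: <%: %> and Razor treat an IHtmlString (HtmlString,
    // MvcHtmlString, Html.Raw(...)) as already-safe HTML and emit it verbatim.
    // Only wrap output you encoded yourself or fully control.
    public static string RenderEncoded(IHtmlString alreadySafe)
    {
        return "<input type=\"text\" value=\"" + alreadySafe.ToHtmlString() + "\" />";
    }

    static void Main()
    {
        Console.WriteLine(RenderRaw(Untrusted));                      // attribute broken open
        Console.WriteLine(RenderEncoded(Untrusted));                  // one intact attribute value
        Console.WriteLine(RenderEncoded(new HtmlString(Untrusted)));  // same as the raw line
    }
}
```

The grep for <%= suggested in answer #3 is worth extending to Html.Raw and new HtmlString( for the same reason the third line shows.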

#5


1  

Potentially Dangerous HTML Tags:

While not an exhaustive list, the following commonly used HTML tags could allow a malicious user to inject script code:

<applet>
<body>
<embed>
<frame>
<script>
<frameset>
<html>
<iframe>
<img>
<style>
<layer>
<link>
<ilayer>
<meta>
<object>

An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting. For example, the src attribute of the <img> tag can be a source of injection, as shown in the following examples.

<img src="javascript:alert('hello');">
<img src="java&#010;script:alert('hello');">
<img src="java&#X0A;script:alert('hello');">

An attacker can also use the <style> tag to inject a script by changing the MIME type, as shown in the following.

<style TYPE="text/javascript">
  alert('hello');
</style>
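HTML-encoding the value (answers #1 to #4) keeps it inside the attribute, but a value placed in src= or href= is still read as a URL by the browser, which decodes character references such as &#010; before it looks at the scheme; that is why the three <img src> variants above are equivalent. The following added example (not code from the answer) is one way to validate such values server-side: decode the same way the browser will, then allow only a short list of schemes. It assumes .NET 4.0+ (System.Net.WebUtility); the class name, the allow list and the sample inputs are the example's own.

```csharp
using System;
using System.Net;    // WebUtility.HtmlDecode (.NET 4.0+)
using System.Text;

static class UrlAttributeCheck
{
    // Example allow list; extend it deliberately, never with javascript: or data:.
    static readonly string[] AllowedSchemes = { "http", "https", "mailto" };

    // True when the value may go into src= / href= (still HtmlEncode it on output).
    public static bool IsAllowedUrl(string attributeValue)
    {
        if (attributeValue == null) return false;
        // 1. Decode character references as the HTML parser will:
        //    &#010; and &#X0A; both become a newline here.
        string url = WebUtility.HtmlDecode(attributeValue);
        // 2. Drop control characters and whitespace. Browsers ignore tab, LF and
        //    CR inside a URL; dropping all whitespace is stricter, which is the
        //    safe direction for an allow list.
        var compact = new StringBuilder(url.Length);
        foreach (char c in url)
            if (c > ' ') compact.Append(c);
        string u = compact.ToString();
        // 3. The scheme is the text before the first ':' unless '/', '?' or '#'
        //    comes first, in which case the URL is relative and has no scheme.
        int colon = u.IndexOf(':');
        int delimiter = u.IndexOfAny(new[] { '/', '?', '#' });
        if (colon < 0 || (delimiter >= 0 && delimiter < colon)) return true;
        string scheme = u.Substring(0, colon).ToLowerInvariant();
        return Array.IndexOf(AllowedSchemes, scheme) >= 0;
    }

    static void Main()
    {
        // Constructed inputs: the three src values from the answer, a relative
        // path and an https URL. Only the last two pass the allow list.
        string[] samples =
        {
            "javascript:alert('hello');",
            "java&#010;script:alert('hello');",
            "java&#X0A;script:alert('hello');",
            "/images/logo.png",
            "https://example.com/logo.png",
        };
        foreach (string s in samples)
            Console.WriteLine("{0,-36} allowed: {1}", s, IsAllowedUrl(s));
    }
}
```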
