How To: Prevent Cross-Site Scripting in ASP.NET
Source: Internet  Published: php virtual hosting  Editor: 程序博客网  Time: 2024/05/22 00:42
This post summarises the MSDN article on preventing Cross-Site Scripting (XSS) attacks in ASP.NET. Several of its points are worth adopting.
http://msdn.microsoft.com/en-us/library/ms998274.aspx
Two basic principles:
1) Constrain input
2) Encode output
Main steps:
- Step 1. Check that ASP.NET request validation is enabled.
- Step 2. Review ASP.NET code that generates HTML output.
- Step 3. Determine whether HTML output includes input parameters.
- Step 4. Review potentially dangerous HTML tags and attributes.
- Step 5. Evaluate countermeasures.
1) Encode HTML output (Response.Write) with HttpUtility.HtmlEncode/HtmlDecode, which converts a small set of special characters into a form the browser will not interpret as markup.
The conversion rules are:
The less-than character (<) is converted to &lt;.
The greater-than character (>) is converted to &gt;.
The ampersand character (&) is converted to &amp;.
The double-quote character (") is converted to &quot;.
Any ASCII code character whose code is greater-than or equal to 0x80 is converted to &#<number>;, where <number> is the ASCII character value.
For example: Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
2) Encode URL output (Response.Redirect) with HttpUtility.UrlEncode/UrlDecode. For example:
< and > are encoded as %3c and %3e respectively.
For example: Response.Redirect(HttpUtility.UrlEncode(urlString));
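As an added illustration (not code from this post or from the MSDN article it summarises), the following C# program encodes one constructed untrusted string for the two output contexts just described: an HTML text node and a URL query-parameter value. The page path /search.aspx and the parameter name q are assumed values chosen for the demo.

```csharp
// Added example; not code from the blog post or the MSDN article it summarises.
// Shows the same untrusted string encoded for two different output contexts.
// HttpUtility lives in System.Web on .NET Framework and in the System.Web.HttpUtility
// assembly on .NET Core 2.0 and later, so this compiles on either.
using System;
using System.Web;

static class OutputEncodingDemo
{
    // Constructed attacker-style input for the demo; it is not taken from a real request.
    public const string Untrusted = "<script>alert(\"attacking!\")</script> & co";

    // Context 1: an HTML text node. <, >, &, " (and ' on .NET 4.0 and later) become entities.
    public static string ForHtmlBody(string value) => HttpUtility.HtmlEncode(value);

    // Context 2: the value of a URL query parameter. Reserved characters become %xx escapes,
    // so the value can no longer terminate the parameter or introduce a new one.
    public static string ForUrlParameter(string value) => HttpUtility.UrlEncode(value);

    // Builds a redirect target. Only the untrusted *value* is URL-encoded, never the whole URL:
    // UrlEncode applied to a complete URL would also escape its '/', '?' and '=' separators.
    // "/search.aspx" and "q" are assumed names for the demo.
    public static string RedirectTarget(string untrustedQuery) =>
        "/search.aspx?q=" + ForUrlParameter(untrustedQuery);

    static void Main()
    {
        Console.WriteLine("HTML body : " + ForHtmlBody(Untrusted));
        Console.WriteLine("Redirect  : " + RedirectTarget(Untrusted));
    }
}
```

The two encoders are not interchangeable: HtmlEncode output belongs only inside an HTML text node or a quoted attribute, and UrlEncode output belongs only inside a query-string value. Applying UrlEncode to a complete address, as the one-liner above does, also escapes the '/' and '?' separators, so in practice encode the untrusted parameter values and build the URL around them.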
3) Constrain user input
A. Add ValidateRequest="false" to the @ Page directive, which disables ASP.NET request validation for that page.
B. When writing user input into an HTML page, run it through HtmlEncode so that malicious script such as <script>alert("attacking!")</script> is rendered as text rather than executed.
C. Use a StringBuilder and call Replace to restore the output of selected HTML elements only, for example to allow <b> and <i>.
<%@ Page Language="C#" ValidateRequest="false" %>
<%@ Import Namespace="System.Text" %>
<script runat="server">
    void submitBtn_Click(object sender, EventArgs e)
    {
        // Encode the whole input first, so no raw '<' or '>' survives
        StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(htmlInputTxt.Text));
        // Selectively allow <b> and <i> by restoring only their encoded literal forms
        sb.Replace("&lt;b&gt;", "<b>");
        sb.Replace("&lt;/b&gt;", "</b>");
        sb.Replace("&lt;i&gt;", "<i>");
        sb.Replace("&lt;/i&gt;", "</i>");
        Response.Write(sb.ToString());
    }
</script>
<html>
  <body>
    <form id="form1" runat="server">
      <asp:TextBox ID="htmlInputTxt" Runat="server" TextMode="MultiLine" />
      <asp:Button ID="submitBtn" Runat="server" Text="Submit" OnClick="submitBtn_Click" />
    </form>
  </body>
</html>
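The encode-then-restore pattern from step 3 C, factored into a reusable method, as an added example that is not the post's or MSDN's own code. It generalises the page's two Replace pairs to an allow-list array and runs constructed sample strings through it to show what survives: exact <b>/<i> tags come back as markup, while script tags, tags carrying attributes, and bare < characters in ordinary text stay encoded.

```csharp
// Added example (not the blog's or the MSDN article's code): the "encode everything,
// then restore an allow-list of exact tags" pattern as a method usable from a code-behind
// or a console program. Requires System.Web.HttpUtility.
using System;
using System.Text;
using System.Web;

static class SafeMarkup
{
    // Only these exact, attribute-free tags are restored after encoding.
    // Any other markup, and any <b ...> carrying attributes, stays as harmless text.
    static readonly string[] AllowedTags = { "b", "i" };

    public static string AllowBoldItalic(string untrusted)
    {
        // Step 1: neutralise everything. After this no raw '<' or '>' survives.
        var sb = new StringBuilder(HttpUtility.HtmlEncode(untrusted ?? string.Empty));

        // Step 2: put back only the literal open/close tags we trust.
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }

    static void Main()
    {
        // Constructed inputs for the demo; not real request data.
        string[] samples =
        {
            "<b>bold</b> and <i>italic</i>",            // allowed markup survives
            "<script>alert(\"attacking!\")</script>",   // stays encoded, shown as text
            "<b class=\"x\">styled</b>",                // attribute form is NOT restored
            "5 < 6 && 7 > 3",                           // plain text comparison stays text
        };
        foreach (string s in samples)
            Console.WriteLine(AllowBoldItalic(s));
    }
}
```

Because only the literal strings &lt;b&gt; and &lt;/b&gt; (and their <i> counterparts) are restored, an attribute-bearing <b ...> is never turned back into markup. The method does not balance tags, so an unclosed <b> in the input can bleed bold formatting into the rest of the page; that is a layout defect rather than script execution, and a tag-balancing pass can be added on top if it matters.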
4) Use the innerText property instead of innerHTML
// Using InnerText renders the content safe; no need to HtmlEncode
Welcome1.InnerText = "Hello, " + User.Identity.Name;
// Using InnerHtml requires HtmlEncode to make it safe
Welcome2.InnerHtml = "Hello, " + Server.HtmlEncode(User.Identity.Name);