发表新帖
发表新帖

How do you avoid XSS vulnerabilities in ASP.Net (MVC)?

后端 未结
关注
5 1926
庸人自扰
庸人自扰 2020-11-28 11:25

I recently noticed that I had a big hole in my application because I had done something like:

\" />
相关标签:
5条回答
  • 庸人自扰
    2020-11-28 11:38

    Watch this video from Scott Hanselman and Phil Haack. They cover XSS, CSRF, JSON Hijacking specifically with ASP.Net MVC.

    0 讨论(0)
  • 再見小時候
    2020-11-28 11:40

    Potentially Dangerous HTML Tags:

    While not an exhaustive list, the following commonly used HTML tags could allow a malicious user to inject script code:

    <applet>
<body>
<embed>
<frame>
<script>
<frameset>
<html>
<iframe>
<img>
<style>
<layer>
<link>
<ilayer>
<meta>
<object>

    An attacker can use HTML attributes such as src, lowsrc, style, and href in conjunction with the preceding tags to inject cross-site scripting. For example, the src attribute of the tag can be a source of injection, as shown in the following examples.

    <img src="javascript:alert('hello');">
<img src="java&#010;script:alert('hello');">
<img src="java&#X0A;script:alert('hello');">

    An attacker can also use the tag to inject a script by changing the MIME type as shown in the following.

    <style TYPE="text/javascript">
  alert('hello');
</style>
    0 讨论(0)
  • 星月不相逢
    2020-11-28 11:51

    There's a few ways:

    • Use the <%: %> syntax in ASP.NET MVC2 / .NET 4.0. (Which is just syntactic sugar for Html.Encode())
    • Follow the directions laid out by Phil Haack where it details using the Anti-XSS library as the 'default' encoding engine for ASP.NET.
    0 讨论(0)
  • 无人及你
    2020-11-28 11:52

    Syntax for HTML encoding

    1. <%: model.something %> syntax in WebForms

    2. It is automatic in Razor i.e. @model.something will auto encode automatically no need to do anything to encode.

    3. MVC3 HTML Helper methods return the encoded string automatically. e.g. Html.Label will return the encoded string

    More about cross site scripting

    http://thirum.wordpress.com/2013/10/24/how-asp-net-mvc-prevents-cross-site-scriptingxss-attack/

    0 讨论(0)
  • 死守一世寂寞
    2020-11-28 11:57

    In ASP.Net 4.0 or later, always use <%: ... %> instead of <%= ... %> ... it does the HTML encoding for you.

    Scott Gu's explanation.

    Having done that, it's fairly straightforward to grep your code for <%= regularly as a security precaution.

    Also, are you using the Microsoft Anti-XSS library?

    0 讨论(0)
 看不清?
提交回复
热议问题