Prevent Cross site scripting attack in asp.net C#

早过忘川 提交于 2020-01-06 20:59:49

问题


Below is the code for which I got checkmarx report stating that its vulnerable to stored XSS.it says the data layer gets data from the database, for the dt element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in aspx page.

<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" OnRowCancelingEdit="GridView1_RowCancelingEdit" 
 OnRowEditing="GridView1_RowEditing" OnRowUpdating="GridView1_RowUpdating" OnRowDeleting="GridView1_OnRowDeleting"  OnPageIndexChanging="GridView1_PageIndexChanging" Width ="1000px" class="grid">
 <Columns>   
    <asp:TemplateField HeaderText="User Name">   
        <ItemTemplate>   
            <asp:Label ID="lbl_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:Label>   
        </ItemTemplate>   
        <EditItemTemplate>   
            <asp:TextBox ID="txt_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:TextBox>   //this is the line vulnerable to XSS
        </EditItemTemplate>   
    </asp:TemplateField>       
</Columns>

code behind

    DataTable dt = new DataTable();
    try
    {
        SqlConnection con = new SqlConnection(conn);
        con.Open();
        SqlDataAdapter adapt = new SqlDataAdapter("Select Uid,Uname,Utype,Uemail,ClientName,ProjectName,Ulog from usrtable where ClientName=@clientname and Utype=@Normal, con);
  adapt.SelectCommand.Parameters.AddWithValue("@clientname", clientname); 
 adapt.SelectCommand.Parameters.AddWithValue("@Normal", "Normal");        
   adapt.Fill(dt);
        con.Close();
    } 



if (dt.Rows.Count > 0)
{
    GridView1.DataSource = dt;
    GridView1.DataBind();
}

Should I encode all the column values which am passing to item template or is it any other line of code vulnerable. If its html encoding, how do I achieve it. Kindly guide me through this issue.


回答1:


To prevent XSS when using TemplateField on .NET Frameworks 4.0 or older I use Microsoft Web Protection Library on the aspx page. On .NET Framework 4.5 is already integrate on the Frameworks there is no more need for library.

Frameworks 4.0 or older.

<ItemTemplate>
<asp:Label ID="Name" runat="server" 
     Text='<%#Microsoft.Security.Application.Encoder.HtmlEncode(Eval("Name").ToString()) %>'> 
</asp:Label>

Frameworks 4.5

<ItemTemplate>
<asp:Label ID="Name" runat="server" 
     Text='<%#System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("Name").ToString(),true) %>'> 
</asp:Label>

This will encode your label when they rendered. Use it only for the ItemTemplate, EditItemTemplate render has html input text and it will be encoded by the framework by default.




回答2:


To prevent the XSS you could add a server side CustomValidator (to prevent javascript validation bypass) associated with the textbox and setup the domain logic.

Edit (OP edited): You would also want to use parametrized queries to avoid SQL errors (user introducing single quotes and breaking the SQL) and SQL Injection.

Edit: The validator should check for malicious/unallowed html/js/css code. Not an expert on XSS, but you can have a look at OWAS for good guidelines. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet



来源:https://stackoverflow.com/questions/43586189/prevent-cross-site-scripting-attack-in-asp-net-c-sharp

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!