问题
Below is the code for which I got checkmarx report stating that its vulnerable to stored XSS.it says the data layer gets data from the database, for the dt element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in aspx page.
<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" OnRowCancelingEdit="GridView1_RowCancelingEdit"
OnRowEditing="GridView1_RowEditing" OnRowUpdating="GridView1_RowUpdating" OnRowDeleting="GridView1_OnRowDeleting" OnPageIndexChanging="GridView1_PageIndexChanging" Width ="1000px" class="grid">
<Columns>
<asp:TemplateField HeaderText="User Name">
<ItemTemplate>
<asp:Label ID="lbl_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:Label>
</ItemTemplate>
<EditItemTemplate>
<asp:TextBox ID="txt_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:TextBox> //this is the line vulnerable to XSS
</EditItemTemplate>
</asp:TemplateField>
</Columns>
code behind
DataTable dt = new DataTable();
try
{
SqlConnection con = new SqlConnection(conn);
con.Open();
SqlDataAdapter adapt = new SqlDataAdapter("Select Uid,Uname,Utype,Uemail,ClientName,ProjectName,Ulog from usrtable where ClientName=@clientname and Utype=@Normal, con);
adapt.SelectCommand.Parameters.AddWithValue("@clientname", clientname);
adapt.SelectCommand.Parameters.AddWithValue("@Normal", "Normal");
adapt.Fill(dt);
con.Close();
}
if (dt.Rows.Count > 0)
{
GridView1.DataSource = dt;
GridView1.DataBind();
}
Should I encode all the column values which am passing to item template or is it any other line of code vulnerable. If its html encoding, how do I achieve it. Kindly guide me through this issue.
回答1:
To prevent XSS when using TemplateField on .NET Frameworks 4.0 or older I use Microsoft Web Protection Library on the aspx page. On .NET Framework 4.5 is already integrate on the Frameworks there is no more need for library.
Frameworks 4.0 or older.
<ItemTemplate>
<asp:Label ID="Name" runat="server"
Text='<%#Microsoft.Security.Application.Encoder.HtmlEncode(Eval("Name").ToString()) %>'>
</asp:Label>
Frameworks 4.5
<ItemTemplate>
<asp:Label ID="Name" runat="server"
Text='<%#System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("Name").ToString(),true) %>'>
</asp:Label>
This will encode your label when they rendered. Use it only for the ItemTemplate, EditItemTemplate render has html input text and it will be encoded by the framework by default.
回答2:
To prevent the XSS you could add a server side CustomValidator (to prevent javascript validation bypass) associated with the textbox and setup the domain logic.
Edit (OP edited): You would also want to use parametrized queries to avoid SQL errors (user introducing single quotes and breaking the SQL) and SQL Injection.
Edit: The validator should check for malicious/unallowed html/js/css code. Not an expert on XSS, but you can have a look at OWAS for good guidelines. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
来源:https://stackoverflow.com/questions/43586189/prevent-cross-site-scripting-attack-in-asp-net-c-sharp