HTML tag injection in ASP.NET


Question

My security team reported an HTML tag injection security issue for the code below:

function ClosePopUp(objBhID) {
    var pageName = window.location.pathname;
    var modalPopupBehavior = $find(objBhID);
    if (modalPopupBehavior != null && modalPopupBehavior != 'undefined') {
        modalPopupBehavior.hide();
    }
    if (objBhID == 'bhThankMsg' && pageName == '/Projects/Comm.aspx') {
        var objPartnerID = '<%=Request.QueryString["partnerid"]%>';
        if (objPartnerID != 'undefined' && objPartnerID != null && objPartnerID != '') {
            window.location = '/Projects/Comm.aspx?Id=<%=Request.QueryString["ID"]%>&partnerid=<%=Request.QueryString["partnerid"]%>';
        }
        else {
            window.location = '/Projects/Comm.aspx?Id=<%=Request.QueryString["ID"]%>';
        }
    }
}

My security team reported the following issue:

HTML tag injection vulnerabilities were identified on this web application. HTML tag injections are used to aid in Cross-Site Request Forgeries and phishing attacks against third-party web sites, and can often double as Cross-Site Scripting vulnerabilities. Recommendations include implementing secure programming techniques that ensure proper filtration of user-supplied data, and encoding all user supplied data to prevent inserted scripts being sent to end users in a format that can be executed.

My requirement is that I don't want to allow any user or hacker to inject unnecessary data. How do I achieve this?

Recommended answer

Although the other answer will work in this case for URLs, because the built-in URL encoding happens to encode HTML and JavaScript escape characters, this is not a complete solution for using dynamic server-side values within JavaScript. Therefore I post my answer here so that hopefully no one falls into the trap of using the wrong encoding and produces something insecure.

The OWASP rule is:

Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute. DO NOT use any escaping shortcuts like \" because the quote character may be matched by the HTML attribute parser which runs first. These escaping shortcuts are also susceptible to "escape-the-escape" attacks where the attacker sends \" and the vulnerable code turns that into \\" which enables the quote.

However, an easier and, in my opinion, simpler solution is to never put server-side data within any script tag or script-enabled attribute at all. Use HTML5 data attributes; then you can insert your data, HTML encoded, into a safer HTML context.

I see you appear to be using jQuery. Why not do the following? Then you can use the built-in ASP.NET encoding functions.

<!-- data-partner-id rather than data-partnerId: attribute names are lower-cased by the browser, and jQuery's .data('partnerId') reads data-partner-id -->
<div id="myDynamicData" data-partner-id="<%=Server.HtmlEncode(Request.QueryString["partnerid"])%>" data-id="<%=Server.HtmlEncode(Request.QueryString["id"])%>"></div>

or simply

<div id="myDynamicData" data-partner-id="<%:Request.QueryString["partnerid"]%>" data-id="<%:Request.QueryString["id"]%>"></div>

on newer versions of .NET.

Your code then becomes:

function ClosePopUp(objBhID) {
    var pageName = window.location.pathname;
    var modalPopupBehavior = $find(objBhID);
    if (modalPopupBehavior != null && modalPopupBehavior != 'undefined') {
        modalPopupBehavior.hide();
    }
    if (objBhID == 'bhThankMsg' && pageName == '/Projects/Comm.aspx') {
        // Read the HTML-encoded values from the data attributes instead of
        // emitting them into the script; jQuery decodes the attribute text.
        var objPartnerID = $('#myDynamicData').data('partnerId');
        var id = $('#myDynamicData').data('id');
        if (objPartnerID) {
            // URL-encode when building the query string, since this is a URL context.
            window.location = '/Projects/Comm.aspx?Id=' + encodeURIComponent(id) + '&partnerid=' + encodeURIComponent(objPartnerID);
        }
        else {
            window.location = '/Projects/Comm.aspx?Id=' + encodeURIComponent(id);
        }
    }
}
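As an added example (not code from the question or the answer), here is the OWASP \xHH rule quoted in the answer implemented in JavaScript and compared with the shortcut escaping it warns against, using the "escape-the-escape" input from that text; escapeForJsString, shortcutEscape, renderWith and evaluate are names chosen here, and the sample value is constructed.

```javascript
// Added example, not code from the question or the answer above. Implements the
// OWASP rule quoted in the answer (\xHH escaping for JS string data) so its
// effect can be checked stand-alone. In the ASP.NET page this belongs on the
// server side; the function here only illustrates the rule.

// Escape every character except [A-Za-z0-9]: \xHH for code points below 256,
// \uHHHH otherwise. The result is inert inside a quoted JavaScript literal.
function escapeForJsString(value) {
  var out = '';
  for (var i = 0; i < value.length; i++) {
    var ch = value.charAt(i);
    var code = value.charCodeAt(i);
    if (/[A-Za-z0-9]/.test(ch)) {
      out += ch;
    } else if (code < 256) {
      out += '\\x' + ('0' + code.toString(16).toUpperCase()).slice(-2);
    } else {
      out += '\\u' + ('000' + code.toString(16).toUpperCase()).slice(-4);
    }
  }
  return out;
}

// The shortcut escaping the rule warns against: backslash-prefix quotes only.
function shortcutEscape(value) {
  return value.replace(/["']/g, function (q) { return '\\' + q; });
}

// The pattern from the question: a server-side value dropped into a
// single-quoted literal. Returns the JavaScript source that would be emitted.
function renderWith(escaper, partnerId) {
  return "var objPartnerID = '" + escaper(partnerId) + "';";
}

// Runs emitted source in isolation and reports the value objPartnerID ended
// up with, or 'SYNTAX ERROR' when the input broke out of the string literal.
function evaluate(src) {
  try {
    return new Function(src + ' return objPartnerID;')();
  } catch (e) {
    return 'SYNTAX ERROR';
  }
}

// Constructed sample: the "escape-the-escape" input from the OWASP text, a
// backslash followed by the quote character that delimits the literal.
var SAMPLE = "abc\\'def";  // the eight-character value abc\'def
```

With shortcut escaping the backslash survives and re-enables the quote, so the emitted literal no longer parses; with \xHH escaping the value round-trips unchanged.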
