使用WebAPI时停止XSS [英] Stopping XSS when using WebAPI
问题描述
我有一个接受的控制器
public class MyModel
{
[MaxLength(400)]
public string Message { get; set; }
}
我有一个WebApi发布操作
public HttpResponseMessage Post(MyModel viewModel)
{
if (!ModelState.IsValid)
return new HttpResponseMessage(HttpStatusCode.BadRequest);
...
}
然后采取行动.
由于内容是用javascript写的,而不是直接在视图中写出的确切内容,因此也没有关于危险内容的asp.net警告.
我想防御XSS.此刻我正在做
HttpUtility.HtmlEncode(Regex.Replace(p.Message, @"<[^>]*>", String.Empty))
在获取"操作中. (从使用C#正则表达式删除HTML标签)
我应该使用Asp.Net内置的保护吗?有什么属性可以装饰我的模型?
我注意到了这个 http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx ,但请点击对 http://wpl.codeplex.com/的审查似乎非常糟糕.
由于您的代码目前处于运行状态,因此用户可以注入不使用脚本标签的JavaScript.
有常见列表可以使用的XSS漏洞./p>
现在,您接受一个字符串",而您解析出的只是HTML标记.不幸的是,有很多不依赖HTML的XSS攻击.
例如,将以下内容添加到Firefox中的GET请求中:%22onmouseover=prompt%28%29//将允许该人注入JavaScript.
您最好的选择是使用来自Microsoft的AntiXss库,并特别对GET和POST的参数进行编码请求.
(我必须去上班,但是稍后我将发布更多有关执行此操作的代码).
I have a controller which accepts
public class MyModel
{
[MaxLength(400)]
public string Message { get; set; }
}
I have a WebApi Post Action
public HttpResponseMessage Post(MyModel viewModel)
{
if (!ModelState.IsValid)
return new HttpResponseMessage(HttpStatusCode.BadRequest);
...
}
And a get action.
Since the content is written out by javascript rather than directly in a view the exact content was getting written out, also no asp.net warnings about dangerous content kicked in.
I want to protect against XSS. At the moment I am doing
HttpUtility.HtmlEncode(Regex.Replace(p.Message, @"<[^>]*>", String.Empty))
in the Get action. (Taken some code from Using C# regular expressions to remove HTML tags)
Is there any protection built in to Asp.Net I should be using? Are there any attributes I can decorate my model with?
I noticed this http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx but clicking through to http://wpl.codeplex.com/ is seems to be very badly reviewed.
As your code stands right now, a user could just inject JavaScript that doesn't use a script tag.
There is a common list of XSS vulnerabilities that could be used.
Right now you accept a 'string', and all you parse out are HTML tags. Unfortunately, there are a lot of XSS attacks that dont' rely on HTML.
For instance, adding the following to a GET Request in Firefox: %22onmouseover=prompt%28%29// will allow the person to inject JavaScript.
Your best bet is to use the AntiXss library from Microsoft, and specifically encode the parameters for GET and POST requests.
(I have to head to work, but I'll post more code later on how to do this).
这篇关于使用WebAPI时停止XSS的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
