跨站点脚本漏洞 [英] cross-site scripting vulnerability

问题描述

如何防止在应用扫描中返回的跨站点脚本安全问题为高漏洞。

请参阅下面的扫描结果：

实体：参数：ctl00 $ ContentPlaceHolder1 $ TabContainer1 $ TabPanel3 $ txtSearches 
风险： 可能 窃取或操纵客户会话和 Cookie，可能会使用 to 冒充合法的用户，
允许黑客   view  或  alter  用户记录，和  执行交易 as  用户 
 Fi x：从 用户输入过滤掉危险字符 

 ctl00％24ContentPlaceHolder1％24TabContainer1％24TabPanel3％24txtSearches = 1234   />％uff1cscript％uff1ealert％uff081312％uff09％uff1c / script％uff1e  

获得后扫描结果我将正则表达式验证添加到txtSearches文本框以阻止非字母数字输入并重新启动应用程序但又返回了相同的漏洞。

解决方案

ContentPlaceHolder1

TabContainer1

TabPanel3

How to prevent cross-site scripting security issues which returned in app scan as high vulnerability.
See the scan result below:

Entity: Parameter:ctl00$ContentPlaceHolder1$TabContainer1$TabPanel3$txtSearches
Risk(s): It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user,
allowing the hacker to view or alter user records, and to perform transactions as that user
Fix: Filter out hazardous characters from user input

ctl00%24ContentPlaceHolder1%24TabContainer1%24TabPanel3%24txtSearches=1234"/>%uff1cscript%uff1ealert%uff081312%uff09%uff1c/script%uff1e

After got the scan result I added regular expression validation to txtSearches textbox to block non-alphanumeric inputs and rescaned the application but again returned the same vulnerability.

解决方案

ContentPlaceHolder1

TabContainer1

TabPanel3

这篇关于跨站点脚本漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！