在asp.net中验证XPath查询以避免XPath-Injection [英] Validate a XPath query in asp.net to avoid XPath-Injection

问题描述

hi
我正在创建一个示例登录应用程序，它将验证所有有效用户，但是，我将用户名和密码存储在xml文件中。我的代码适用于有效凭证以及无效凭证，如xpath注入代码'或'1'='1。我正在敲打我的头来克服这个问题我已经通过了XPathDocument，XPathNavigator，XPathExpression，XPathNodeIterator，但仍然是相同的输出。请建议我在没有任何第三方dll的情况下如何做。

hi I am creating a sample login application which will authenticate all the valid users but, I am storing my username and passwords in a xml file. My code is working for valid credential as well as invalid credential like xpath injection code ' or '1' = '1. I am banging my head to overcome this I have gone through XPathDocument, XPathNavigator, XPathExpression, XPathNodeIterator but still the same output. Please suggest me how would I do without any third party dll.

推荐答案

嗨Prafulla，



如果你可以拒绝在你存储的字符串中使用撇号，这将是一个前期的解决方案。



当然首选的解决方案是使用变量，用于SQL注入以及不太知道的XPath注入。



Read\watch更多关于注入

XPath Injection Exploitation [ ^ ]

如何防止在.NET中注入XPath / XML [ ^ ]

SQL注入攻击和一些关于如何防范它们的技巧 [ ^ ]



祝你好运，

Edo

Hi Prafulla,

If you can deny usage of apostrophe in the string that you store, that would be an up front solution.

The preferred solution of course is the usage of variables, this goes for SQL Injection as well as the less known XPath Injection.

Read\watch more about Injection
XPath Injection Exploitation[^]
How to prevent XPath/XML injection in .NET[^]
SQL Injection Attacks and Some Tips on How to Prevent Them[^]

Good luck,
Edo

这篇关于在asp.net中验证XPath查询以避免XPath-Injection的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！