处理安全性并避免使用用户输入的URL进行XSS的最佳方法 [英] Best way to handle security and avoid XSS with user entered URLs
问题描述
我们有一个高度安全的应用程序,我们希望允许用户输入其他用户会看到的URL.
We have a high security application and we want to allow users to enter URLs that other users will see.
这带来了XSS黑客攻击的高风险-用户可能输入其他用户最终执行的javascript.由于我们保存着敏感数据,因此绝不能发生这种情况至关重要.
This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens.
处理此问题的最佳做法是什么?仅凭任何一个安全白名单或转义模式就足够了吗?
What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough?
关于重定向的任何建议(例如,在链接之前,警告页面上的此链接超出了我们的站点范围"消息)
Any advice on dealing with redirections ("this link goes outside our site" message on a warning page before following the link, for instance)
是否有一个论点根本不支持用户输入的链接?
Is there an argument for not supporting user entered links at all?
说明:
基本上我们的用户要输入:
Basically our users want to input:
stackoverflow.com
stackoverflow.com
并将其输出到另一个用户:
And have it output to another user:
<a href="http://stackoverflow.com">stackoverflow.com</a>
我真正担心的是他们在XSS hack中使用此功能. IE.他们输入:
What I really worry about is them using this in a XSS hack. I.e. they input:
alert('hacked!');
alert('hacked!');
因此其他用户获得此链接:
So other users get this link:
<a href="javascript:alert('hacked!');">stackoverflow.com</a>
我的示例只是为了解释这种风险-我很清楚javascript和URL是不同的东西,但是通过让它们输入后者,它们也许能够执行前者.
My example is just to explain the risk - I'm well aware that javascript and URLs are different things, but by letting them input the latter they may be able to execute the former.
您会惊奇地发现,用这个技巧可以破解多少个站点-HTML甚至更糟.如果他们知道处理链接,他们还知道清理<iframe>,<img>和聪明的CSS引用吗?
You'd be amazed how many sites you can break with this trick - HTML is even worse. If they know to deal with links do they also know to sanitise <iframe>, <img> and clever CSS references?
我正在一个高度安全的环境中工作-一次XSS黑客攻击可能给我们造成非常高的损失.我很高兴我可以制作一个Regex(或使用迄今为止的出色建议之一),以排除我能想到的所有内容,但这足够了吗?
I'm working in a high security environment - a single XSS hack could result in very high losses for us. I'm happy that I could produce a Regex (or use one of the excellent suggestions so far) that could exclude everything that I could think of, but would that be enough?
推荐答案
如果您认为URL不能包含代码,请再三考虑!
If you think URLs can't contain code, think again!
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
阅读并哭泣.
这是我们在堆栈溢出时的处理方式:
Here's how we do it on Stack Overflow:
/// <summary>
/// returns "safe" URL, stripping anything outside normal charsets for URL
/// </summary>
public static string SanitizeUrl(string url)
{
return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;\(\)]", "");
}
这篇关于处理安全性并避免使用用户输入的URL进行XSS的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
