防止ASP.NET C#中的跨站点脚本攻击 [英] Prevent Cross site scripting attack in asp.net C#

问题描述

下面是我收到的checkmarx报告的代码，指出该代码易受存储的XSS攻击.它说数据层从dt元素的数据库中获取数据.然后，该元素的值将流经代码，而不会被 经过正确过滤或编码，最终在aspx页中显示给用户.

Below is the code for which I got checkmarx report stating that its vulnerable to stored XSS.it says the data layer gets data from the database, for the dt element. This element’s value then flows through the code without being properly filtered or encoded and is eventually displayed to the user in aspx page.

<asp:GridView ID="GridView1" runat="server" AutoGenerateColumns="False" OnRowCancelingEdit="GridView1_RowCancelingEdit" 
 OnRowEditing="GridView1_RowEditing" OnRowUpdating="GridView1_RowUpdating" OnRowDeleting="GridView1_OnRowDeleting"  OnPageIndexChanging="GridView1_PageIndexChanging" Width ="1000px" class="grid">
 <Columns>   
    <asp:TemplateField HeaderText="User Name">   
        <ItemTemplate>   
            <asp:Label ID="lbl_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:Label>   
        </ItemTemplate>   
        <EditItemTemplate>   
            <asp:TextBox ID="txt_Name" runat="server" Text='<%#Eval("Uname") %>'></asp:TextBox>   //this is the line vulnerable to XSS
        </EditItemTemplate>   
    </asp:TemplateField>       
</Columns>

后面的代码

    DataTable dt = new DataTable();
    try
    {
        SqlConnection con = new SqlConnection(conn);
        con.Open();
        SqlDataAdapter adapt = new SqlDataAdapter("Select Uid,Uname,Utype,Uemail,ClientName,ProjectName,Ulog from usrtable where ClientName=@clientname and Utype=@Normal, con);
  adapt.SelectCommand.Parameters.AddWithValue("@clientname", clientname); 
 adapt.SelectCommand.Parameters.AddWithValue("@Normal", "Normal");        
   adapt.Fill(dt);
        con.Close();
    } 



if (dt.Rows.Count > 0)
{
    GridView1.DataSource = dt;
    GridView1.DataBind();
}

我应该对传递给项目模板的所有列值进行编码，还是对其他易受攻击的代码行进行编码?如果它是html编码，我该如何实现.请引导我解决此问题.

Should I encode all the column values which am passing to item template or is it any other line of code vulnerable. If its html encoding, how do I achieve it. Kindly guide me through this issue.

推荐答案

要在.NET Frameworks 4.0或更旧版本上使用TemplateField时阻止XSS，我使用 Microsoft Web保护库. 在.NET Framework 4.5上已经集成在Frameworks上，不再需要库.

To prevent XSS when using TemplateField on .NET Frameworks 4.0 or older I use Microsoft Web Protection Library on the aspx page. On .NET Framework 4.5 is already integrate on the Frameworks there is no more need for library.

Frameworks 4.0或更早版本.

Frameworks 4.0 or older.

<ItemTemplate>
<asp:Label ID="Name" runat="server" 
     Text='<%#Microsoft.Security.Application.Encoder.HtmlEncode(Eval("Name").ToString()) %>'> 
</asp:Label>

Frameworks 4.5

Frameworks 4.5

<ItemTemplate>
<asp:Label ID="Name" runat="server" 
     Text='<%#System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("Name").ToString(),true) %>'> 
</asp:Label>

这将在渲染标签时对您的标签进行编码.仅用于ItemTemplate，EditItemTemplate渲染具有html输入文本，默认情况下将由框架进行编码.

This will encode your label when they rendered. Use it only for the ItemTemplate, EditItemTemplate render has html input text and it will be encoded by the framework by default.

这篇关于防止ASP.NET C#中的跨站点脚本攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！