防止asp.net中的跨站点脚本攻击 [英] prevent cross site scripting attack in asp.net
问题描述
我在asp.net网络表单中有一个按数字搜索的页面.我要制作该页面,以便它可以防止任何跨站点脚本编写.
I have a search page by number in asp.net websform. I want to make the page so that it will prevent any cross site scripting .
有人可以向我推荐最好的解决方案吗??
Can anybody sugest me the best solution for this.?
推荐答案
MSDN文章如何:在ASP.NET中防止跨站点脚本编写" 对此进行了很多详细介绍.部分内容如下.
MSDN article "How To: Prevent Cross-Site Scripting in ASP.NET" goes into a lot of details on it. Partial content below.
步骤摘要
为防止跨站点脚本编写,请执行以下步骤:
步骤1.检查ASP.NET请求验证是否已启用.
步骤2.查看生成HTML输出的ASP.NET代码.
步骤3.确定HTML输出是否包含输入参数.
步骤4.查看潜在危险的HTML标签和属性.
步骤5.评估对策.
Summary of Steps
To prevent cross-site scripting, perform the following steps:
Step 1. Check that ASP.NET request validation is enabled.
Step 2. Review ASP.NET code that generates HTML output.
Step 3. Determine whether HTML output includes input parameters.
Step 4. Review potentially dangerous HTML tags and attributes.
Step 5. Evaluate countermeasures.
步骤1.检查是否已启用ASP.NET请求验证
默认情况下,在Machine.config中启用请求验证.验证当前在服务器的Machine.config文件中启用了请求验证,并且您的应用程序未在其Web.config文件中覆盖此设置.如下面的代码示例所示,检查validateRequest是否设置为true.
Step 1. Check That ASP.NET Request Validation Is Enabled
By default, request validation is enabled in Machine.config. Verify that request validation is currently enabled in your server's Machine.config file and that your application does not override this setting in its Web.config file. Check that validateRequest is set to true as shown in the following code example.
<system.web>
<pages buffer="true" validateRequest="true" />
</system.web>
您可以逐页禁用请求验证.除非必要,请检查您的页面是否不会禁用此功能.例如,如果页面包含旨在接受一系列HTML字符作为输入的自由格式富文本输入字段,则可能需要禁用该功能.有关如何安全处理此类页面的更多信息,请参见步骤5.评估对策.
You can disable request validation on a page-by-page basis. Check that your pages do not disable this feature unless necessary. For example, you may need to disable this feature for a page if it contains a free-format, rich-text entry field designed to accept a range of HTML characters as input. For more information about how to safely handle this type of page, see Step 5. Evaluate Countermeasures.
要测试是否已启用ASP.NET请求验证
-
创建一个禁用请求验证的ASP.NET页面.去做这个,设置ValidateRequest ="false",如下面的代码示例所示.
Create an ASP.NET page that disables request validation. To do this, set ValidateRequest="false", as shown in the following code example.
<%@页面语言="C#" ValidateRequest ="false"%>< html>< script runat ="server">void btnSubmit_Click(对象发送者,EventArgs e){//如果ValidateRequest为false,则显示'hello'//如果ValidateRequest为true,则ASP.NET返回一个异常Response.Write(txtString.Text);}</script><身体>< form id ="form1" runat ="server">< asp:TextBox id ="txtString" runat ="server"Text =< script> alert('hello');</script>"/>< asp:按钮id ="btnSubmit" runat =服务器"
OnClick ="btnSubmit_Click"Text =提交"/></form></body></html>
- 运行页面.它在消息框中显示"Hello",因为该脚本在txtString中传递并呈现为客户端脚本您的浏览器.
- 设置ValidateRequest ="true"或删除ValidateRequest页面属性,然后再次浏览到该页面.验证是否显示以下错误消息.
步骤2.查看生成HTML输出的ASP.NET代码
第3步.确定HTML输出是否包含输入参数
分析您的设计和页面代码,以确定输出是否包含任何输入参数.这些参数可以来自多种来源.以下列表包括常见的输入源:
Step 2. Review ASP.NET Code That Generates HTML Output
Step 3. Determine Whether HTML Output Includes Input Parameters
Analyze your design and your page code to determine whether the output includes any input parameters. These parameters can come from a variety of sources. The following list includes common input sources:
Form fields, such as the following.
Response.Write(name.Text);
Response.Write(Request.Form["name"]);
Query Strings
Response.Write(Request.QueryString["name"]);
Query strings, such as the following:
Response.Write(Request.QueryString["username"]);
Databases and data access methods, such as the following:
SqlDataReader reader = cmd.ExecuteReader();
Response.Write(reader.GetString(1));
Be particularly careful with data read from a database if it is shared by other applications.
Cookie collection, such as the following:
Response.Write(
Request.Cookies["name"].Values["name"]);
Session and application variables, such as the following:
Response.Write(Session["name"]);
Response.Write(Application["name"]);
第4步.检查潜在危险的HTML标签和属性第5步:评估对策
(©2015 Microsoft,使用条款)
(© 2015 Microsoft, Terms of use)
这篇关于防止asp.net中的跨站点脚本攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
