Cross-site scripting - ASP.NET form action being modified by URL


Question

After running a security scan across our web application (WebInspect), it has reported several XSS vulnerabilities with some aspx pages.

The request URL seems to be able to change the form action.

Example

/Website/somepage.aspx/'+alert(1234)+'

The form action is changed to

action="'+alert(1234)+'"

To rule out our application code, I tried this with the default new Visual Studio webform project and it allows the same.

How can this be prevented?

I've always been told that un-validated input being reflected into the page is bad news.

Answer

Just put something in the action, something like this:

<form id="id_form" runat="server" action="Default.aspx">

When the form action is not specified, ASP.NET fills this attribute with what you wrote in the URL after the last slash. If you write something there, ASP.NET doesn't rewrite it.
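The same fix applied from code-behind, as an added example that is not part of the original answer; it assumes the page markup contains a form with id "form1" and targets .NET Framework 4.0 or later, where HtmlForm exposes the Action property, and the trace call is a hypothetical logging hook:

```csharp
// Added example, not code from the original question or answer.
// Assumes <form id="form1" runat="server"> in the page markup and .NET 4.0+.
using System;
using System.Diagnostics;
using System.Web;
using System.Web.UI;

public partial class SomePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Pinning the action means the rendered attribute no longer echoes
        // whatever followed the last slash of the request URL.
        form1.Action = SafeFormAction(Request);
    }

    // Returns the action to render and flags requests that carry extra path info.
    internal static string SafeFormAction(HttpRequest request)
    {
        // Request.FilePath is the virtual path of the page itself, without the
        // trailing path-info segment: for "/Website/somepage.aspx/'+alert(1234)+'"
        // it is "/Website/somepage.aspx" and Request.PathInfo is "/'+alert(1234)+'".
        if (!string.IsNullOrEmpty(request.PathInfo))
        {
            // Hypothetical logging hook: a page that never uses path info has no
            // reason to receive one, so record it for the scanner's finding.
            Trace.TraceWarning("Unexpected path info on {0}: {1}",
                request.FilePath, request.PathInfo);
        }
        return request.FilePath;
    }
}
```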
