How to protect against XSS in ASP.NET Core?


Question

In ASP.NET we had Request Validation but in ASP.NET Core there is no such thing.

How can we protect an ASP.NET Core app against XSS the best way?

Request validation gone: https://nvisium.com/resources/blog/2017/08/08/dude-wheres-my-request-validation.html - this guy recommends RegEx on Models like:

// Note: inside the character class, " -'" is a range (U+0020 to U+0027), so this
// pattern also admits ! " # $ % &; a literal hyphen needs escaping or placing last.
[RegularExpression(@"^[a-zA-Z0-9 -']*$", ErrorMessage = "Invalid characters detected")]
public string Name { get; set; }

...but that does not work for globalization/internationalization, i.e. non-Latin characters like æ, ø, å, 汉字.

X-XSS to do >limited< XSS protection: https://dotnetcoretutorials.com/2017/01/10/set-x-xss-protection-asp-net-core/ Like this, but there is only limited support afaik:

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Xss-Protection", "1");
        await next();
    });

    app.UseMvc();
}

The documentation from Microsoft is two years old: https://docs.microsoft.com/en-us/aspnet/core/security/cross-site-scripting?view=aspnetcore-2.1 and does not really cover it.

I am thinking of doing something simple like:

// string.Replace has no (char, "") overload; the string overload is needed to remove characters.
myField = myField.Replace("<", "").Replace(">", "").Replace("&", "").Repl...;

...on all data submissions - but it seems a bit flaky.

I have asked the same question for Microsoft but I am interested to hear how people are solving this problem in real life applications.

UPDATE: what we are trying to achieve:

In our application, we have webforms where people can input name, email, content and similar. The data is stored in a database and will be viewed on a frontend system and possibly other systems in the future (like RSS feeds, JSON, whatever). Some forms contain rich text editors (tinymce) and allow users to mark up their texts. Malicious users could enter <script>alert('evil stuff');</script> in the fields. What is the best way to strip the evil characters in ASP.NET Core before it reaches the database? I prefer evil scripts not to be stored in the database at all.

I figured something like this could work:

// Verbatim string: the "" is an escaped quote, so the regex is [^&<>\"'/]*$
const string RegExInvalidCharacters = @"[^&<>\""'/]*$";

[RegularExpression(RegExInvalidCharacters, ErrorMessage = "InvalidCharacters")]
public string Name { get; set; }

[RegularExpression(RegExInvalidCharacters, ErrorMessage = "InvalidCharacters")]
public string Content { get; set; }

...
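The question's objection to the blog's regex is that it rejects non-Latin names. The following is an added example, not code from the question or the linked blog post: a custom ValidationAttribute (the names PlainTextNameAttribute, ContactForm and Demo are mine) that allowlists letters, marks and digits of any Unicode script plus space, hyphen and apostrophe, so "Søren Ærø-Hansen 汉字" and "O'Neil" validate while anything containing markup characters such as a script tag is rejected. It is meant only for plain-text fields like Name; the rich-text Content field from tinymce needs sanitising or output encoding, not a character allowlist.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Text.RegularExpressions;

// Added example (not from the question or the linked blog post): a Unicode-aware
// allowlist for plain-text fields such as a person's name.
public sealed class PlainTextNameAttribute : ValidationAttribute
{
    // \p{L} letters, \p{M} combining marks and \p{N} digits of any script,
    // plus space, hyphen and apostrophe. The hyphen is escaped so it is a
    // literal and not a range; \z (rather than $) also refuses a trailing newline.
    private static readonly Regex Allowed =
        new Regex(@"^[\p{L}\p{M}\p{N} \-']*\z", RegexOptions.Compiled);

    public PlainTextNameAttribute() : base("Invalid characters detected") { }

    public override bool IsValid(object value)
    {
        // Presence is [Required]'s job; this attribute only judges the content.
        var s = value as string;
        if (string.IsNullOrEmpty(s)) return true;
        return Allowed.IsMatch(s);
    }
}

// Hypothetical model using the attribute. Content (rich text from tinymce) is
// deliberately not covered: it needs sanitising or encoding, not a character allowlist.
public class ContactForm
{
    [Required, PlainTextName, StringLength(100)]
    public string Name { get; set; }
}

public static class Demo
{
    public static void Main()
    {
        var attr = new PlainTextNameAttribute();
        Console.WriteLine(attr.IsValid("Søren Ærø-Hansen 汉字"));
        Console.WriteLine(attr.IsValid("O'Neil"));
        Console.WriteLine(attr.IsValid("<script>alert('evil stuff');</script>"));
    }
}
```

Because the pattern describes what is allowed rather than what is forbidden, new attack characters do not need to be added to it, which is the difference between this and the blacklist regex in the question.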

Answer

One of the best ways of preventing stored/reflected XSS is to HTML-encode the output. You may also encode before you store it in the DB, since you don't need the output from these fields to be in HTML anyway.

The solution with the regex won't always work. What you're doing here is relying on a blacklist. It's always better and more secure to either rely on a whitelist (which you don't need in this case) or HTML-encode the output if possible.
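The answer's advice is to encode at output rather than strip at input. The question also says the same stored value will be rendered in HTML, JSON and RSS, and each of those is a different grammar. The following is an added example, not code from the answer or from Microsoft: it stores a constructed sample value unchanged and encodes it per sink with the .NET encoders (System.Text.Encodings.Web, System.Text.Json and SecurityElement.Escape). The class and method names are mine. It also shows the caveat that HtmlEncoder.Default turns non-ASCII text into numeric entities, and how a wider-range encoder keeps æ, ø, å and CJK readable while the HTML-significant characters are still encoded.

```csharp
using System;
using System.Security;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Text.Unicode;

// Added example (not from the answer): encode the stored value at each output
// sink, in that sink's grammar, instead of deleting characters on input.
public static class OutputEncoding
{
    // Constructed sample of a stored field value; it stays as typed in the database.
    public const string Stored = "<script>alert('evil stuff');</script> & Søren";

    // HTML element content. Razor applies this automatically to @Model.Content;
    // Html.Raw() bypasses it and must never receive unencoded user input.
    public static string ForHtml(string s) => HtmlEncoder.Default.Encode(s);

    // HtmlEncoder.Default also encodes non-ASCII (ø, 汉) as &#x..; entities.
    // Allowing all Unicode ranges keeps international text readable while
    // < > & " ' are still encoded. In ASP.NET Core, register it so Razor uses it:
    //   services.AddSingleton<HtmlEncoder>(HtmlEncoder.Create(UnicodeRanges.All));
    private static readonly HtmlEncoder International = HtmlEncoder.Create(UnicodeRanges.All);
    public static string ForHtmlInternational(string s) => International.Encode(s);

    // Inside a <script> block or an event-handler attribute: quotes, backslash and
    // angle brackets are escaped so the value cannot terminate the string or the tag.
    public static string ForJavaScript(string s) => JavaScriptEncoder.Default.Encode(s);

    // JSON endpoint: System.Text.Json escapes < > & ' as \uXXXX by default, so the
    // payload stays inert even if a careless client assigns it to innerHTML.
    public static string ForJson(string s) => JsonSerializer.Serialize(new { content = s });

    // RSS / XML element content: the same five characters become XML entities.
    public static string ForXml(string s) => SecurityElement.Escape(s);

    public static void Main()
    {
        Console.WriteLine(ForHtml(Stored));
        Console.WriteLine(ForHtmlInternational(Stored));
        Console.WriteLine(ForJavaScript(Stored));
        Console.WriteLine(ForJson(Stored));
        Console.WriteLine(ForXml(Stored));
    }
}
```

Encoding like this is the right treatment for the plain fields (name, email). For the tinymce fields the user's markup is the point, so encoding would turn their formatting into visible tags; there the whitelist the answer mentions takes the form of an HTML sanitizer with an allowlist of tags and attributes (the HtmlSanitizer NuGet package is a common choice, not one the page names), and only sanitized output is ever passed to Html.Raw().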
