我需要为ASP.NET 4网站的额外XSS安全? [英] Do I need extra XSS security for ASP.NET 4 websites?
问题描述
据我了解什么ASP.NET功能以及各种XSS测试我个人的测试,我发现我的ASP.NET 4网站不需要任何XSS prevention。
From what I understand about what ASP.NET does and my own personal testing of various XSS tests, I found that my ASP.NET 4 website does not require any XSS prevention.
你认为一个ASP.NET 4.0的网站需要添加任何XSS安全性比它的默认选项?我不能进入任何JavaScript或任何标记成,然后立即打印到页面上,我的文本字段。
Do you think that an ASP.NET 4.0 website needs any added XSS security than its default options? I cannot enter any javascript or any tags into my text fields that are then immediately printed onto the page.
推荐答案
的免责声明 - 这是基于什么可信输出是一个很偏执的定义,但是当涉及到网络安全,我不知道想你可太偏执了。的
从连接到下面的OWASP页面措施:不可信的数据最
往往来自HTTP请求,在URL的形式数据
参数,表单域,标题或饼干。但是来自数据
数据库,Web服务和其他来源常常是不可信
从安全角度来看。也就是说,它可能不是完美
验证。
Taken from the OWASP page linked to below: Untrusted data is most often data that comes from the HTTP request, in the form of URL parameters, form fields, headers, or cookies. But data that comes from databases, web services, and other sources is frequently untrusted from a security perspective. That is, it might not have been perfectly validated.
在大多数情况下,你如果你从任何来源接受输入,并输出至HTML需要更多的保护。这包括从文件,数据库等检索到的数据 - 不仅仅是你文本框等等。你可以有一个网站,是完全锁定,必须通过其他工具的人直接进入数据库,并能够插入恶意脚本。
In most cases, you do need more protection if you are taking input from ANY source and outputting it to HTML. This includes data retrieved from files, databases, etc - much more than just your textboxes. You could have a website that is perfectly locked down and have someone go directly to the database via another tool and be able to insert malicious script.
即使你从那里只有受信任的用户能够输入数据的数据库获取数据,你永远不知道是否可信用户无意中将一些恶意脚本从网站复制和粘贴。
Even if you're taking data from a database where only a trusted user is able to enter the data, you never know if that trusted user will inadvertently copy and paste in some malicious script from a website.
除非你绝对肯定相信,这将是在您的网站输出的任何数据,并有一个脚本,在不经意间(或恶意的攻击者或心怀不满的员工的情况下)把危险的数据到系统没有可能的方式,你应该清理所有输出。
Unless you absolutely positively trust any data that will be output on your website and there is no possible way for a script to inadvertently (or maliciously in case of an attacker or disgruntled employee) put dangerous data into the system, you should sanitize all output.
如果您有没有准备好,熟悉这里的信息:<一href=\"https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_$p$pvention_Cheat_Sheet\">https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_$p$pvention_Cheat_Sheet
If you haven't already, familiarize yourself with the info here: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
和通过网站上的其他已知的威胁以及
and go through the other known threats on the site as well.
在你错过它的情况下,href=\"http://wpl.$c$cplex.com/\"> Microsoft.AntiXss 库是一个很好的工具来
In case you miss it, the Microsoft.AntiXss library is a very good tool to have at your disposal. In addition to a better version of the HtmlEncode function, it also has nice features like GetSafeHtmlFragment() for when you WANT to include untrusted HTML in your output and have it sanitized. This article shows proper usage: http://msdn.microsoft.com/en-us/library/aa973813.aspx The article is old, but still relevant.
这篇关于我需要为ASP.NET 4网站的额外XSS安全?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
