使用用户输入的 URL 处理安全性和避免 XSS 的最佳方法 [英] Best way to handle security and avoid XSS with user entered URLs
问题描述
我们有一个高度安全的应用程序,我们希望允许用户输入其他用户会看到的 URL.
We have a high security application and we want to allow users to enter URLs that other users will see.
这会带来 XSS 黑客攻击的高风险 - 用户可能会输入另一个用户最终执行的 javascript.由于我们持有敏感数据,因此绝不能发生这种情况.
This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens.
处理这个问题的最佳做法是什么?任何安全白名单或转义模式就足够了吗?
What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough?
关于处理重定向的任何建议(例如,在点击链接之前,警告页面上的此链接超出我们的网站"消息)
Any advice on dealing with redirections ("this link goes outside our site" message on a warning page before following the link, for instance)
是否存在根本不支持用户输入链接的论据?
Is there an argument for not supporting user entered links at all?
澄清:
基本上我们的用户想要输入:
Basically our users want to input:
stackoverflow.com
stackoverflow.com
并将其输出给另一个用户:
And have it output to another user:
<a href="http://stackoverflow.com">stackoverflow.com</a>
我真正担心的是他们在 XSS hack 中使用它.IE.他们输入:
What I really worry about is them using this in a XSS hack. I.e. they input:
alert('被黑了!');
alert('hacked!');
所以其他用户得到这个链接:
So other users get this link:
<a href="javascript:alert('hacked!');">stackoverflow.com</a>
我的例子只是为了解释风险 - 我很清楚 javascript 和 URL 是不同的东西,但是通过让他们输入后者,他们可能能够执行前者.
My example is just to explain the risk - I'm well aware that javascript and URLs are different things, but by letting them input the latter they may be able to execute the former.
您会惊讶于使用此技巧可以破坏多少个站点 - HTML 甚至更糟.如果他们知道处理链接,他们是否也知道清理 、
和巧妙的 CSS 引用?
You'd be amazed how many sites you can break with this trick - HTML is even worse. If they know to deal with links do they also know to sanitise <iframe>
, <img>
and clever CSS references?
我在一个高度安全的环境中工作 - 一次 XSS 黑客攻击可能会给我们带来非常高的损失.我很高兴我可以生成一个可以排除我能想到的所有内容的正则表达式(或使用迄今为止最好的建议之一),但这是否足够?
I'm working in a high security environment - a single XSS hack could result in very high losses for us. I'm happy that I could produce a Regex (or use one of the excellent suggestions so far) that could exclude everything that I could think of, but would that be enough?
推荐答案
如果您认为 URL 不能包含代码,请再想一想!
If you think URLs can't contain code, think again!
https://owasp.org/www-community/xss-filter-evasion-cheatsheet
读到这里,哭了.
以下是我们在 Stack Overflow 上的做法:
Here's how we do it on Stack Overflow:
/// <summary>
/// returns "safe" URL, stripping anything outside normal charsets for URL
/// </summary>
public static string SanitizeUrl(string url)
{
return Regex.Replace(url, @"[^-A-Za-z0-9+&@#/%?=~_|!:,.;()]", "");
}
这篇关于使用用户输入的 URL 处理安全性和避免 XSS 的最佳方法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!