是什么使EN coderType到AntiXssEn codeR在MVC应用程序的好处? [英] What is the benefit to make encoderType to AntiXssEncoder in a MVC application?
问题描述
在什么.NET 4.5中新的一页,它说,你可以通过设置连接coderType使用AntiXssEn codeR类型。
的http://www.asp.net/aspnet/overview/aspnet-and-visual-studio-2012/whats-new#_Toc318097382
<的httpRuntime ...
EN coderType =System.Web.Security.AntiXss.AntiXssEn codeR,System.Web程序,版本= 4.0.0.0,文化=中性公钥= b03f5f7f11d50a3a/>
但是,什么是修改默认连接coderType?
好处感谢。
AntiXssEn codeR使用白名单的方式来确定恶意输入[输入,导致跨站脚本(XSS)。
在ASP.Net默认连接codeR采用黑名单的做法。
两者做所述数据输出的编码。从安全角度来看白名单为基础的方法应该始终pferred超过黑名单的方法识别恶意$ P $。
从的http://weblogs.asp.net/jongalloway/using-antixss-4-1-beta-as-the-default-en$c$cr-in-asp-net
- AntiXSS本质上更安全,由于使用白名单的方式。许多安全审计和认证要求你
使用白名单XSS连接codeR因为黑名单始终是潜在的
容易受到未知的攻击。
- 新版浏览器有更好的XSS过滤内置的,但也有中老年浏览器漏洞(例如UTF-7字符集开关)来
不会被检测到由ASP.NET默认连接codeR回升。
In the What’s New page of .Net 4.5, it said that you may set encoderType to use the AntiXssEncoder type. http://www.asp.net/aspnet/overview/aspnet-and-visual-studio-2012/whats-new#_Toc318097382
<httpRuntime ... encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />But what is the benefit to modify the default encoderType ?
Thanks.
解决方案AntiXssEncoder uses a whitelist approach to identify malicious inputs [Inputs that result in Cross Site Scripting (XSS)].
The default encoder in ASP.Net uses a blacklist approach.
Both do output encoding on the data. From a security standpoint a whitelist based approach should always be preferred over blacklist approach for identifying malice.
Excerpt from http://weblogs.asp.net/jongalloway/using-antixss-4-1-beta-as-the-default-encoder-in-asp-net
- AntiXSS is inherently more secure due to using a whitelist approach. Many security audits and certifications will require you to use a whitelist XSS encoder because a blacklist is always potentially vulnerable to unknown attacks.
- Newer browsers have better XSS filtering built in, but there are vulnerabilities in older browser (e.g. UTF-7 charset switch) which wouldn't be detected picked up by the ASP.NET default encoder.
这篇关于是什么使EN coderType到AntiXssEn codeR在MVC应用程序的好处?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
