数据URI和有潜在危险的Request的价值 [英] Data URI and a potentially dangerous Request.Path value

问题描述

我已经使用数据URI这个CSS属性的尝试：

I have tried using a Data URI with this CSS property:

background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAAA9JREFUeNpiYGBg8AUIMAAAUgBOUWVeTwAAAABJRU5ErkJggg==");

和当地正常工作。
然而，当我调试的文件出现在镀铬失踪。如果我试图找到它，我得到：（：）从客户端检测到有潜在危险的Request的值。

And locally it works fine. However, when I am debugging the file appears missing in chrome. If I try to navigate to it, I get: A potentially dangerous Request.Path value was detected from the client (:).

所以，很显然我的应用程序认为URI此图像可疑。

So obviously my application considers the URI for this image suspicious.

我如何得到它显示？
我试着用轻松的验证：

How do I get it to show? I tried relaxing the validation using:

<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
<pages validateRequest="false"></pages>

在理想情况下，我不会想放松的规则太多，只够得到这些数据URI图像加载。

Ideally I wouldn't want to relax the rules too much, only enough to get these data URI images loading.

推荐答案

我敢打赌，应用考虑，因为BASE-64连接codeD URI的请求可疑。在BASE-64编码的恶意URL是被攻击者的共同战略通过剥离和/或逃避网址前端的过滤器来获得URL和掩盖任何人读取code的请求。 XSS攻击通常通过获取这些URI存储在数据库中的一个完成，提供回给其他用户。

I would bet that the application considers the request suspicious because of the Base-64 encoded URI. Encoding malicious URLs in Base-64 is a common strategy by attackers to get URLs through front end filters that strip and/or escape URLs, and to obscure the request from any humans reading the code. XSS attacks are commonly done by getting one of these URIs stored in a database and served back to other users.

由于XSS这些天的高风险的，我会毫不犹豫地禁用检查。如果可以，只需使用非恩codeD URI。如果你不能，你应该问自己为什么。如果您正试图通过混淆的URI来增强安全性，知道这是很琐碎的攻击者去code。它的不的任何形式的加密，只是用​​不同的方式来重新present数据。

Because of the high risks of XSS these days, I would hesitate to disable the check. If you can, just use a non-encoded URI. If you can't, you should ask yourself why. If you are trying to enhance security by obfuscating the URI, do know that this is very trivial for an attacker to decode. It is not any form of encryption, just a different way to represent data.

这篇关于数据URI和有潜在危险的Request的价值的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！