建立“出口” 使用经典 ASP 的页面避免了主要的跨站点脚本陷阱
我正在更新我工作的公司维护的许多子站点所使用的经典 ASP 网页。
该页面的目的是通知用户他们将离开“我们的”网站并前往另一个网站。 这基本上是一个免责声明,但由于资源限制和时间限制,我无法将免责声明添加到我们管理的每个网站中。
这就是问题的症结所在。 当前代码从查询字符串中提取一个变量,以在新窗口中创建“继续”链接。 这显然会以跨站点脚本的形式产生许多问题。
如何处理此更新以消除大多数(如果不是全部)使用 vbScript/ASP 的跨站点脚本问题。
我正在使用的代码如下。
<%@ Language = vbScript %>
<% Option Explicit %>
<%
Dim strLink
strLink = Request.QueryString("site")
strLink = Replace(strLink, "<", "<")
strLink = Replace(strLink, ">", ">")
strLink = Replace(strLink, chr(34), "")
strLink = Replace(strLink, "script", "", 1, -1, 1)
strLink = Replace(strLink, "onclick", "", 1, -1, 1)
strLink = Replace(strLink, "ondblclick", "", 1, -1, 1)
strLink = Replace(strLink, "onmousedown", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseover", "", 1, -1, 1)
strLink = Replace(strLink, "onmousemove", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseout", "", 1, -1, 1)
strLink = Replace(strLink, "onkeypress", "", 1, -1, 1)
strLink = Replace(strLink, "onkeydown", "", 1, -1, 1)
strLink = Replace(strLink, "onkeyup", "", 1, -1, 1)
strLink = Replace(strLink, "onfocus", "", 1, -1, 1)
strLink = Replace(strLink, "onblur", "", 1, -1, 1)
strLink = Replace(strLink, "&&", "")
strLink = Replace(strLink, "##", "")
strLink = Replace(strLink, "&#", "")
%>
<a href="<%= strLink %>">Continue</a>
I'm working on updating a classic ASP web page used by a number of sub-sites maintained at the company I work for.
The purpose of the page is to notify the user that they are leaving "our" site and going to another site. It's basically a disclaimer, but due to resource limitations and time limitations I can't add the disclaimer to every site we manage.
This is the crux of the problem. The current code pulls a variable from the query string to create the "continue" link in the new window. This obviously creates many problems in the form of cross site scripting.
How do I approach this update to eliminate most (if not all) of the cross site scripting issues using vbScript/ASP.
The code I'm using is below.
<%@ Language = vbScript %>
<% Option Explicit %>
<%
Dim strLink
strLink = Request.QueryString("site")
strLink = Replace(strLink, "<", "<")
strLink = Replace(strLink, ">", ">")
strLink = Replace(strLink, chr(34), "")
strLink = Replace(strLink, "script", "", 1, -1, 1)
strLink = Replace(strLink, "onclick", "", 1, -1, 1)
strLink = Replace(strLink, "ondblclick", "", 1, -1, 1)
strLink = Replace(strLink, "onmousedown", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseover", "", 1, -1, 1)
strLink = Replace(strLink, "onmousemove", "", 1, -1, 1)
strLink = Replace(strLink, "onmouseout", "", 1, -1, 1)
strLink = Replace(strLink, "onkeypress", "", 1, -1, 1)
strLink = Replace(strLink, "onkeydown", "", 1, -1, 1)
strLink = Replace(strLink, "onkeyup", "", 1, -1, 1)
strLink = Replace(strLink, "onfocus", "", 1, -1, 1)
strLink = Replace(strLink, "onblur", "", 1, -1, 1)
strLink = Replace(strLink, "&&", "")
strLink = Replace(strLink, "##", "")
strLink = Replace(strLink, "&#", "")
%>
<a href="<%= strLink %>">Continue</a>
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
您需要实施一种遵循“积极安全模型”概念的方法。 您应该解析“site”变量并确保它明确符合允许的内容,而不是编写一些查找应该禁止的内容。 这将使您的方法更能抵御攻击,尤其是意外攻击。
我建议编写一个正则表达式(或者在 stackoverflow 上询问如何编写这样的正则表达式)。
另外,虽然 Michael 发布的 Web 服务非常酷,但您应该评估是否可以接受依赖这样的东西。
You need to implement an approach that follows the concept of "Positive Security Model". You should parse the "site" variable and make sure it conforms explicitly to what is allowed, rather than write something that looks for what should be disallowed. This will make your approach much more resilient to attacks, especially unanticipated ones.
I suggest writing a regex (or ask how to write such a regex on stackoverflow).
Also, while the web service posted by Michael is pretty cool, you should evaluate if it is acceptable or not to take a dependency on such a thing.
这就是我推荐的 HTML 清理方法 -
HTML 白名单是我的好同事 DeWitt Clinton 提出的“App Engine 上推出的很酷的小型 Python Web 服务”中的最新内容。
它只做一件事,而且做得很好。 您可以传递服务 HTML,它将返回经过清理的版本。
http://html-whitelist.appspot.com/
This is what I recommend for HTML sanitizing -
HTML Whitelist is the latest in the "cool little Python Web service thrown up on App Engine" by my good colleague DeWitt Clinton.
It does one thing, and it does it well. You can pass the service HTML and it will return a sanitized version.
http://html-whitelist.appspot.com/
您可以添加逻辑来继续页面,以确保它仅由您网站之一上的页面基于 url 或 IP 地址调用。 您还可以传递时间和散列代码以提高安全性。
You could add logic to continue page to ensure that it is only called by a page on one of your sites either based on url or IP address. You could also pass a time and hashed code through for added security.