防止 Javascript 和 XSS 攻击
我正在对我的网站进行 xss 防护,防止 javascript 和 xss 攻击。它是用 ASP.NET Webforms 编写的。
我想测试的主要部分是一个具有文本框(附加有tinyMCE)的用户控件。
用户可以通过在此文本框中写入内容来将故事提交到网站。我必须将 validateRequest 设置为 false,因为我想在 HMTL (tinyMCE) 中获取用户的故事。
我应该如何防止 javascript-xss 攻击?由于用户的故事是 HMTL 文本,因此我无法在他们的故事上使用 Server.HtmlEncode 。一般来说,从用户接收 HTML 内容、保存然后显示给用户的安全方法是什么?
如果一名用户将恶意代码放入文本框中并提交,这是否有可能伤害其他查看该文本的人?
谢谢。
I'm xss-proofing my web site for javascript and xss attacks. It's written in ASP.NET Webforms.
The main part I'd like to test is a user control that has a textbox (tinyMCE attached to it).
Users can submit stories to site by writing in this textbox. I had to set validateRequest to false since I want to get users' stories in HMTL (tinyMCE).
How should I prevent javascript-xss attacks? Since users' stories are HMTL texts, I cannot use Server.HtmlEncode on their stories. In general, what's the safe way to receive HTML content from user, save and then display it to users?
If one user puts malicious code in the textbox and submits it, is there a chance that this could harm other people who view that text?
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我会选择将其编码存储在数据库中,然后在显示对其进行解码时,如果您说需要保留其他内容,则仅将
<替换为<。据我所知,如果替换
<XSS 是不可能的,因为任何 JS 代码都必须位于也就是说,如果您允许用户发布“原始”HTML,例如
此部分以粗体显示,那么您必须创建允许标签的“白名单”,然后手动替换具有正确 HTML 的<例如:I would go with storing it encoded in database, then when showing Decode it and replace only the
<with<if you say you need to preserve other things.As far as I know, if you replace the
<XSS is not really possible as any JS code must be inside<script>tags to be executed and by replacing, you'll get this in the HTML source:<script>and the user will see<script>on the screen as the browser will parse the<entity.This said, if you allow users to post "raw" HTML e.g.
<b>this section is bolded</b>then you'll have to create "white list" of allowed tags then manually replace the<with the proper HTML for example:您是否看过OWASP 指南
最好的方法是拥有一个允许标签的白名单,而不是试图想出一种方法来阻止所有脚本标签。
有关如何执行此操作的一种解决方案,请参见此处如何我是否可以过滤除特定白名单之外的所有 HTML 标记?
但您还需要注意,人们可能通过带有指向其自己服务器的 URL 的图像标签拥有指向外部脚本的链接。请参阅此处 http://ha.ckers.org/xss.html 不同类型的示例您需要防御的攻击
Have you seen the OWASP guide on this
The best way would be to have an white list of allowed tags instead of a trying to come up with a way to prevent all script tags.
One solution on how to do this is here How do I filter all HTML tags except a certain whitelist?
But you also need to be aware people might have a link to external script via an image tag with a URL to their own server. See examples here http://ha.ckers.org/xss.html of the different types of attacks you need to defend against
如果您不清理用户在文本框中输入并提交的内容,那么是的,有可能造成伤害。
您可能需要查看Microsoft 反跨站脚本库,因为它旨在帮助开发人员防止此类攻击。
另外值得一看的是 OWASP 的 跨站脚本 (XSS)< /a>
您可能还想研究 HttpUtility.HtmlEncode 和 HttpUtility.HtmlDecode。我刚刚编写了一个快速测试,看起来它可能会解决您在下面的评论中所关心的问题(关于如何以正确的格式向其他用户显示数据):
ASP.NET 控件和 HTMLEncode
我本来打算发布我从课堂上获得的信息,但我发现一个链接列出了完全相同的内容(针对 1.1 和 2.0),因此我将发布该链接以便于参考。您可能可以通过查看 MSDN 来获取有关未列出的特定控件(或 3.0/3.5/4.0 版本,如果它们已更改)的更多信息,但这至少应该作为您的快速入门指南。如果您需要更多信息,请告诉我,我会看看能找到什么。
ASP.NET 控制默认 HTML 编码
下面是来自 MSDN 博客之一的更全面的列表:哪些 ASP.NET 控件自动编码?
If you don't clean what the user puts in the textbox and submits, then yes, there is a chance for harm to be done.
You might want to check out the Microsoft Anti-Cross Site Scripting Library, as it is designed to help developers prevent just such attacks.
Also worth taking a look at is OWASP's Cross-site Scripting (XSS)
You might want to look into HttpUtility.HtmlEncode and HttpUtility.HtmlDecode as well. I just wrote a quick test, and it looks like it might address your concern in the comment below (about how to display the data to other users in the right format):
ASP.NET Controls and HTMLEncode
I was going to post the information I had from my class, but I found a link that lists the exact same thing (for 1.1 and 2.0), so I'll post the link for easier reference. You can probably get more information on a specific control not listed (or 3.0/3.5/4.0 versions if they've changed) by looking on MSDN, but this should serve as a quick start guide for you, at least. Let me know if you need more information and I'll see what I can find.
ASP.NET Controls Default HTML Encoding
Here's a more comprehensive list from one of the MSDN blogs: Which ASP.NET Controls Automatically Encodes?