ASP.net XSS request validation not firing
I have a slight problem with an ASP.net application - the XSS request validation (i.e. the one that throws 'a potentially dangerous request.form value...' exception), does not seem to be working correctly for us.
I have the following simple test form in our site:
<%@ Page Language="VB" AutoEventWireup="false" CodeFile="Test2.aspx.vb"
Inherits="Test2" %>
<form id="form1" runat="server">
<asp:textbox ID="Textbox1" runat="server" ></asp:textbox>
<asp:Button ID="btnSubmit" runat="server" Text="Uh oh" />
</form>
And the following in our web.config for the httpRuntime element:
<httpRuntime maxRequestLength="8192" />
If I enter the following text into the textbox:
<script>alert('XSS!');</script>
The form posts with no error, where I would expect it to error out, complaining about the 'potentially dangerous... etc.'. I put a click event handler in for the button and call Request.ValidateInputs() and still no problems. Watching the Request variable, I can see a property called ValidateInputCalled, which is true even before my explicit call...
We are targeting v4.0 of the framework and I have found that if I edit the httpRuntime element like so:
<httpRuntime maxRequestLength="8192" requestValidationMode="2.0" />
Then the page request validation starts to work like I would expect (but I don't think that this should be necessary). The only other thing in the configuration like this is a set of rules such as this:
<location path="Admin/News.aspx">
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</location>
Which we use to allow us to turn off the validation for a select set of pages (turned off at page level), where the user is permitted to submit a select set of HTML tags in their text.
This was definitely working previously. Does anybody know why this may not be working now? I don't want to have to revert to v2.0 request validation mode for the entire site.
Just tried a new web site project, single page, same as above and the request validation error IS firing. Our web.config for the original site is quite large - does anyone know of other properties within this file that can affect the request validation? The pages node in the config file looks like the following:
<pages enableEventValidation="false" enableSessionState="true"
enableViewStateMac="true"
viewStateEncryptionMode="Always"
controlRenderingCompatibilityVersion="3.5"
clientIDMode="AutoID">
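Added example, not code from the question or from the asker's site: in 4.0 validation mode the page-level ValidateRequest="false" is ignored, which is exactly why the question's <location> blocks drop individual pages back to requestValidationMode="2.0". The 4.0-native alternative is a custom System.Web.Util.RequestValidator registered through httpRuntime's requestValidationType attribute: it keeps 4.0 validation everywhere (query string, cookies, headers, non-page handlers) and exempts only one named form field on one named page. The page path and the control's unique ID used below are hypothetical.

```csharp
// Added example: scoped exemption from ASP.NET 4.0 request validation via a
// custom RequestValidator. Register it in web.config with
//   <httpRuntime requestValidationType="Samples.Security.ScopedRequestValidator" />
// and keep requestValidationMode at its 4.0 default (no <location> override needed).
using System;
using System.Web;
using System.Web.Util;

namespace Samples.Security
{
    public class ScopedRequestValidator : RequestValidator
    {
        // Hypothetical page and field that are allowed to carry a limited set of HTML.
        // In Web Forms the collectionKey for a control is its UniqueID, e.g. "ctl00$Main$txtBody".
        private const string AllowedPath  = "/Admin/News.aspx";
        private const string AllowedField = "ctl00$Main$txtBody";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // -1 is what the built-in validator reports when there is no failure.
            validationFailureIndex = -1;

            // Exempt exactly one POSTed field on one page. Everything else, including the
            // query string, cookies and headers of that same page, still goes through the
            // framework's own check.
            bool exempt =
                requestValidationSource == RequestValidationSource.Form
                && context != null
                && string.Equals(context.Request.Path, AllowedPath, StringComparison.OrdinalIgnoreCase)
                && string.Equals(collectionKey, AllowedField, StringComparison.Ordinal);

            if (exempt)
                return true;

            return base.IsValidRequestString(context, value, requestValidationSource,
                                             collectionKey, out validationFailureIndex);
        }
    }
}
```

Request validation is a blocklist heuristic, not an XSS defence: the exempted field's content still has to be run through an allow-list HTML sanitizer before it is stored or rendered, and every other place that echoes user input must HTML-encode it. The gain over the <location>/2.0 approach is only that the exemption is narrowed from "the whole page" to "one field", and that the rest of the site stays in 4.0 mode.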
Comments (4)
I also had the same problem, but in my case it was a try-catch in global.asax's Application_BeginRequest which caught the error when accessing HttpContext.Current.Request.Form and then just swallowed it. Had something to do with a cookie fix for uploadify
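Added example, not the commenter's code: it reconstructs the failure mode described in this comment and shows the fix. In 4.0 mode the runtime calls ValidateInput() itself early in the pipeline (which is why the question's ValidateInputCalled was already true), and the actual check runs on the first access to each collection: the first read of Request.Form throws HttpRequestValidationException and the form is then treated as validated, so a later read from the page does not throw again. A catch-all around an early Request.Form access therefore silently uses up the validation for the whole request. The uploader path, field name and the "copy the session id from the form into the cookie" fix-up are hypothetical stand-ins for the uploadify fix the comment alludes to.

```csharp
// Added example: Global.asax.cs with the exception-swallowing BeginRequest handler
// beside a corrected one. ASP.NET only wires the method named Application_BeginRequest;
// the "_Broken" variant is kept for comparison and is never invoked.
using System;
using System.Web;

namespace Samples.Security
{
    public class Global : HttpApplication
    {
        // Hypothetical: a Flash uploader cannot send cookies, so it posts the session id
        // as a form field and BeginRequest copies it back into the session cookie.
        private const string UploadPath    = "/Upload/Uploadify.ashx";
        private const string SessionField  = "ASPSESSID";
        private const string SessionCookie = "ASP.NET_SessionId";

        // BROKEN: Request.Form is touched on every request, the first access runs request
        // validation for the whole form, and the catch-all discards the
        // HttpRequestValidationException. The form is now marked as validated, so the page
        // later reads "<script>alert('XSS!');</script>" without any error.
        protected void Application_BeginRequest_Broken(object sender, EventArgs e)
        {
            try
            {
                string sid = Request.Form[SessionField];
                if (!string.IsNullOrEmpty(sid))
                    CopySessionIdToCookie(sid);
            }
            catch (Exception)
            {
                // swallowed: the validation failure never reaches the page
            }
        }

        // FIXED: only touch Request.Form on the one path that needs the fix-up, and never
        // catch around it. If the form contains "<script>", the HttpRequestValidationException
        // propagates and ASP.NET rejects the request as before.
        // (On .NET 4.5+ Request.Unvalidated.Form reads the raw value without running or
        // consuming validation; the question targets 4.0, where that property does not exist.)
        protected void Application_BeginRequest(object sender, EventArgs e)
        {
            if (!string.Equals(Request.Path, UploadPath, StringComparison.OrdinalIgnoreCase))
                return;

            string sid = Request.Form[SessionField];
            if (!string.IsNullOrEmpty(sid))
                CopySessionIdToCookie(sid);
        }

        private void CopySessionIdToCookie(string sid)
        {
            // ASP.NET issues 24-character alphanumeric session ids; reject anything else so
            // this path cannot be used to push arbitrary text into the cookie.
            if (sid.Length != 24)
                return;
            foreach (char c in sid)
                if (!char.IsLetterOrDigit(c))
                    return;

            HttpCookie cookie = Request.Cookies[SessionCookie] ?? new HttpCookie(SessionCookie);
            cookie.Value = sid;
            Request.Cookies.Set(cookie);
        }
    }
}
```

Two things to keep in mind beyond the question's symptom: any exception swallowed in Application_BeginRequest hides every early failure, not just this one, so the catch should name the exceptions it genuinely expects; and accepting a session identifier from the request body is session fixation by design, which the character check above limits but does not remove.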
I stumbled on this question while tracking down a similar issue. Mine turned out to be the fact that the page in question was POSTing its data as JSON, and the default JSON model binder does not perform the ASP.NET request validation. I eventually found a blog post by Imran Baloch describing this known behavior and a workaround for it: http://forums.asp.net/t/1682096.aspx?MVC3+JSON+Security.
I know this wasn't the OP's issue, but maybe others will find it useful.
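Added example, not the commenter's code and not the workaround from the linked post: an ASP.NET MVC 3 action filter that runs the framework's configured request validator (RequestValidator.Current, i.e. the built-in one or whatever httpRuntime's requestValidationType names) over the bound action parameters. The JSON value provider deserializes the request body directly, so nothing ever reads Request.Form and the 4.0 check never fires; validating the bound values closes that gap for the actions that opt in. The DTO, controller and action names are hypothetical.

```csharp
// Added example: validate JSON-bound action parameters with the same RequestValidator
// ASP.NET applies to Request.Form. Apply [ValidateJsonInput] to actions that accept JSON.
using System;
using System.Collections;
using System.Reflection;
using System.Web;
using System.Web.Mvc;
using System.Web.Util;

namespace Samples.Security
{
    public class ValidateJsonInputAttribute : ActionFilterAttribute
    {
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            foreach (var parameter in filterContext.ActionParameters)
                CheckValue(parameter.Key, parameter.Value, 0);
        }

        // Walks strings, collections of strings and the public readable properties of bound
        // objects, recursing a few levels deep, which covers typical request DTOs.
        private static void CheckValue(string key, object value, int depth)
        {
            if (value == null || depth > 4)
                return;

            var text = value as string;
            if (text != null)
            {
                int failureIndex;
                bool ok = RequestValidator.Current.InvokeIsValidRequestString(
                    HttpContext.Current, text, RequestValidationSource.Form, key, out failureIndex);
                if (!ok)
                    throw new HttpRequestValidationException(
                        "A potentially dangerous value was detected in JSON field '" + key + "'.");
                return;
            }

            var items = value as IEnumerable;
            if (items != null)
            {
                foreach (var item in items)
                    CheckValue(key, item, depth + 1);
                return;
            }

            Type type = value.GetType();
            if (type.IsPrimitive || type.IsEnum || type == typeof(decimal)
                || type == typeof(DateTime) || type == typeof(Guid))
                return;

            foreach (PropertyInfo prop in type.GetProperties(BindingFlags.Public | BindingFlags.Instance))
            {
                if (!prop.CanRead || prop.GetIndexParameters().Length != 0)
                    continue;
                CheckValue(key + "." + prop.Name, prop.GetValue(value, null), depth + 1);
            }
        }
    }

    // Hypothetical DTO and controller showing the attribute in use.
    public class CommentDto
    {
        public string Author { get; set; }
        public string Body { get; set; }
    }

    public class CommentsController : Controller
    {
        [HttpPost, ValidateJsonInput]
        public ActionResult Create(CommentDto comment)
        {
            // A JSON body such as {"Author":"x","Body":"<script>alert('XSS!');</script>"}
            // is rejected by the filter before this line runs.
            return Json(new { ok = true });
        }
    }
}
```

The filter restores parity between JSON and form posts; it does not make the blocklist check a substitute for encoding. Values that reach a view still need HTML-encoding, and values echoed back as JSON need a serializer that escapes "<" and "</script" rather than string concatenation.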
I've found the same problem if you install Glimpse
The following line in web.config totally stops request validation from happening - no matter what your Glimpse settings are:
OK. We took our configuration file to a brand new site with a single page, and systematically started removing sections until we found the problem.
We use a third party library for some of the controls in our site, and we found that removing this section:
Fixes the problem for us (but gives us a few issues elsewhere).