Anti-Cross Site Scripting

    Cross-site scripting (XSS) attacks exploit web applications that perform neither input validation nor output encoding and that embed the un-validated data in their output. A malicious user can inject client-side script into that output, so that the script runs when a normal user views the page. Because the script arrives from a trusted site, it may bypass the browser's security settings. These attacks are independent of platform and browser, and they let a malicious user act on the client side without authorization, for example reading cookies or hijacking the whole session.

    In a web application, the simplest developer protections against XSS are:
        1. Validate and constrain user input
        2. Encode the output

    Below we introduce the Microsoft Anti-Cross Site Scripting Library.

        

    1. About the Anti-Cross Site Scripting Library V1.5

    The Microsoft Anti-Cross Site Scripting Library can be used to provide additional protection to ASP.NET Web-based applications against Cross-Site Scripting (XSS) attacks. This release of the library exposes the following methods:

     

    Encoding Method           Description
    HtmlEncode                Encodes input strings for use in HTML
    HtmlAttributeEncode       Encodes input strings for use in HTML attributes
    JavaScriptEncode          Encodes input strings for use in JavaScript
    UrlEncode                 Encodes input strings for use in Universal Resource Locators (URLs)
    VisualBasicScriptEncode   Encodes input strings for use in Visual Basic Script
    XmlEncode                 Encodes input strings for use in XML
    XmlAttributeEncode        Encodes input strings for use in XML attributes

     

    Namespace: Microsoft.Security.Application

    Assembly: AntiXss or AntiXSSLibrary (in AntiXssLibrary.dll)

    For use with:

    - .NET Framework: 1.1, 2.0
    - Platforms: Windows 2003, Windows XP and Windows 2000

     

     

    namespace Microsoft.Security.Application
    {
        public class AntiXss
        {
            public static string HtmlEncode(string s);
            public static string HtmlAttributeEncode(string s);
            public static string JavaScriptEncode(string s);
            public static string UrlEncode(string s);
            public static string VisualBasicScriptEncode(string s);
            public static string XmlEncode(string s);
            public static string XmlAttributeEncode(string s);
        }
    }

     

    2. How to use the Microsoft Anti-Cross Site Scripting Library V1.5

    This section shows how developers can use the Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET Web-applications from XSS attacks in addition to other countermeasures such as input validation.

     

    To properly use the Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET Web-applications, developers need to:

     

    - Step 1: Review ASP.NET code that generates output
    - Step 2: Determine whether output includes un-trusted input parameters
    - Step 3: Determine the context in which the un-trusted input is used as output
    - Step 4: Encode output

     

    Step 1: Review ASP.NET Code that Generates Output

    XSS attacks depend on un-trusted input being embedded in output, so the code that generates output must be identified first.  Common vectors include calls to Response.Write and ASP.NET <%= %> expressions.

     

    Step 2: Determine if Output Could Contain Un-Trusted Input

    Once the sections of code that generate output have been identified, they should be analysed to determine whether the output may contain un-trusted input, such as input from users or from some other un-trusted source.  If the output does contain un-trusted input, then that un-trusted input will require encoding.  Some common sources of un-trusted input include:

     

    - Application variables
    - Cookies
    - Databases
    - Form fields
    - Query string variables
    - Session variables

     

    If it is uncertain whether the output may contain un-trusted input, then it is best to err on the side of caution and encode the output anyway.

     

    Step 3: Determine Encoding Method to Use

    Determine the proper encoding method to use.  This will be dependent on the context of how the un-trusted input is being used.  For example, if the un-trusted input will be used to set an HTML attribute, then the Microsoft.Security.Application.HtmlAttributeEncode method should be used to encode the un-trusted input.

     

     

     

    // Vulnerable code
    // Note that un-trusted input is being used as an HTML attribute
    Literal1.Text = "<hr noshade size=[un-trusted input here]>";

    // Modified code
    Literal1.Text = "<hr noshade size=" + Microsoft.Security.Application.AntiXss.HtmlAttributeEncode([un-trusted input here]) + ">";

     

     

    Alternatively, if the un-trusted input will be used within the context of JavaScript, then Microsoft.Security.Application.JavaScriptEncode should be used to encode.

     

    Use the following table to help determine the appropriate encoding method to use to encode output that may contain un-trusted input.

     

    Encoding Method: HtmlEncode
      Should be used if: Un-trusted input is used in HTML output, except when assigning to an HTML attribute.
      Example / Pattern: <a href="http://www.contoso.com">Click Here [Un-trusted input]</a>

    Encoding Method: HtmlAttributeEncode
      Should be used if: Un-trusted input is used as an HTML attribute.
      Example / Pattern: <hr noshade size=[Un-trusted input]>

    Encoding Method: JavaScriptEncode
      Should be used if: Un-trusted input is used within a JavaScript context.
      Example / Pattern:
        <script type="text/javascript">
        [Un-trusted input]
        </script>

    Encoding Method: UrlEncode
      Should be used if: Un-trusted input is used in a URL (such as a value in a query string).
      Example / Pattern: <a href="http://search.msn.com/results.aspx?q=[Un-trusted-input]">Click Here!</a>

    Encoding Method: VisualBasicScriptEncode
      Should be used if: Un-trusted input is used within a Visual Basic Script context.
      Example / Pattern:
        <script type="text/vbscript" language="vbscript">
        [Un-trusted input]
        </script>

    Encoding Method: XmlEncode
      Should be used if: Un-trusted input is used in XML output, except when assigning to an XML attribute.
      Example / Pattern: <xml_tag>[Un-trusted input]</xml_tag>

    Encoding Method: XmlAttributeEncode
      Should be used if: Un-trusted input is used as an XML attribute.
      Example / Pattern: <xml_tag attribute=[Un-trusted input]>Some Text</xml_tag>

     

     

    A sample Web application that demonstrates how and when to use each of the above encoding methods can be found in the 'Samples' installation directory.
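The table above says which encoder fits which context but not why the choice matters. The following is an added illustration, not code from the page or from the AntiXss library: small whitelist-style encoders written for this example in the spirit of AntiXss V1.5 (everything outside a short safe list is escaped; the safe lists and escape sequences are this example's own choice, not the library's exact output), applied to the page's `<hr noshade size=[Un-trusted input]>` pattern. The constructed value `1 hidden` shows the difference between the HTML and HTML-attribute contexts: the HTML encoder leaves the space alone, so in an unquoted attribute the word after it becomes a second attribute, while the attribute encoder escapes the space and keeps the whole value inside `size=`.

```python
# Added illustration, not the AntiXss library's code: whitelist-style encoders in the
# spirit of AntiXss V1.5, one per output context. Everything outside a small safe list
# is escaped; the exact escape sequences and safe lists are this example's own choice.
import string

# The HTML safe list keeps the space; the attribute safe list does not, because in an
# unquoted attribute a space ends the value and whatever follows becomes a new attribute.
_HTML_SAFE = set(string.ascii_letters + string.digits + " ,.-_")
_ATTR_SAFE = set(string.ascii_letters + string.digits + ",.-_")
_JS_SAFE = set(string.ascii_letters + string.digits + " ,._")
_URL_SAFE = set(string.ascii_letters + string.digits + "-._")


def html_encode(s: str) -> str:
    """For text between tags: non-safe characters become decimal character references."""
    return "".join(c if c in _HTML_SAFE else f"&#{ord(c)};" for c in s)


def html_attribute_encode(s: str) -> str:
    """For attribute values, quoted or not: like html_encode, but the space is escaped too."""
    return "".join(c if c in _ATTR_SAFE else f"&#{ord(c)};" for c in s)


def javascript_encode(s: str) -> str:
    """For a JavaScript string literal: \\xHH / \\uHHHH escapes, returned already quoted."""
    out = []
    for c in s:
        if c in _JS_SAFE:
            out.append(c)
        elif ord(c) < 0x100:
            out.append(f"\\x{ord(c):02X}")
        else:
            out.append(f"\\u{ord(c):04X}")
    return "'" + "".join(out) + "'"


def url_encode(s: str) -> str:
    """For a query-string value: percent-encode every UTF-8 byte outside the safe list."""
    return "".join(chr(b) if chr(b) in _URL_SAFE else f"%{b:02X}" for b in s.encode("utf-8"))


# Constructed un-trusted value for the page's <hr noshade size=...> pattern: a number
# followed by a space and a boolean attribute name.
UNTRUSTED_SIZE = "1 hidden"


def hr_with_html_encode(value: str) -> str:
    """Wrong encoder for an unquoted attribute: the space survives, so 'hidden' becomes its own attribute."""
    return f"<hr noshade size={html_encode(value)}>"


def hr_with_attribute_encode(value: str) -> str:
    """Right encoder: the space becomes &#32; and the whole value stays inside size=."""
    return f"<hr noshade size={html_attribute_encode(value)}>"


def attribute_names(tag: str) -> list:
    """Demo-only tokenizer: split the tag on whitespace, as a browser does for unquoted
    attributes, drop the tag name and return the attribute names that result."""
    return [t.split("=", 1)[0] for t in tag.strip("<>").split()[1:]]


if __name__ == "__main__":
    print(html_encode("<b>"))                       # &#60;b&#62;
    print(javascript_encode("O'Brien </script>"))   # 'O\x27Brien \x3C\x2Fscript\x3E'
    print(url_encode("a b&c=d"))                    # a%20b%26c%3Dd
    print(attribute_names(hr_with_html_encode(UNTRUSTED_SIZE)))       # ['noshade', 'size', 'hidden']
    print(attribute_names(hr_with_attribute_encode(UNTRUSTED_SIZE)))  # ['noshade', 'size']
```

The JavaScript encoder returns the literal already quoted and escapes the quote, `<`, `/` and `>`, so neither a closing quote nor a `</script>` sequence can survive inside the string; the URL encoder escapes `&` and `=` so a value cannot add query-string parameters of its own. Quoting attribute values in the template is still the cheaper first fix for the `size=` case; the attribute encoder is what protects the template when that has not been done.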

     

    Step 4: Encode Output

    Use the appropriate encoding method to encode output (see Step 3).  Some important things to remember about encoding outputs:

     

    - Outputs should be encoded once.
    - Output encoding should be done as close to the actual writing of the output as possible.  For example, if an application is reading user input, processing the input and then writing it back out in some form, then encoding should happen just before the output is written.

     

     

    // Incorrect sequence
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Read input
        String Input = TextBox1.Text;

        // Encode un-trusted input (too early: the processing below now runs on encoded text)
        Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input);

        // Process input
        ...

        // Write output
        Response.Write("The input you gave was " + Input);
    }

    // Correct sequence
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Read input
        String Input = TextBox1.Text;

        // Process input
        ...

        // Encode un-trusted input and write output
        Response.Write("The input you gave was " +
            Microsoft.Security.Application.AntiXss.HtmlEncode(Input));
    }
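What goes wrong when the two rules above are broken is easier to see on concrete output. This added example is not code from the page or the library: Python's `html.escape` stands in for `AntiXss.HtmlEncode`, and the "processing" step is a constructed one that trims the value to a maximum length. Encoding early means the processing runs on entity text (the trim cuts an entity in half), and a second, defensive encode at the output site then turns `&lt;` into `&amp;lt;`, which the browser displays literally. Encoding once, immediately before writing, gives the intended result.

```python
# Added illustration of Step 4, not code from the page or the AntiXss library.
# html.escape stands in for AntiXss.HtmlEncode; process() is constructed for the demo.
import html

MAX_LEN = 8  # constructed business rule: values are trimmed to eight characters


def process(value: str) -> str:
    """Constructed business logic: normalise whitespace and cap the length."""
    return value.strip()[:MAX_LEN]


def render_incorrect(raw_input: str) -> str:
    """Encode first, then process: the trim now operates on entity text and can cut an
    entity in half, and the defensive encode at the output site encodes a second time."""
    encoded = html.escape(raw_input, quote=True)
    processed = process(encoded)
    # A second encode at the output site is common when it is unclear whether a value
    # was already encoded upstream; here it produces &amp;lt; (double encoding).
    return "The input you gave was " + html.escape(processed, quote=True)


def render_correct(raw_input: str) -> str:
    """Process the raw value, then encode exactly once, immediately before writing."""
    processed = process(raw_input)
    return "The input you gave was " + html.escape(processed, quote=True)


def looks_double_encoded(rendered: str) -> bool:
    """Detect the tell-tale &amp;lt; / &amp;gt; / &amp;quot; that encoding twice leaves behind;
    useful as an assertion in a rendering test or as a check over captured responses."""
    return any(m in rendered for m in ("&amp;lt;", "&amp;gt;", "&amp;quot;", "&amp;amp;"))


if __name__ == "__main__":
    sample = "<b>Hi</b>"  # constructed un-trusted input
    print(render_incorrect(sample))  # The input you gave was &amp;lt;b&amp;gt
    print(render_correct(sample))    # The input you gave was &lt;b&gt;Hi&lt;/b
```

The correct version renders the user's first eight characters as text, markup shown rather than interpreted. The incorrect version shows the user a garbled `&lt;b&gt` string, and the fact that it is visibly harmless here is exactly what makes early encoding hard to spot in review: the bug only becomes a security problem when a later processing step (a decode, a database round trip, a second template) undoes the encoding before the write.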

     

    3. Examples

    A sample ASP.NET 2.0 Web-application that demonstrates the proper use of each of the encoding methods exposed by the Microsoft Anti-Cross Site Scripting Library V1.5 can be found in the ‘Samples’ installation directory.

     

    Example #1: Using HtmlEncode

     

    The following code example html-encodes a string before sending it to a browser client.  In this example, the HtmlEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

     

     

    <html>
    <b>
    Hello, <%= AntiXss.HtmlEncode(Request.Form["UserName"]) %>
    </b>
    </html>

     

     

     

    Example #2: Using HtmlAttributeEncode

     

    The following code example encodes an html attribute before sending it to a browser client.  In this example, the HtmlAttributeEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

     

     

    <html>

    <img src="/users/user.gif" id=<%= AntiXss.HtmlAttributeEncode(Request.Form["ID"]) %> >

    </html>

     

     

     

    Example #3: Using UrlEncode

     

    The following code example URL-encodes a string before sending it to a browser client.  In this example, the UrlEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding. 

     

     

    using System;
    using System.Web;
    using System.IO;
    using Microsoft.Security.Application;

    ...
    String MyURL;
    MyURL = "http://www.contoso.com/articles.aspx?title=";

    // Read user-input
    String Title = TextBox1.Text;  // <-- Un-trusted input!

    // Write out URL and encode potentially dangerous user-input!
    Response.Write("<a href=\"" + MyURL + AntiXss.UrlEncode(Title) +
        "\">ASP.NET Examples</a><br>");

    ...

     

     

    Remember that UrlEncode should be used to encode only un-trusted values used within URLs such as in query string values.  If the URL itself is the source of un-trusted input, then input validation with regular expressions should be used.

     

     

    using System.Text.RegularExpressions;

    ...
    // Whitelist pattern: http(s)/ftp(s) scheme, alphanumeric host, optional numeric port, allowed path characters
    String URL_REGEX = @"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:[0-9]+)?(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&%\$#_]*)?$";

    ...
    String SuspectURL = Text1.Text;    // <-- Un-trusted input!

    ...
    // Validate the URL with regular expressions
    if (Regex.IsMatch(SuspectURL, URL_REGEX)) {
        // This is a valid URL, so do something with it
    }
    else {
        // This is a potential attack!  Play it safe and error out
    }
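The whitelist pattern is easiest to trust once it has been run against a handful of inputs. The following is an added example, not the page's code: the page's URL pattern ported to Python's `re`, with the port group written as `(:[0-9]+)?` so that it matches digits, and run over constructed sample URLs. One practitioner caveat is built in: the host part `([-.\w]*[0-9a-zA-Z])*` nests a quantifier inside a quantifier, which can make a non-matching long string backtrack heavily, so the validator rejects anything over a length cap before the pattern ever runs.

```python
# Added example, not the page's code: the page's URL whitelist pattern in Python's re,
# with the port group written as (:[0-9]+)? so that it matches digits.
import re

URL_REGEX = (
    r"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:[0-9]+)?(\/?)"
    r"([a-zA-Z0-9\-\.\?\,\'\/\\\+=&%\$#_]*)?$"
)
_URL_PATTERN = re.compile(URL_REGEX)

# The nested quantifier ([-.\w]*[0-9a-zA-Z])* can backtrack heavily on long input that
# does not match, so the length is checked before the pattern runs (cap chosen for the demo).
MAX_URL_LEN = 2048


def is_valid_url(suspect: str) -> bool:
    """Whitelist validation: accept only http(s)/ftp(s) URLs built from the allowed characters."""
    if len(suspect) > MAX_URL_LEN:
        return False
    return _URL_PATTERN.fullmatch(suspect) is not None


def classify(urls) -> dict:
    """Map each candidate to its verdict, for a quick review of what the pattern lets through."""
    return {u: is_valid_url(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples: two that should pass and several that should be refused.
    samples = [
        "http://www.contoso.com/articles.aspx?title=ASP.NET",
        "https://example.com:8080/index.html",
        "javascript:void(0)",           # wrong scheme
        "http://contoso.com/<tag>",     # '<' and '>' are not in the allowed set
        "http://",                      # no host
        "http://contoso.com/a b",       # space is not in the allowed set
    ]
    for url, ok in classify(samples).items():
        print(f"{'accept' if ok else 'reject'}  {url}")
```

Accepting a URL this way does not make it safe to emit unencoded: the allowed character set still includes `'`, `&`, `=`, `#` and `%`, so a validated URL written into an `href` still needs the attribute quoted and the value attribute-encoded, as the examples above show.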

     

     

    Example #4: Using JavaScriptEncode

     

    The following code example encodes a string used in a JavaScript context before sending it to a browser client.  In this example, the JavaScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

     

     

    <script language="javascript">

    var s = <%= AntiXss.JavaScriptEncode(Request.QueryString["UserString"]) %>;

    // Perform some action on s

    </script>

     

     

    Example #5: Using VisualBasicScriptEncode

     

    The following code example encodes a string used in a Visual Basic Script context before sending it to a browser client.  In this example, the VisualBasicScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

     

     

    <script language="vbscript">

    Dim s
    s = <%= AntiXss.VisualBasicScriptEncode(Request.QueryString["UserString"]) %>

    ' Perform some action on s

    </script>

     




    For more details, see: http://msdn.microsoft.com/en-us/library/aa973813.aspx
    Original post: https://www.cnblogs.com/luyinghuai/p/1231675.html