跨站点脚本攻击开发攻击在那些没有进行输入验证和输入编码的web应用程序中,并嵌入到输出数据当中.恶意的用户可以注入客户端的脚本到输出数据中,并导致正常的用户浏览页面时,脚本代码被执行。攻击脚本代码将来自于一个信任的站点并且可能绕过浏览器的安装设置。 那些攻击是平台和浏览器无关的,它将允许恶意的用户在平台上执行恶意的行为,比如在客户端给未获得授权的访问,像cookies或者劫持整个session.
在web应用程序中,简单的开发人员保护XSS 攻击包括:
1,验证和限制用户的输入
2,encoding 输出的内容。
下面,我们介绍Microsoft Anti-Cross Site Scripting Library
1
About the Anti-Cross Site
Scripting Library V1.5
The Microsoft Anti-Cross Site Scripting Library can be
used to provide additional protection to ASP.NET Web-based applications against
Cross-Site Scripting (XSS) attacks. This release of the library exposes the
following methods:
|
Encoding Method |
Description |
|
HtmlEncode |
Encodes
input strings for use in HTML |
|
HtmlAttributeEncode |
Encodes
input strings for use in HTML attributes |
|
JavaScriptEncode |
Encodes
input strings for use in JavaScript |
|
UrlEncode |
Encodes input strings
for use in Universal Resource Locators (URLs) |
|
VisualBasicScriptEncode |
Encodes
input strings for use in Visual Basic Script |
|
XmlEncode |
Encodes
input strings for use in XML |
|
XmlAttributeEncode |
Encodes
input strings for use in XML attributes |
Namespace: Microsoft.Security.Application
Assembly: AntiXss or AntiXSSLibrary (in
AntiXssLibrary.dll)
For use with:
¾ .NET
Framework: 1.1, 2.0
¾ Platforms:
Windows 2003, Windows XP and Windows 2000
|
namespace
Microsoft.Application.Security { public class AntiXss { public static string
HtmlEncode(string s); public static string
HtmlAttributeEncode(string s); public static string
JavaScriptEncode(string s); public static string
UrlEncode(string s); public static string
VisualBasicScriptEncode(string s); public static string
XmlEncode(string s); public static string
XmlAttributeEncode(string s); } } |
2,How to use the MS anti-scross Liraly v1.5.
This section shows how developers can use the
Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET
Web-applications from XSS attacks in addition to other countermeasures such as
input validation.
To properly use the Microsoft Anti-Cross Site
Scripting Library to protect their ASP.NET Web-applications, developers need
to:
¾ Step
1: Review ASP.NET
code that generates output
¾ Step
2: Determine whether
output includes un-trusted input parameters
¾ Step
3: Determine the
context which the un-trusted input is used as output
¾ Step
4: Encode output
Step 1: Review
ASP.NET Code that Generates Output
XSS attacks are dependent on the ability of un-trusted
input to be embedded as output, and so code that generates output must first be
identified. Some common vectors include
calls to Response.Write and ASP <% = calls.
Step 2: Determine
if Output Could Contain Un-Trusted Input
Once the sections of code that generate output have
been identified, they should be analysed to determined if the output may
contain un-trusted input such as input from users or from some other un-trusted
source. If the output does contain
un-trusted input then that un-trusted input will require encoding. Some common sources of un-trusted input
include:
¾ Application variables
¾ Cookies
¾ Databases
¾ Form fields
¾ Query
string variables
¾ Session variables
If
it is uncertain that the output may contain un-trusted input, then it is best
to err on the side of caution and encode the output anyways.
Step 3: Determine
Encoding Method to Use
Determine the proper encoding method to use. This will be dependent on the context of how
the un-trusted input is being used. For
example, if the un-trusted input will be used to set an HTML attribute, then
the Microsoft.Security.Application.HtmlAttributeEncode method should be used to
encode the un-trusted input.
|
// Vulnerable code // Note that un-trusted
input is being as an HTML attribute Literal1.Text = “<hr
noshade size=[un-trusted input here]>”; // Modified code Literal1.Text = “<hr
noshade size=”+Microsoft.Security.Application.AntiXss.HtmlAttributeEncode([un-trusted input here])+”>”; |
Alternatively, if the un-trusted input will be used
within the context of JavaScript, then Microsoft.Security.Application.JavaScriptEncode
should be used to encode.
Use the following table to help determine the
appropriate encoding method to use to encode output that may contain un-trusted
input.
|
Encoding Method |
Should be Used if … |
Example / Pattern |
|
HtmlEncode |
Un-trusted
input is used in HTML output, except when assigning to an HTML attribute. |
<a
href=”http://www.contoso.com”>Click Here [Un-trusted input]</a> |
|
HtmlAttributeEncode |
Un-trusted
input is used as an HTML attribute |
<hr
noshade size=[Un-trusted input]> |
|
JavaScriptEncode |
Un-trusted
input is used within a JavaScript context |
<script
type=”text/javascript”> … [Un-trusted
input] … </script> |
|
UrlEncode |
Un-trusted input is used
in a URL (such as a value in a querystring) |
<a href=”http://search.msn.com/results.aspx?q=[Un-trusted-input]”>Click
Here!</a> |
|
VisualBasicScriptEncode |
Un-trusted
input is used within a Visual Basic Script context |
<script
type=”text/vbscript” language=”vbscript”> … [Un-trusted
input] … </script> |
|
XmlEncode |
Un-trusted
input is used in XML output, except when assigning to a XML attribute. |
<xml_tag>[Un-trusted input]</xml_tag> |
|
XmlAttributeEncode |
Un-trusted
input is used as a XML attribute |
<xml_tag
attribute=[Un-trusted input]>Some
Text</xml_tag> |
A sample Web-application that demonstrations how and
when to use each of the above encoding methods can be found in the ‘Samples’
installation directory.
Step 4: Encode
Output
Use the appropriate encoding method to encode output
(see Step 3). Some important things to
remember about encoding outputs:
¾ Outputs should be encoded once.
¾ Output
encoding should be done as close to the actual writing of the output as
possible. For example, if an application
is reading user input, processing the input and then writing it back out in
some form, then encoding should happen just before the output is written.
|
// Incorrect sequence protected
void Button1_Click(object sender, EventArgs e) { // Read input String Input = TextBox1.Text; // Encode un-trusted input Input =
Microsoft.Security.Application.AntiXss.HtmlEncode(Input); // Process input ... // Write Output Response.Write(“The input you gave was”+Input); } // Correct
Sequence protected
void Button1_Click(object sender, EventArgs e) { // Read input String Input = TextBox1.Text; // Process input ... // Encode un-trusted input and write output Response.Write(“The input you gave was”+ Microsoft.Security.Application.AntiXss.HtmlEncode(Input)); } |
A sample ASP.NET 2.0 Web-application that demonstrates
the proper use of each of the encoding methods exposed by the Microsoft
Anti-Cross Site Scripting Library V1.5 can be found in the ‘Samples’
installation directory.
Example
#1: Using HtmlEncode
The following code example html-encodes a string
before sending it to a browser client.
In this example, the HtmlEncode
method of the Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
<html> <b> Hello,
<%= AntiXss.HtmlEncode(Request.Form[“UserName”])
%> </b> </html> |
Example #2:
Using HtmlAttributeEncode
The following code example encodes an html attribute
before sending it to a browser client.
In this example, the HtmlAttributeEncode
method of the Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
<html> <img
src=”/users/user.gif” id=<%= AntiXss.HtmlAttributeEncode(Request.Form[“ID”])
%> > </html> |
Example #3:
Using URLEncode
The following code example URL-encodes a string before
sending it to a browser client. In this
example, the UrlEncode method of the
Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
using
System; using
System.Web; using
System.IO; using
Microsoft.Security.Application; ... String MyURL; MyURL =
"http://www.contoso.com/articles.aspx?title="; // Read user-input String Title =
TextBox1.Text; // <-- Un-trusted
input! // Write out URL and encode
potentially dangerous user-input! Response.Write( "<A
HREF = " MyUrl + AntiXss.UrlEncode(Title)
+ "> ASP.NET Examples
<br>" ); ... |
Remember that UrlEncode should be used to encode only
un-trusted values used within URLs such as in query string values. If the URL itself is the source of un-trusted
input, then input validation with regular expressions should be used.
|
using
System.Text.RegularExpressions; ... String
URL_REGEX =
@"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&%\$#_]*)?$"; ... String SuspectURL
= Text1.Text; // <-- Un-trusted
input! ... // Validate
the URL with regular expressions if
(Regex.IsMatch(SuspectURL,URL_REGEX)) { // This is
a valid URL so doing something with it } |
|
else { // This is
a potential attack! Play it safe and
error-out } |
Example #4:
Using JavaScriptEncode
The following code example encodes a string used in a
JavaScript context before sending it to a browser client. In this example, the JavaScriptEncode method of the Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
<script
language=”javascript”> String s =
<% =AntiXss.JavaScriptEncode(Request.QueryString[“UserString”])
%>; // Perform
some action on s </script> |
Example #5:
Using VisualBasicScriptEncode
The following code example encodes a string used in a Visual
Basic Script context before sending it to a browser client. In this example, the VisualBasicScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to
perform the encoding.
|
<script
language=”vbscript”> String s =
<% =AntiXss.VisualBasicScriptEncode(Request.QueryString[“UserString”])
%>; // Perform
some action on s </script> |
In detail ,please link to :
A sample ASP.NET 2.0 Web-application that demonstrates
the proper use of each of the encoding methods exposed by the Microsoft
Anti-Cross Site Scripting Library V1.5 can be found in the ‘Samples’
installation directory.
Example
#1: Using HtmlEncode
The following code example html-encodes a string
before sending it to a browser client.
In this example, the HtmlEncode
method of the Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
<html> <b> Hello,
<%= AntiXss.HtmlEncode(Request.Form[“UserName”])
%> </b> </html> |
Example #2:
Using HtmlAttributeEncode
The following code example encodes an html attribute
before sending it to a browser client.
In this example, the HtmlAttributeEncode
method of the Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
<html> <img
src=”/users/user.gif” id=<%= AntiXss.HtmlAttributeEncode(Request.Form[“ID”])
%> > </html> |
Example #3:
Using URLEncode
The following code example URL-encodes a string before
sending it to a browser client. In this
example, the UrlEncode method of the
Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
using
System; using
System.Web; using
System.IO; using
Microsoft.Security.Application; ... String MyURL; MyURL =
"http://www.contoso.com/articles.aspx?title="; // Read user-input String Title =
TextBox1.Text; // <-- Un-trusted
input! // Write out URL and encode
potentially dangerous user-input! Response.Write( "<A
HREF = " MyUrl + AntiXss.UrlEncode(Title)
+ "> ASP.NET Examples
<br>" ); ... |
Remember that UrlEncode should be used to encode only
un-trusted values used within URLs such as in query string values. If the URL itself is the source of un-trusted
input, then input validation with regular expressions should be used.
|
using
System.Text.RegularExpressions; ... String
URL_REGEX =
@"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&%\$#_]*)?$"; ... String SuspectURL
= Text1.Text; // <-- Un-trusted
input! ... // Validate
the URL with regular expressions if
(Regex.IsMatch(SuspectURL,URL_REGEX)) { // This is
a valid URL so doing something with it } |
|
else { // This is
a potential attack! Play it safe and
error-out } |
Example #4:
Using JavaScriptEncode
The following code example encodes a string used in a
JavaScript context before sending it to a browser client. In this example, the JavaScriptEncode method of the Microsoft.Security.Application.AntiXss
class is being used to perform the encoding.
|
<script
language=”javascript”> String s =
<% =AntiXss.JavaScriptEncode(Request.QueryString[“UserString”])
%>; // Perform
some action on s </script> |
Example #5:
Using VisualBasicScriptEncode
The following code example encodes a string used in a Visual
Basic Script context before sending it to a browser client. In this example, the VisualBasicScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to
perform the encoding.
|
<script
language=”vbscript”> String s =
<% =AntiXss.VisualBasicScriptEncode(Request.QueryString[“UserString”])
%>; // Perform
some action on s </script> |
更详细的信息请访问:http://msdn.microsoft.com/en-us/library/aa973813.aspx