XSS是否可以通过MailAddress类?
[英]Is XSS possible through the MailAddress class?
问题描述
Considering I parse user input, which is supposed to be an email address, into the MailAdress class: 
考虑到我将用户输入(应该是电子邮件地址)解析到MailAdress类中:
var mailString = Request.QueryString["mail"];
var mail = new MailAddress(mailString);
Is there any possibility left for a cross-site-scripting attack if I output the MailAddress object later in any way? 如果我以后以任何方式输出MailAddress对象,是否有可能留下跨站点脚本攻击? For example through a Literal control in WebForms: 例如,通过WebForms中的Literal控件:
litMessage.Text = "Your mail address is " + mail.Address;
Is it necessary to sanitize the outpout even though I made sure that the address is a valid email address by parsing the string? 即使我通过解析字符串确保地址是有效的电子邮件地址,是否有必要清理出口?
From what I could gather the RFC for mail addresses is pretty complicated, so I am unsure if cross site scripts can be hidden in a mail address considered valid by .NET. 从我可以收集的RFC邮件地址非常复杂,所以我不确定跨站点脚本是否可以隐藏在.NET认为有效的邮件地址中。
EDIT: 编辑:
MSDN says that > and < brackets are allowed in an email address: MSDN说在电子邮件地址中允许使用>和<括号:
The address parameter can contain a display name and the associated e-mail address if you enclose the address in angle brackets.
So the question remains if this is enough for an XSS attack and/or if the MailMessage class does anything to escape dangerous parts. 所以问题仍然存在,如果这对于XSS攻击是否足够和/或MailMessage类是否做了什么来逃避危险的部分。
2 个解决方案
解决方案1
0 2013-04-16 17:52:18
Generally speaking, you shouldn't need to validate the output later. 一般来说,您不需要稍后验证输出。 However, I always recommend that you do so for the following reasons: 但是,我总是建议您这样做,原因如下:
- There may be a hole somewhere in your app that doesn't validate the input properly. 您的应用中某处可能存在漏洞,无法正确验证输入。 This could be discovered by an attacker and used for XSS. 这可以由攻击者发现并用于XSS。 This is especially possible when many different devs are working on the app. 当许多不同的开发人员正在使用该应用程序时,这尤其可行。
- There may be old data in the database that was stored before implementing/updating your filter on the input. 在输入上实现/更新过滤器之前,数据库中可能存在旧数据。 This could contain malicious code that could be used for XSS. 这可能包含可用于XSS的恶意代码。
- Attackers are very clever and can usually figure out a way to beat a filter. 攻击者非常聪明,通常可以找到一种方法来击败过滤器。 Microsoft puts a lot of attention on preventing this, but it's never going to perfect. 微软非常注重防止这种情况,但它永远不会完美。 It makes the attackers job that much harder if they face and outgoing filter as well and as incoming filter. 如果攻击者面对和传出过滤器以及传入过滤器,它会使攻击者的工作变得更加困难。
I know it's a pain to constantly filter, but there is a lot of value in doing so. 我知道不断过滤会很痛苦,但这样做有很多价值。 A Defense-in-Depth strategy is necessary in today's world. 在当今世界,必须采取纵深防御战略。
Edit: 编辑:
Sorry I didn't really answer the second part of your question. 对不起,我没有真正回答你问题的第二部分。 Based on the documentation I don't get the impression that the API is focused on sanitizing as much as it is on verifying valid formatting. 根据文档,我不会觉得API专注于消毒,就像验证有效格式一样。 Therefore I don't know that it is safe to rely on it for security purposes. 因此,我不知道出于安全目的而依赖它是安全的。
However, writing your own sanitizer isn't terribly hard, and you can update it immediately if you find flaws. 但是,编写自己的消毒剂并不是非常困难,如果发现缺陷,可以立即更新。 First run the address through a good RegEx filter (see: Regex Email validation ), then recursively remove every nonvalid character in an email address (these shouldn't get through at this point but do this for comprehensiveness and in case you want to reuse the class elsewhere), then escape every character with HTML meaning. 首先通过一个好的RegEx过滤器运行地址(参见:正则表达式电子邮件验证 ),然后以递归方式删除电子邮件地址中的每个无效字符(这些不应该在此时通过,但为了全面性而这样做,以防您想重复使用其他类),然后用HTML意义转义每个字符。 I emphasize the recursive application of the filter because attackers can take advantage of a non-recursive filter with stuff like this: 我强调过滤器的递归应用,因为攻击者可以利用这样的东西的非递归过滤器:
<scr<script>ipt>
Notice that a nonrecursive filter would remove the middle occurence of <script> and leave the outer occurrence in tact. 请注意,非递归过滤器将删除<script>的中间出现并使外部事件保持完整。
解决方案2
0 2013-04-17 10:04:03
Is it necessary to sanitize the outpout
You don't 'sanitise' output, you encode it. 你没有'清理'输出,你编码它。 Every string that you output into an HTML document needs to be HTML-encoded, so if there was a < character in the mail address it wouldn't matter - you'd get < 您输出到HTML文档中的每个字符串都需要进行HTML编码,因此如果邮件地址中有<字符无关紧要 - 您将获得< in the HTML source as a result and that would display correctly as a literal < on the page. 作为结果在HTML源中,它将在页面上正确显示为文字< 。
Many ASP.NET controls automatically take care of HTML-escaping for you, but Literal does not by default because it can be used to show markup. 许多ASP.NET控件会自动为您处理HTML转义,但默认情况下Literal不会因为它可用于显示标记。 But if you set the Mode property of the Literal control to Encode then setting the Text like you're doing is perfectly fine. 但是如果你将Literal控件的Mode属性设置为Encode那么设置Text就像你正在做的那样完全没问题。
You should make sure you always use safe HTML-encoded output every time you put content into an HTML page, regardless of whether you think the values you're using will ever be able to include a < character. 每次将内容放入HTML页面时,都应确保始终使用安全的HTML编码输出,无论您认为您使用的值是否能够包含<字符。 This is a separation-of-concerns issue: HTML output code knows all about HTML formatting, but it shouldn't know anything about what characters are OK in an e-mail address or other application field. 这是一个值得关注的问题:HTML输出代码知道HTML格式的所有内容,但它不应该知道电子邮件地址或其他应用程序字段中哪些字符正常。
Leaving out an escape because you think the value is 'safe' introduces an implicit and fragile coupling between the output stage and the input stage, making it difficult to verify that the code is safe and easy to make it unsafe when you make changes. 因为您认为值是“安全”而导致逃逸,会在输出阶段和输入阶段之间引入隐含且脆弱的耦合,从而难以验证代码是否安全且易于在进行更改时使其不安全。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.