Handle cross site scripting flaw raised by Veracode

We have a legacy web application in ASP.Net and C#, for which we are getting around 400 plus cross site scripting flaws raised by the Veracode scan. I have created a sample web application and simulated the issue, and found that whenever we are using any string input directly it's raising the flaw. Doing HttpUtility.HtmlEncode(TextBox1.Text); satisfies Veracode, however applying this change in all 400 places is not feasible as then there would be a huge amount of work and testing effort. I am looking for some way to implement some plug-in in an HttpHandler so that all the inputs get encoded at one place and we don't have to change it everywhere. Can someone please steer me if this is possible? If yes, even if you can guide me on just an approach, that would be good enough to have a direction at least. Many thanks in advance.

// Page code-behind: each text box value is HTML-encoded before it reaches Response.Write.
StringOps strop = new StringOps();
string txt1, txt2;
txt1 = HttpUtility.HtmlEncode(TextBox1.Text);
txt2 = HttpUtility.HtmlEncode(TextBox2.Text);
Response.Write(strop.Add(txt1, txt2));

If I remove the HttpUtility.HtmlEncode lines Veracode complains about it. Since there are so many places where we are doing these string operations, implementing this everywhere is not feasible. Would it be possible to have this encoding implemented in a single place, with all the requests and responses going through that pipeline, e.g. an HttpHandler or HttpModule?

You can accomplish this with a custom HttpModule that conditionally assigns to HttpResponse.Filter to intercept and process HttpResponse.Write usage.


Module Example

This example uses the value of the Content-Type header of the request to determine whether the HTML encoding should be applied.

using System;
using System.IO;
using System.Web;

public class FilterResponseWriteModule : IHttpModule, IDisposable
{
    private Stream filterStream;

    public FilterResponseWriteModule()
    {
    }

    public void Init(HttpApplication context)
    {
        // Hook BeginRequest so the filter is in place before any Response.Write runs.
        context.BeginRequest += Context_BeginRequest;
    }

    private void Context_BeginRequest(object sender, EventArgs e)
    {
        var context = ((HttpApplication)sender).Context;

        if (ShouldApplyFilter(context.Request))
            ApplyFilter(context.Response);
    }

    private bool ShouldApplyFilter(HttpRequest request)
    {
        // Only wrap responses to requests whose Content-Type is text/plain;
        // adjust this predicate to select the responses you want encoded.
        return string.Equals(request.ContentType, @"text/plain", StringComparison.OrdinalIgnoreCase);
    }

    private void ApplyFilter(HttpResponse response)
    {
        // Chain our stream in front of the existing filter so every byte written
        // to the response passes through EncodeStreamFilter first.
        filterStream = new EncodeStreamFilter(response.Filter);
        response.Filter = filterStream;
    }

    public void Dispose()
    {
        // IHttpModule.Dispose runs when the application shuts down, not per request.
        if (filterStream != null)
        {
            filterStream.Dispose();
        }
    }
}

Filter Stream Example (encapsulate and override)

Stream is an abstract class, so it will generate all the relevant override method stubs.

using System;
using System.IO;
using System.Text;
using System.Web;

public class EncodeStreamFilter : Stream
{
    private readonly Stream _baseStream;

    // A stateful decoder carries the trailing bytes of an incomplete UTF-8
    // sequence over to the next Write, so a multi-byte character that is
    // split across two response chunks is not corrupted.
    private readonly Decoder _decoder = Encoding.UTF8.GetDecoder();

    public EncodeStreamFilter(Stream responseFilter)
    {
        _baseStream = responseFilter;
    }

    public override void Write(byte[] buffer, int offset, int count)
    {
        // Decode this chunk (plus any bytes held over from the previous one),
        // HTML-encode the text and hand the encoded bytes to the real filter.
        char[] chars = new char[_decoder.GetCharCount(buffer, offset, count)];
        int charCount = _decoder.GetChars(buffer, offset, count, chars, 0);
        string text = new string(chars, 0, charCount);

        byte[] encodedBytes = Encoding.UTF8.GetBytes(HttpUtility.HtmlEncode(text));

        _baseStream.Write(encodedBytes, 0, encodedBytes.Length);
    }

    public override bool CanRead
    {
        get
        {
            return _baseStream.CanRead;
        }
    }

    public override bool CanSeek
    {
        get
        {
            return _baseStream.CanSeek;
        }
    }

    public override bool CanWrite
    {
        get
        {
            return _baseStream.CanWrite;
        }
    }

    public override long Length
    {
        get
        {
            return _baseStream.Length;
        }
    }

    public override long Position
    {
        get
        {
            return _baseStream.Position;
        }

        set
        {
            _baseStream.Position = value;
        }
    }

    public override void Flush()
    {
        _baseStream.Flush();
    }

    public override int Read(byte[] buffer, int offset, int count)
    {
        return _baseStream.Read(buffer, offset, count);
    }

    public override long Seek(long offset, SeekOrigin origin)
    {
        return _baseStream.Seek(offset, origin);
    }

    public override void SetLength(long value)
    {
        _baseStream.SetLength(value);
    }

    protected override void Dispose(bool disposing)
    {
        // Release the wrapped stream on an explicit Dispose, not from the finalizer.
        if (disposing)
        {
            _baseStream.Dispose();
        }
        base.Dispose(disposing);
    }
}

Add Module to Web.Config

Note: In this case, I've defined the module as a class in the App_Start folder of my application.

<system.webServer>
    <modules>
        <add name="FilterResponseWriteModule" type="HttpModulesTestApp.App_Start.FilterResponseWriteModule"/>
    </modules>
</system.webServer>
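An added stand-alone check of the filter approach in this answer (example code, not the answer's or the project's own; the class and method names are hypothetical): it wraps a MemoryStream in the same kind of HTML-encoding Stream, uses a stateful Decoder so a UTF-8 character split across two Write calls survives, and pushes a constructed reflected value through it. It also makes the approach's limit visible: every byte passing through is encoded, markup included, which is why the module gates on content type instead of wrapping every page. Assumes HttpUtility from System.Web (System.Web.dll on .NET Framework, System.Web.HttpUtility on modern .NET).

```csharp
using System;
using System.IO;
using System.Text;
using System.Web; // HttpUtility

// Hypothetical minimal counterpart of the answer's EncodeStreamFilter: HTML-encodes everything written through it.
public class HtmlEncodingStream : Stream
{
    private readonly Stream _inner;
    // Stateful decoder: trailing bytes of an unfinished UTF-8 sequence are kept until the next Write.
    private readonly Decoder _decoder = Encoding.UTF8.GetDecoder();
    public HtmlEncodingStream(Stream inner) { _inner = inner; }

    public override void Write(byte[] buffer, int offset, int count)
    {
        var chars = new char[_decoder.GetCharCount(buffer, offset, count)];
        int n = _decoder.GetChars(buffer, offset, count, chars, 0);
        byte[] encoded = Encoding.UTF8.GetBytes(HttpUtility.HtmlEncode(new string(chars, 0, n)));
        _inner.Write(encoded, 0, encoded.Length);
    }

    public override bool CanRead => false;
    public override bool CanSeek => false;
    public override bool CanWrite => true;
    public override long Length => throw new NotSupportedException();
    public override long Position { get => throw new NotSupportedException(); set => throw new NotSupportedException(); }
    public override void Flush() => _inner.Flush();
    public override int Read(byte[] b, int o, int c) => throw new NotSupportedException();
    public override long Seek(long o, SeekOrigin s) => throw new NotSupportedException();
    public override void SetLength(long v) => throw new NotSupportedException();
}

public static class FilterDemo
{
    public static void Main()
    {
        // Constructed sample: a reflected value that would be XSS if written raw,
        // followed by a 3-byte UTF-8 character (€ = E2 82 AC) that we split across two writes.
        byte[] payload = Encoding.UTF8.GetBytes("<script>alert(1)</script> €5");
        var sink = new MemoryStream();
        using (var filter = new HtmlEncodingStream(sink))
        {
            int cut = payload.Length - 2;          // cuts inside the € byte sequence
            filter.Write(payload, 0, cut);
            filter.Write(payload, cut, payload.Length - cut);
        }
        Console.WriteLine(Encoding.UTF8.GetString(sink.ToArray()));
    }
}
```

Run it as a console program: the script tag comes out entity-encoded, while the € sign, whose bytes were split between the two writes, is reassembled intact because the decoder kept its state between calls.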

Listen, I also have a legacy site in ASP.NET 1.0 or 2.0. We did change its framework to 4.0.

So, my suggestion is to change its framework and run a smoke test; some issues might come up, then resolve them as expected, and then come to the primary concern of handling things like Response.Write. As ASP.NET is now open source, get that code and make minimal changes in the core functions to get your things done; try to utilize partial functionality as much as possible, or anything like this, in order to upgrade without losing your changes.
