[英]ResolveUrl XSS alternative
After the research published showing that.aspx routes are vulnerable to reflected XSS , what is the recommended alternative to using Page.ResolveUrl
or Control.ResolveUrl
?在发布的研究显示 .aspx 路由易受反射 XSS 攻击后,推荐使用
Page.ResolveUrl
或Control.ResolveUrl
的替代方法是什么? The linked article doesn't suggest any mitigations.链接的文章没有建议任何缓解措施。
Summary of the linked research:相关研究摘要:
http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
ResolveUrl
.ResolveUrl
时,它都会将它们包含在页面 output 中。ResolveUrl( "~/Images/logo.png" )
will inject content of the attacker's choice into your page output, egResolveUrl( "~/Images/logo.png" )
这样的调用会将攻击者选择的内容注入您的页面 output,例如/(S("onerror="alert`1`"))/Images/logo.png`
I've posted one possible answer below but am looking for better ideas.我在下面发布了一个可能的答案,但我正在寻找更好的想法。
Note that ResolveClientUrl
is not a direct replacement since it generates a relative Url, eg ../Images/logo.png
unlike ResolveUrl
which generates a root Url eg /myapp/Images/logo.png
请注意,
ResolveClientUrl
不是直接替换,因为它生成相对 Url,例如../Images/logo.png
不像ResolveUrl
生成根 Url,例如/myapp/Images/logo.png
One approach is to use HttpRuntime.AppDomainAppVirtualPath
instead of the special tilde syntax.一种方法是使用
HttpRuntime.AppDomainAppVirtualPath
而不是特殊的波浪号语法。 So the example from above...所以上面的例子......
Instead of:代替:
ResolveUrl( "~/Images/logo.png" )
We would have:我们会有:
HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"
Slightly less concise but seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.稍微不那么简洁,但似乎在不调用古老的“无cookie”路由解析的情况下完成了同样的事情。
Use ResolveClientUrl
instead of ResolveUrl
.使用
ResolveClientUrl
而不是ResolveUrl
。 ResolveClientUrl
will not allow XSS. ResolveClientUrl
不允许 XSS。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.