
ResolveUrl XSS alternative

After the research published showing that .aspx routes are vulnerable to reflected XSS, what is the recommended alternative to using Page.ResolveUrl or Control.ResolveUrl? The linked article doesn't suggest any mitigations.

Summary of the linked research:

  • For .aspx pages (not MVC), even if you don't have cookieless sessions enabled, ASP.NET still parses those "special" URL formats such as http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx
  • it includes them in the page output whenever you use ResolveUrl.
  • Thus it creates an attack vector where a call like ResolveUrl("~/Images/logo.png") will inject content of the attacker's choice into your page output, eg
/(S("onerror="alert`1`"))/Images/logo.png

I've posted one possible answer below but am looking for better ideas.

Note that ResolveClientUrl is not a direct replacement since it generates a relative URL, eg ../Images/logo.png, unlike ResolveUrl which generates a root URL, eg /myapp/Images/logo.png

One approach is to use HttpRuntime.AppDomainAppVirtualPath instead of the special tilde syntax. So the example from above...

Instead of:

ResolveUrl( "~/Images/logo.png" )

We would have:

HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"

Slightly less concise, but it seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.
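The same idea as the answer above, packaged as a reusable helper. This is an added example, not code from the original post: it builds the root-absolute URL from HttpRuntime.AppDomainAppVirtualPath and never calls Page.ResolveUrl, Control.ResolveUrl or HttpResponse.ApplyAppPathModifier (the cookieless app-path rewriting that, as I understand it, is where the "(S(...))" segment gets copied into the output). The class and method names (AppUrl.Absolute) are my own; the only framework calls are HttpRuntime.AppDomainAppVirtualPath, Uri.EscapeDataString and ordinary string handling.

```csharp
using System;
using System.Web;

// Added example (not from the original post): a root-absolute URL builder for
// "~/..." paths that does not consult the request URL at all, so the
// "(S(...))" cookieless segment of the incoming request cannot leak into
// the rendered page. Name and shape are hypothetical.
public static class AppUrl
{
    public static string Absolute(string appRelativePath)
    {
        if (appRelativePath == null)
            throw new ArgumentNullException("appRelativePath");
        if (!appRelativePath.StartsWith("~/", StringComparison.Ordinal))
            throw new ArgumentException("Expected an app-relative path of the form \"~/...\".", "appRelativePath");

        // AppDomainAppVirtualPath is "/" for a root-deployed app and "/myapp"
        // for a sub-application; trimming the trailing slash lets both cases
        // concatenate cleanly with the "/..." remainder below.
        string root = HttpRuntime.AppDomainAppVirtualPath.TrimEnd('/');

        // Drop the "~" and split off any query string so only the path part
        // is segment-encoded. The query is the caller's literal, not request input.
        string path = appRelativePath.Substring(1);
        string query = "";
        int q = path.IndexOf('?');
        if (q >= 0)
        {
            query = path.Substring(q);
            path = path.Substring(0, q);
        }

        // Percent-encode each path segment and refuse ".." so a caller cannot
        // build a URL that escapes the application root.
        string[] segments = path.Split('/');
        for (int i = 0; i < segments.Length; i++)
        {
            if (segments[i] == "..")
                throw new ArgumentException("Parent-directory segments are not allowed.", "appRelativePath");
            segments[i] = Uri.EscapeDataString(segments[i]);
        }

        // path began with "/", so segments[0] is "" and the join restores the leading slash.
        return root + string.Join("/", segments) + query;
    }
}

// Usage in markup, using the HTML-encoding <%: %> expression syntax so the
// value is attribute-safe when written into the page:
//
//   <img src="<%: AppUrl.Absolute("~/Images/logo.png") %>" alt="logo" />
//
// For an app deployed at /myapp this renders /myapp/Images/logo.png; for a
// root-deployed app it renders /Images/logo.png, regardless of whether the
// request was for /(S(...))/page.aspx.
```

Two checks worth doing after switching: request a page using the helper with the "(S(...))" form from the question (the payload with the quote and onerror in the session slot) and confirm the rendered src attribute contains neither the "(S(" segment nor any of the injected text; and grep the project for remaining ResolveUrl calls, since the helper only protects the call sites you actually change, not any control property that is still resolved through ResolveUrl internally. Keep the <%: %> (or an explicit HttpUtility.HtmlAttributeEncode) at the output point; the helper produces a URL, not HTML.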

Use ResolveClientUrl instead of ResolveUrl. ResolveClientUrl will not allow XSS.

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you need to repost them, please credit this site or the original address. For any questions, contact yoyou2525@163.com.

Guangdong ICP registration no. 18138465 © 2020-2024 STACKOOM.COM