Blazor 和 SignalR - 在存储和呈现纯字符串文本时,XSS 或其他攻击如何可能?
[英]Blazor with SignalR - how is an XSS or other attack possible when storing and rendering plain string text?
问题描述
In a Blazor Server with SignalR chat app, I'm taking user input in an <input> element, binding it to a string in the @code section, and storing that string in the db as a parameterized query.
在带有 SignalR 聊天应用程序的 Blazor 服务器中,我在<input>元素中获取用户输入,将其绑定到 @code 部分中的字符串,并将该字符串作为参数化查询存储在数据库中。 I believe this is enough to prevent a 1st order sql injection.我相信这足以防止一阶 sql 注入。
I'm displaying the same string back to the user on the frontend, and all other users connected to the chat app, both via SignalR and also later on page reload from the string being retrieved from the db, via simply rendering it as a string again (the strings are saved to a string array, loops in the.razor file, and rendered in a <p> tag), example:我正在通过 SignalR 向前端用户和连接到聊天应用程序的所有其他用户显示相同的字符串,之后通过简单地将其呈现为字符串,从从数据库检索的字符串重新加载页面再次(字符串保存到字符串数组,在.razor文件中循环,并在<p>标签中渲染),例子:
<ul id="messagesList">
@foreach (var message in userInputtedMessages)
{
<li>@message</li>
}
</ul>
From all the research I've done, I believe my implementation may be vulnerable to XSS attacks, but I can't see how, since whatever HTML or javascript, or C# code I input there as a message, it's simply rendered as plain text.从我所做的所有研究来看,我相信我的实现可能容易受到 XSS 攻击,但我看不出如何,因为无论 HTML 或 javascript,还是 C# 代码我在那里作为消息输入,它只是呈现为纯文本.
I'm not using any form of input/output sanitzation, but merely storing the input as a string, parsing it as a parameterized query into the sql db, where its only use is to be used for the frontend again as a displayed message (also a string).我没有使用任何形式的输入/输出清理,而只是将输入存储为字符串,将其作为参数化查询解析到 sql 数据库中,它的唯一用途是作为显示消息再次用于前端(也是一个字符串)。
Is this vulnerbable to XSS?这是否容易受到 XSS 攻击? And in particular if it is, could an example please be given as to how this is so?特别是如果是这样的话,能否举例说明这是怎么回事? My understanding of an actual XSS attack like this is limited and I cannot see what the issue is other than many posts saying "always sanitize output", etc.我对像这样的实际 XSS 攻击的理解是有限的,除了许多帖子说“始终清理输出”等,我看不出问题是什么。
My question is why?我的问题是为什么? How is this vulnerable?这有多脆弱?
1 个解决方案
解决方案1
2 已采纳 2023-01-26 08:11:56
As a general rule of thumb, you should always take steps when processing user input, so the advice is sound.作为一般经验法则,在处理用户输入时您应该始终采取步骤,因此建议是合理的。 Some frameworks (such as ASP.NET Core) put protections in place on your behalf.一些框架(例如 ASP.NET Core)会为您提供保护。
By default, Razor HTML encodes all strings that it is asked to render.默认情况下,Razor HTML 对要求呈现的所有字符串进行编码。 This mitigates against XSS attacks.这减轻了 XSS 攻击。 You have to take steps to bypass this protection to render the string as raw HTML by casting to MarkupString in Blazor or using HTML.Raw() in Razor Pages/MVC.您必须采取措施绕过此保护,通过转换为MarkupString中的 MarkupString 或在 Razor Pages/MVC 中使用HTML.Raw()来将字符串呈现为原始 HTML。 At that point, you should take responsibility for any sanitising that your application requires.届时,您应该对您的应用程序所需的任何清理负责。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.