stackoom
  简体   繁体   中英

How to protect or secured ASP.NET MVC from XSS?

 原文  2017-08-16 02:41:38       c#/ asp.net-mvc/ security/ asp.net-mvc-5

Question

I'm creating a web application using the latest version of ASP.NET MVC 5.2.3. I just concern in XSS attack. I figure out in ASP.NET Core is perfectly working protecting from this attack the XSS and this framework totally amazing but it lacked third party I need to my project. Here's my concern. I already enabled the custom error too but I disabled it currently for testing.

But I want to make sure this will catch also.

  1. Input Validation is passed. To avoid this exception or error.

A potentially dangerous Request.Form value was detected from the client (Name="").

using, the [AllowHtml] attribute this is fine or using the AntiXss library.

  1. But, from the URL. Example URLs,

    http://localhost:54642/Employees/ 

     http://localhost:54642/Employees/?a=<script>

link or url

this error should like,

A potentially dangerous Request.Path value was detected from the client (<).

So my solution is enabling this from Web.config then it works!

But Troy Hunt said from his tutorial this is not a good or better practice for this error. So I decided to look the best solution from this XSS attack.

3 answers

solution1
 3  2017-08-16 02:47:06

In my form I normally add this anti-forgery token

 @Html.AntiForgeryToken()

then on my controller I made sure validate the token

[ValidateAntiForgeryToken]

also when passing the variable or data, I always declare correct variable. Anyways if its member area page you can always restrict access to correct member roles example like

  [Authorize] // for registered user

  or more filtered

  [Authorize(Roles = "SUBSCRIBER.VIEW")]

Below is only applicable for .net 4.5 and above

  // web.config 
  <system.Web> 
     <httpRuntime targetFramework="4.5" />
  </system.Web>

 // enabling anti-xss 
   <httpRuntime targetFramework="4.5" encoderType="System.Web.Security.AntiXss.AntiXssEncoder,System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" />

Request validation Lazy validation was introduced in ASP.NET 4.5, I just did some testing on it and it seems that lazy validation is the enabled regardless of how you set the "requestValidationMode", after you've installed the 4.5 framework.

solution2
 1  2017-08-29 20:25:29

Check out OWASP site. Here is the common ones I add in system.web in web.config file of a webapi app.

<httpProtocol>
  <customHeaders>
    <remove name="Server" />
    <remove name="X-Powered-By" />
    <remove name="X-Frame-Options" />
    <remove name="X-XSS-Protection" />
    <remove name="X-Content-Type-Options" />
    <remove name="Cache-Control" />
    <remove name="Pragma" />
    <remove name="Expires" />
    <remove name="Content-Security-Policy"/>
    <clear />
    <add name="X-Frame-Options" value="DENY" />
    <add name="X-XSS-Protection" value="1; mode=block"/>
    <add name="X-Content-Type-Options" value="nosniff" />
    <add name="Cache-Control" value="no-cache, no-store" />
    <add name="Pragma" value="no-cache" />
    <add name="Expires" value="Sun, 1 Jan 2017 00:00:00 UTC" />
    <add name="Content-Security-Policy" value="default-src 'self' 'unsafe-inline' data; img-src https://*;"/>
  </customHeaders>
</httpProtocol>

solution3
 0  2020-10-01 00:26:57

Steps:
1. Disables input validation
2. Encodes all the input that is coming from the user
3. Finally we selectively replace, the encoded html with the HTML elements that we want to allow.

[HttpPost]
// Input validation is disabled, so the users can submit HTML
[ValidateInput(false)]
public ActionResult Create(Comment comment)
{
    StringBuilder sbComments = new StringBuilder();
    
    // Encode the text that is coming from comments textbox
    sbComments.Append(HttpUtility.HtmlEncode(comment.Comments));
    
    // Only decode bold and underline tags
    sbComments.Replace("&lt;b&gt;", "<b>");
    sbComments.Replace("&lt;/b&gt;", "</b>");
    sbComments.Replace("&lt;u&gt;", "<u>");
    sbComments.Replace("&lt;/u&gt;", "</u>");
    comment.Comments = sbComments.ToString();

    // HTML encode the text that is coming from name textbox
    string strEncodedName = HttpUtility.HtmlEncode(comment.Name);
    comment.Name = strEncodedName;

    if (ModelState.IsValid)
    {
        db.Comments.AddObject(comment);
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    return View(comment);
}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How to protect against XSS in ASP.NET Core? How to protect against CSRF by default in ASP.NET MVC 4? How can protect the Asp.Net MVC 5 in the Edit action route from throwing unhandled exception? Asp.Net MVC ActionFilter to validate query params for xss ASP.Net MVC App Stored XSS vulnerability reported by Checkmarx How to read API secured with username and password in ASP.NET Core MVC How to protect ASP.NET Web API 2 Protect certain folders in wwwroot with authetication in asp.net core mvc Protect Urls's in Asp.net mvc 3 application How to protect slash in asp.net mvc and avoid “Failed to map the path” error?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM