After the research published showing that .aspx routes are vulnerable to reflected XSS, what is the recommended alternative to using Page.ResolveUrl or Control.ResolveUrl? The linked article doesn't suggest any mitigations.
Summary of the linked research: for a request such as http://www.example.com/(S(lit3py55t21z5v55vlm25s55))/orderform.aspx, a call to ResolveUrl like

.ResolveUrl( "~/Images/logo.png" )

will inject content of the attacker's choice into your page output, eg /(S("onerror="alert`1`"))/Images/logo.png
I've posted one possible answer below but am looking for better ideas.
Note that ResolveClientUrl is not a direct replacement since it generates a relative Url, eg ../Images/logo.png, unlike ResolveUrl, which generates a root Url, eg /myapp/Images/logo.png
One approach is to use HttpRuntime.AppDomainAppVirtualPath instead of the special tilde syntax. So the example from above...

Instead of:

ResolveUrl( "~/Images/logo.png" )

We would have:

HttpRuntime.AppDomainAppVirtualPath.TrimEnd( '/' ) + "/Images/logo.png"

Slightly less concise but seems to accomplish the same thing without invoking the ancient "cookieless" route parsing.
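To make the approach in this answer reusable, here is an added helper (not from the question, the answers, or the linked research) that builds the root-relative URL from HttpRuntime.AppDomainAppVirtualPath; the core function takes the application virtual path as a parameter so it can be unit-tested outside IIS, and the class and method names are assumptions for illustration. It only covers the "~/..." form that the page discusses, and it handles the root-hosted case where AppDomainAppVirtualPath is "/".

```csharp
// Added example: a replacement for Control.ResolveUrl("~/...") that never
// touches the request path, so the cookieless session segment /(S(...))/
// cannot be reflected into the page output.
using System;
using System.Web;

public static class SafeUrl
{
    // Pure core: combine the application's virtual path with an app-relative
    // path. Both inputs are controlled by the application, not the request.
    public static string ToRootRelative(string appVirtualPath, string appRelativePath)
    {
        if (appRelativePath == null)
            throw new ArgumentNullException(nameof(appRelativePath));

        // Only the "~/" form is supported; anything else is rejected rather
        // than silently passed through.
        if (!appRelativePath.StartsWith("~/", StringComparison.Ordinal))
            throw new ArgumentException(
                "Expected an app-relative path starting with \"~/\".",
                nameof(appRelativePath));

        // AppDomainAppVirtualPath is "/" for a root-hosted site and "/myapp"
        // for a virtual directory; normalise both to "no trailing slash" so
        // the result is "/Images/logo.png" or "/myapp/Images/logo.png".
        string root = (appVirtualPath ?? "/").TrimEnd('/');
        return root + appRelativePath.Substring(1);
    }

    // Convenience wrapper for pages and controls, in place of ResolveUrl.
    public static string ResolveAppUrl(string appRelativePath)
    {
        return ToRootRelative(HttpRuntime.AppDomainAppVirtualPath, appRelativePath);
    }
}

// Expected results of the pure core (hypothetical inputs):
//   ToRootRelative("/",      "~/Images/logo.png") -> "/Images/logo.png"
//   ToRootRelative("/myapp", "~/Images/logo.png") -> "/myapp/Images/logo.png"
//   ToRootRelative("/myapp/","~/Images/logo.png") -> "/myapp/Images/logo.png"
```

In markup, emit the result through the encoding syntax, e.g. <img src="<%: SafeUrl.ResolveAppUrl("~/Images/logo.png") %>" />, so the attribute value is HTML-encoded as well.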
Use ResolveClientUrl instead of ResolveUrl. ResolveClientUrl will not allow XSS.