不积跬步,无以至千里;不积小流,无以成江海

Our practice

不积跬步,无以至千里;不积小流,无以成江海

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::

      跨站点脚本攻击开发攻击在那些没有进行输入验证和输入编码的web应用程序中,并嵌入到输出数据当中.恶意的用户可以注入客户端的脚本到输出数据中,并导致正常的用户浏览页面时,脚本代码被执行。攻击脚本代码将来自于一个信任的站点并且可能绕过浏览器的安装设置。           那些攻击是平台和浏览器无关的,它将允许恶意的用户在平台上执行恶意的行为,比如在客户端给未获得授权的访问,像cookies或者劫持整个session.

     在web应用程序中,简单的开发人员保护XSS 攻击包括:
        1,验证和限制用户的输入
        2,encoding 输出的内容。

     下面,我们介绍Microsoft Anti-Cross Site Scripting Library

    

1             About the Anti-Cross Site Scripting Library V1.5

The Microsoft Anti-Cross Site Scripting Library can be used to provide additional protection to ASP.NET Web-based applications against Cross-Site Scripting (XSS) attacks. This release of the library exposes the following methods:

 

Encoding Method

Description

HtmlEncode

Encodes input strings for use in HTML

HtmlAttributeEncode

Encodes input strings for use in HTML attributes

JavaScriptEncode

Encodes input strings for use in JavaScript

UrlEncode

Encodes input strings for use in Universal Resource Locators (URLs)

VisualBasicScriptEncode

Encodes input strings for use in Visual Basic Script

XmlEncode

Encodes input strings for use in XML

XmlAttributeEncode

Encodes input strings for use in XML attributes

 

Namespace: Microsoft.Security.Application

Assembly: AntiXss or AntiXSSLibrary (in AntiXssLibrary.dll)

For use with:

¾  .NET Framework: 1.1, 2.0

¾  Platforms: Windows 2003, Windows XP and Windows 2000

 

 

namespace Microsoft.Application.Security

{

public class AntiXss {

 

public static string HtmlEncode(string s);

public static string HtmlAttributeEncode(string s);

public static string JavaScriptEncode(string s);

public static string UrlEncode(string s);

public static string VisualBasicScriptEncode(string s);

public static string XmlEncode(string s);

public static string XmlAttributeEncode(string s);

}

}

 

2,How to use the MS anti-scross Liraly v1.5.

This section shows how developers can use the Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET Web-applications from XSS attacks in addition to other countermeasures such as input validation.

 

To properly use the Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET Web-applications, developers need to:

 

¾  Step 1: Review ASP.NET code that generates output

¾  Step 2: Determine whether output includes un-trusted input parameters

¾  Step 3: Determine the context which the un-trusted input is used as output

¾  Step 4: Encode output

 

Step 1: Review ASP.NET Code that Generates Output

XSS attacks are dependent on the ability of un-trusted input to be embedded as output, and so code that generates output must first be identified.  Some common vectors include calls to Response.Write and ASP <% = calls.

 

Step 2: Determine if Output Could Contain Un-Trusted Input

Once the sections of code that generate output have been identified, they should be analysed to determined if the output may contain un-trusted input such as input from users or from some other un-trusted source.  If the output does contain un-trusted input then that un-trusted input will require encoding.  Some common sources of un-trusted input include:

 

¾  Application variables

¾  Cookies

¾  Databases

¾  Form fields

¾  Query string variables

¾  Session variables

 

If it is uncertain that the output may contain un-trusted input, then it is best to err on the side of caution and encode the output anyways.

 

Step 3: Determine Encoding Method to Use

Determine the proper encoding method to use.  This will be dependent on the context of how the un-trusted input is being used.  For example, if the un-trusted input will be used to set an HTML attribute, then the Microsoft.Security.Application.HtmlAttributeEncode method should be used to encode the un-trusted input.

 

 

 

// Vulnerable code

// Note that un-trusted input is being as an HTML attribute

Literal1.Text = “<hr noshade size=[un-trusted input here]>”;

 

// Modified code

Literal1.Text = “<hr noshade size=”+Microsoft.Security.Application.AntiXss.HtmlAttributeEncode([un-trusted input here])+”>”;

 

 

Alternatively, if the un-trusted input will be used within the context of JavaScript, then Microsoft.Security.Application.JavaScriptEncode should be used to encode.

 

Use the following table to help determine the appropriate encoding method to use to encode output that may contain un-trusted input.

 

Encoding Method

Should be Used if …

Example / Pattern

HtmlEncode

Un-trusted input is used in HTML output, except when assigning to an HTML attribute.

 

<a href=”http://www.contoso.com”>Click Here [Un-trusted input]</a>

HtmlAttributeEncode

Un-trusted input is used as an HTML attribute

 

<hr noshade size=[Un-trusted input]>

JavaScriptEncode

Un-trusted input is used within a JavaScript context

<script type=”text/javascript”>

[Un-trusted input]

</script>

 

UrlEncode

Un-trusted input is used in a URL (such as a value in a querystring)

<a href=”http://search.msn.com/results.aspx?q=[Un-trusted-input]”>Click Here!</a>

 

VisualBasicScriptEncode

Un-trusted input is used within a Visual Basic Script context

<script type=”text/vbscript” language=”vbscript”>

[Un-trusted input]

</script>

 

XmlEncode

Un-trusted input is used in XML output, except when assigning to a XML attribute.

<xml_tag>[Un-trusted input]</xml_tag>

XmlAttributeEncode

Un-trusted input is used as a XML attribute

<xml_tag attribute=[Un-trusted input]>Some Text</xml_tag>

 

 

A sample Web-application that demonstrations how and when to use each of the above encoding methods can be found in the ‘Samples’ installation directory.

 

Step 4: Encode Output

Use the appropriate encoding method to encode output (see Step 3).  Some important things to remember about encoding outputs:

 

¾  Outputs should be encoded once.

¾  Output encoding should be done as close to the actual writing of the output as possible.  For example, if an application is reading user input, processing the input and then writing it back out in some form, then encoding should happen just before the output is written.

 

 

// Incorrect sequence

protected void Button1_Click(object sender, EventArgs e)

{

// Read input

String Input = TextBox1.Text;

 

// Encode un-trusted input

Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input);

 

// Process input

...

 

// Write Output

Response.Write(“The input you gave was”+Input);

}

 

 

// Correct Sequence

protected void Button1_Click(object sender, EventArgs e)

{

// Read input

String Input = TextBox1.Text;

 

 

 

// Process input

...

 

// Encode un-trusted input and write output

Response.Write(“The input you gave was”+

Microsoft.Security.Application.AntiXss.HtmlEncode(Input));

}

 

3            Examples

A sample ASP.NET 2.0 Web-application that demonstrates the proper use of each of the encoding methods exposed by the Microsoft Anti-Cross Site Scripting Library V1.5 can be found in the ‘Samples’ installation directory.

 

Example #1: Using HtmlEncode

 

The following code example html-encodes a string before sending it to a browser client.  In this example, the HtmlEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<html>

<b>

Hello, <%= AntiXss.HtmlEncode(Request.Form[“UserName”]) %>

</b>

</html>

 

 

 

Example #2: Using HtmlAttributeEncode

 

The following code example encodes an html attribute before sending it to a browser client.  In this example, the HtmlAttributeEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<html>

 

<img src=”/users/user.gif” id=<%= AntiXss.HtmlAttributeEncode(Request.Form[“ID”]) %> >

 

</html>

 

 

 

Example #3: Using URLEncode

 

The following code example URL-encodes a string before sending it to a browser client.  In this example, the UrlEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding. 

 

 

using System;

using System.Web;

using System.IO;

using Microsoft.Security.Application;

 

...

String MyURL;

MyURL = "http://www.contoso.com/articles.aspx?title=";

 

// Read user-input

String Title = TextBox1.Text;  // <-- Un-trusted input!

 

// Write out URL and encode potentially dangerous user-input!

Response.Write( "<A HREF = " MyUrl + AntiXss.UrlEncode(Title) + 

"> ASP.NET Examples <br>" );

 

...

 

 

Remember that UrlEncode should be used to encode only un-trusted values used within URLs such as in query string values.  If the URL itself is the source of un-trusted input, then input validation with regular expressions should be used.

 

 

using System.Text.RegularExpressions;

 

...

String URL_REGEX = @"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&amp;%\$#_]*)?$";

 

...

String SuspectURL = Text1.Text;    // <-- Un-trusted input!

 

...

// Validate the URL with regular expressions

if (Regex.IsMatch(SuspectURL,URL_REGEX)) {

// This is a valid URL so doing something with it

}

else {

// This is a potential attack!  Play it safe and error-out

}

 

 

Example #4: Using JavaScriptEncode

 

The following code example encodes a string used in a JavaScript context before sending it to a browser client.  In this example, the JavaScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<script language=”javascript”>

 

String s = <% =AntiXss.JavaScriptEncode(Request.QueryString[“UserString”]) %>;

 

// Perform some action on s

 

</script>

 

 

Example #5: Using VisualBasicScriptEncode

 

The following code example encodes a string used in a Visual Basic Script context before sending it to a browser client.  In this example, the VisualBasicScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<script language=”vbscript”>

 

String s = <% =AntiXss.VisualBasicScriptEncode(Request.QueryString[“UserString”]) %>;

 

// Perform some action on s

 

</script>

 




In detail ,please link to :

1             Examples

A sample ASP.NET 2.0 Web-application that demonstrates the proper use of each of the encoding methods exposed by the Microsoft Anti-Cross Site Scripting Library V1.5 can be found in the ‘Samples’ installation directory.

 

Example #1: Using HtmlEncode

 

The following code example html-encodes a string before sending it to a browser client.  In this example, the HtmlEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<html>

<b>

Hello, <%= AntiXss.HtmlEncode(Request.Form[“UserName”]) %>

</b>

</html>

 

 

 

Example #2: Using HtmlAttributeEncode

 

The following code example encodes an html attribute before sending it to a browser client.  In this example, the HtmlAttributeEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<html>

 

<img src=”/users/user.gif” id=<%= AntiXss.HtmlAttributeEncode(Request.Form[“ID”]) %> >

 

</html>

 

 

 

Example #3: Using URLEncode

 

The following code example URL-encodes a string before sending it to a browser client.  In this example, the UrlEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding. 

 

 

using System;

using System.Web;

using System.IO;

using Microsoft.Security.Application;

 

...

String MyURL;

MyURL = "http://www.contoso.com/articles.aspx?title=";

 

// Read user-input

String Title = TextBox1.Text;  // <-- Un-trusted input!

 

// Write out URL and encode potentially dangerous user-input!

Response.Write( "<A HREF = " MyUrl + AntiXss.UrlEncode(Title) + 

"> ASP.NET Examples <br>" );

 

...

 

 

Remember that UrlEncode should be used to encode only un-trusted values used within URLs such as in query string values.  If the URL itself is the source of un-trusted input, then input validation with regular expressions should be used.

 

 

using System.Text.RegularExpressions;

 

...

String URL_REGEX = @"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:(0-9)*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\\\+=&amp;%\$#_]*)?$";

 

...

String SuspectURL = Text1.Text;    // <-- Un-trusted input!

 

...

// Validate the URL with regular expressions

if (Regex.IsMatch(SuspectURL,URL_REGEX)) {

// This is a valid URL so doing something with it

}

else {

// This is a potential attack!  Play it safe and error-out

}

 

 

Example #4: Using JavaScriptEncode

 

The following code example encodes a string used in a JavaScript context before sending it to a browser client.  In this example, the JavaScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<script language=”javascript”>

 

String s = <% =AntiXss.JavaScriptEncode(Request.QueryString[“UserString”]) %>;

 

// Perform some action on s

 

</script>

 

 

Example #5: Using VisualBasicScriptEncode

 

The following code example encodes a string used in a Visual Basic Script context before sending it to a browser client.  In this example, the VisualBasicScriptEncode method of the Microsoft.Security.Application.AntiXss class is being used to perform the encoding.

 

 

<script language=”vbscript”>

 

String s = <% =AntiXss.VisualBasicScriptEncode(Request.QueryString[“UserString”]) %>;

 

// Perform some action on s

 

</script>

 



更详细的信息请访问:http://msdn.microsoft.com/en-us/library/aa973813.aspx
posted on 2008-06-28 16:11  英怀  阅读(2352)  评论(0编辑  收藏  举报