In web applications, the basic developer-side protections against XSS attacks are:
1. Validate and restrict user input.
2. Encode the output.
Below we introduce the Microsoft Anti-Cross Site Scripting Library.
1. About the Anti-Cross Site Scripting Library V1.5
The Microsoft Anti-Cross Site Scripting Library can be used to provide additional protection to ASP.NET Web-based applications against Cross-Site Scripting (XSS) attacks. This release of the library exposes the following methods:
Encoding Method | Description
HtmlEncode | Encodes input strings for use in HTML
HtmlAttributeEncode | Encodes input strings for use in HTML attributes
JavaScriptEncode | Encodes input strings for use in JavaScript
UrlEncode | Encodes input strings for use in Universal Resource Locators (URLs)
VisualBasicScriptEncode | Encodes input strings for use in Visual Basic Script
XmlEncode | Encodes input strings for use in XML
XmlAttributeEncode | Encodes input strings for use in XML attributes
Namespace: Microsoft.Security.Application
Assembly: AntiXss or AntiXSSLibrary (in AntiXssLibrary.dll)
For use with:
- .NET Framework: 1.1, 2.0
- Platforms: Windows 2003, Windows XP and Windows 2000
    // Public surface of the library (namespace as stated above: Microsoft.Security.Application)
    namespace Microsoft.Security.Application
    {
        public class AntiXss
        {
            public static string HtmlEncode(string s);
            public static string HtmlAttributeEncode(string s);
            public static string JavaScriptEncode(string s);
            public static string UrlEncode(string s);
            public static string VisualBasicScriptEncode(string s);
            public static string XmlEncode(string s);
            public static string XmlAttributeEncode(string s);
        }
    }
2. How to Use the Microsoft Anti-Cross Site Scripting Library V1.5
This section shows how developers can use the Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET Web-applications from XSS attacks in addition to other countermeasures such as input validation.
To properly use the Microsoft Anti-Cross Site Scripting Library to protect their ASP.NET Web-applications, developers need to:
- Step 1: Review ASP.NET code that generates output
- Step 2: Determine whether output includes un-trusted input parameters
- Step 3: Determine the context in which the un-trusted input is used as output
- Step 4: Encode output
Step 1: Review ASP.NET Code that Generates Output
XSS attacks depend on un-trusted input being embedded in output, so the code that generates output must be identified first. Some common vectors include calls to Response.Write and inline <%= ... %> expressions in ASP.NET pages.
Step 2: Determine if Output Could Contain Un-Trusted Input
Once the sections of code that generate output have been identified, they should be analysed to determine whether the output may contain un-trusted input, such as input from users or from some other un-trusted source. If the output does contain un-trusted input, then that un-trusted input will require encoding. Some common sources of un-trusted input include:
- Application variables
- Cookies
- Databases
- Form fields
- Query string variables
- Session variables
If it is uncertain whether the output may contain un-trusted input, it is best to err on the side of caution and encode the output anyway.
Step 3: Determine Encoding Method to Use
Determine the proper encoding method to use. This depends on the context in which the un-trusted input is being used. For example, if the un-trusted input will be used to set an HTML attribute, then the Microsoft.Security.Application.AntiXss.HtmlAttributeEncode method should be used to encode the un-trusted input.
    // Vulnerable code
    // Note that un-trusted input is being used as an HTML attribute
    Literal1.Text = "<hr noshade size=[un-trusted input here]>";

    // Modified code
    Literal1.Text = "<hr noshade size=" + Microsoft.Security.Application.AntiXss.HtmlAttributeEncode([un-trusted input here]) + ">";
Alternatively, if the un-trusted input will be used within the context of JavaScript, then Microsoft.Security.Application.AntiXss.JavaScriptEncode should be used to encode it.
Use the following table to help determine the appropriate encoding method to use to encode output that may contain un-trusted input.
Encoding Method | Should be Used if ... | Example / Pattern
HtmlEncode | Un-trusted input is used in HTML output, except when assigning to an HTML attribute. | <a href="http://www.contoso.com">Click Here [Un-trusted input]</a>
HtmlAttributeEncode | Un-trusted input is used as an HTML attribute | <hr noshade size=[Un-trusted input]>
JavaScriptEncode | Un-trusted input is used within a JavaScript context | <script type="text/javascript"> ... [Un-trusted input] ... </script>
UrlEncode | Un-trusted input is used in a URL (such as a value in a query string) | <a href="http://search.msn.com/results.aspx?q=[Un-trusted input]">Click Here!</a>
VisualBasicScriptEncode | Un-trusted input is used within a Visual Basic Script context | <script type="text/vbscript" language="vbscript"> ... [Un-trusted input] ... </script>
XmlEncode | Un-trusted input is used in XML output, except when assigning to an XML attribute. | <xml_tag>[Un-trusted input]</xml_tag>
XmlAttributeEncode | Un-trusted input is used as an XML attribute | <xml_tag attribute=[Un-trusted input]>Some Text</xml_tag>
A sample Web application that demonstrates how and when to use each of the above encoding methods can be found in the 'Samples' installation directory.
Step 4: Encode Output
Use the appropriate encoding method to encode output (see Step 3). Some important things to remember about encoding outputs:
- Outputs should be encoded once.
- Output encoding should be done as close to the actual writing of the output as possible. For example, if an application is reading user input, processing the input and then writing it back out in some form, then encoding should happen just before the output is written.
    // Incorrect sequence
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Read input
        String Input = TextBox1.Text;

        // Encode un-trusted input (too early: the processing below runs on encoded data)
        Input = Microsoft.Security.Application.AntiXss.HtmlEncode(Input);

        // Process input
        ...

        // Write output
        Response.Write("The input you gave was " + Input);
    }

    // Correct sequence
    protected void Button1_Click(object sender, EventArgs e)
    {
        // Read input
        String Input = TextBox1.Text;

        // Process input
        ...

        // Encode un-trusted input and write output
        Response.Write("The input you gave was " + Microsoft.Security.Application.AntiXss.HtmlEncode(Input));
    }
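Putting Steps 1 to 4 and the Step 3 table together, here is an added example (a hypothetical page, not code from the library's samples): one un-trusted query-string value is written into four output contexts, each with the matching encoder, applied once and only at the point of writing. It assumes, as the library describes, that JavaScriptEncode returns a single-quoted JavaScript string literal.

```csharp
using System;
using System.Web;
using System.Web.UI;
using Microsoft.Security.Application;

// Hypothetical search-results page. The raw value is kept raw while it is
// processed; each sink then applies exactly one encoder for its context.
public partial class SearchResults : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Step 2: the query string is an un-trusted source.
        string q = Request.QueryString["q"] ?? String.Empty;

        // Processing runs on the raw value, never on an encoded copy.
        string trimmed = q.Trim();

        // HTML body context -> HtmlEncode.
        Response.Write("<h1>Results for " + AntiXss.HtmlEncode(trimmed) + "</h1>");

        // HTML attribute context -> HtmlAttributeEncode. The attribute is
        // quoted so safety does not hinge on the encoder escaping whitespace.
        Response.Write("<input type=\"text\" name=\"q\" value=\""
            + AntiXss.HtmlAttributeEncode(trimmed) + "\" />");

        // URL context -> UrlEncode. Only the parameter value is encoded,
        // never the whole URL; the literal '&' in the attribute is written as &amp;.
        Response.Write("<a href=\"/search.aspx?q=" + AntiXss.UrlEncode(trimmed)
            + "&amp;page=2\">Next page</a>");

        // JavaScript context -> JavaScriptEncode. The encoder emits the
        // surrounding single quotes itself, so none are added here.
        Response.Write("<script type=\"text/javascript\">var lastQuery = "
            + AntiXss.JavaScriptEncode(trimmed) + ";</script>");
    }
}
```

Requesting the page with q set to a value such as <b>x or "onmouseover=" yields four harmless renderings, one per context; encoding the value once up front (as in the incorrect sequence above) would instead produce wrong output in at least three of them.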
3. Examples
A sample ASP.NET 2.0 Web application that demonstrates the proper use of each of the encoding methods exposed by the Microsoft Anti-Cross Site Scripting Library V1.5 can be found in the 'Samples' installation directory.
Example #1: Using HtmlEncode
The following code example HTML-encodes a string before sending it to a browser client. In this example, the HtmlEncode method of the Microsoft.Security.Application.AntiXss class is used to perform the encoding.
    <%@ Import Namespace="Microsoft.Security.Application" %>
    <html>
    <b> Hello, <%= AntiXss.HtmlEncode(Request.Form["UserName"]) %> </b>
    </html>
Example #2: Using HtmlAttributeEncode
The following code example encodes an HTML attribute before sending it to a browser client. In this example, the HtmlAttributeEncode method of the Microsoft.Security.Application.AntiXss class is used to perform the encoding.
    <%@ Import Namespace="Microsoft.Security.Application" %>
    <html>
    <img src="/users/user.gif" id=<%= AntiXss.HtmlAttributeEncode(Request.Form["ID"]) %> >
    </html>
Example #3: Using UrlEncode
The following code example URL-encodes a string before sending it to a browser client. In this example, the UrlEncode method of the Microsoft.Security.Application.AntiXss class is used to perform the encoding.
    using System;
    using System.Web;
    using System.IO;
    using Microsoft.Security.Application;

    ...
    String MyURL;
    MyURL = "http://www.contoso.com/articles.aspx?title=";

    // Read user-input
    String Title = TextBox1.Text; // <-- Un-trusted input!

    // Write out URL and encode potentially dangerous user-input!
    Response.Write("<A HREF=\"" + MyURL + AntiXss.UrlEncode(Title) + "\">ASP.NET Examples</A><br>");
    ...
Remember that UrlEncode should be used to encode only un-trusted values used within URLs, such as query string values. If the URL itself is the source of un-trusted input, then input validation with a regular expression should be used.
    using System.Text.RegularExpressions;

    ...
    // Allow-list pattern: scheme, host, optional port and an optional path/query
    String URL_REGEX = @"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:[0-9]*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\+=&%\$#_]*)?$";
    ...
    String SuspectURL = Text1.Text; // <-- Un-trusted input!
    ...
    // Validate the URL with the regular expression
    if (Regex.IsMatch(SuspectURL, URL_REGEX))
    {
        // This is a valid URL, so do something with it
    }
    else
    {
        // This is a potential attack! Play it safe and error out
    }
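As an added example (a hypothetical helper, not part of the library), the validation above can be wrapped so that the regular expression from the text is backed by the framework's own URL parser and an explicit scheme allow-list; a value that fails either check is never written to the page, and a value that passes is still attribute-encoded at the point of output.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Security.Application;

// Hypothetical helper: decides whether a whole URL typed by a user may be
// used as a link target. Validation (is this shape acceptable?) and output
// encoding (make it inert in HTML) are two separate steps.
public static class UrlValidator
{
    const string URL_REGEX =
        @"^(ht|f)tp(s?)\:\/\/[0-9a-zA-Z]([-.\w]*[0-9a-zA-Z])*(:[0-9]*)*(\/?)([a-zA-Z0-9\-\.\?\,\'\/\+=&%\$#_]*)?$";

    public static bool IsAcceptableUrl(string suspectUrl)
    {
        // Refuse empty and unreasonably long input before any parsing.
        if (String.IsNullOrEmpty(suspectUrl) || suspectUrl.Length > 2048)
            return false;

        // Allow-list check: anything outside the expected shape is rejected,
        // which excludes javascript:, data: and vbscript: pseudo-URLs outright.
        if (!Regex.IsMatch(suspectUrl, URL_REGEX))
            return false;

        // Second opinion from the framework parser, plus an explicit scheme list.
        Uri parsed;
        if (!Uri.TryCreate(suspectUrl, UriKind.Absolute, out parsed))
            return false;
        return parsed.Scheme == Uri.UriSchemeHttp
            || parsed.Scheme == Uri.UriSchemeHttps
            || parsed.Scheme == Uri.UriSchemeFtp;
    }

    // Usage from a code-behind (hypothetical page): the validated value is
    // still encoded for the attribute context when it is written.
    public static string LinkMarkup(string suspectUrl)
    {
        if (!IsAcceptableUrl(suspectUrl))
            return "<p>The URL you entered is not accepted.</p>";
        return "<a href=\"" + AntiXss.HtmlAttributeEncode(suspectUrl) + "\">link</a>";
    }
}
```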
Example #4: Using JavaScriptEncode
The following code example encodes a string used in a JavaScript context before sending it to a browser client. In this example, the JavaScriptEncode method of the Microsoft.Security.Application.AntiXss class is used to perform the encoding.
    <%@ Import Namespace="Microsoft.Security.Application" %>
    <script language="javascript">
    // JavaScriptEncode returns the value as a single-quoted JavaScript string
    // literal, so no extra quotes are placed around the expression
    var s = <%= AntiXss.JavaScriptEncode(Request.QueryString["UserString"]) %>;
    // Perform some action on s
    </script>
Example #5: Using VisualBasicScriptEncode
The following code example encodes a string used in a Visual Basic Script context before sending it to a browser client. In this example, the VisualBasicScriptEncode method of the Microsoft.Security.Application.AntiXss class is used to perform the encoding.
    <%@ Import Namespace="Microsoft.Security.Application" %>
    <script language="vbscript">
    ' VisualBasicScriptEncode returns the value as a double-quoted VBScript string
    ' literal, so no extra quotes are placed around the expression
    Dim s
    s = <%= AntiXss.VisualBasicScriptEncode(Request.QueryString["UserString"]) %>
    ' Perform some action on s
    </script>
For more details, see: http://msdn.microsoft.com/en-us/library/aa973813.aspx