by Lancer
27. September 2009 15:02
Applies To
- ASP.NET version 1.1
- ASP.NET version 2.0
Summary
This How To shows how you can help protect your ASP.NET applications from cross-site scripting attacks by using proper input validation techniques and by encoding the output. It also describes a number of other protection mechanisms that you can use in addition to these two main countermeasures.
Cross-site scripting (XSS) attacks exploit vulnerabilities in Web page validation by injecting client-side script code. Common vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting the data retrieved from a shared database. To protect your application against cross-site scripting attacks, assume that all input is malicious. Constrain and validate all input. Encode all output that could, potentially, include HTML characters. This includes data read from files and databases.
Contents
Objectives
Overview
Summary of Steps
Step 1. Check That ASP.NET Request Validation Is Enabled
Step 2. Review ASP.NET Code That Generates HTML Output
Step 3. Determine Whether HTML Output Includes Input Parameters
Step 4. Review Potentially Dangerous HTML Tags and Attributes
Step 5. Evaluate Countermeasures
Additional Considerations
Additional Resources
Objectives
- Understand the common cross-site scripting vulnerabilities in Web page validation.
- Apply countermeasures for cross-site scripting attacks.
- Constrain input by using regular expressions, type checks, and ASP.NET validator controls.
- Constrain output to ensure the browser does not execute HTML tags that contain script code.
- Review potentially dangerous HTML tags and attributes and evaluate countermeasures.
详细内容请阅读: http://msdn.microsoft.com/en-us/library/ms998274(classic).aspx
cb3d704e-296e-4c93-aa2f-534061fb51f7|0|.0
Tags: 软件安全, xss
软件安全
Subscribe