[Research][ASP.NET] Micro Focus Fortify Static Code Analyzer (SCA) reports Open Redirect on Response.Redirect
2021-07-07
Updated 2021-08-09
Software Security | Protect your Software at the Source | Fortify
https://vulncat.fortify.com/zh-tw/weakness?q=Open%20Redirect
The line Fortify SCA flagged:

Response.Redirect("/PN?PhoneNumber=" + HttpUtility.UrlEncode(PhoneNumber.Text));

Switching to Server.Transfer is the simplest way to stop Fortify SCA reporting it, because a Server.Transfer target cannot leave the application: it only accepts resources inside the same ASP.NET application (.aspx, .ashx and the like) and the browser's address bar never changes. Note that the flagged line itself cannot send a browser off-site either: the path "/PN" is fixed and the user's value is URL-encoded into the query string. Fortify reports it because a value from a form control flows into Response.Redirect at all, not because this particular call is exploitable.

// Redirects the user and could be tampered with to point outside the site; use Server.Transfer for the transfer instead.
Server.Transfer("/PN?PhoneNumber=" + HttpUtility.UrlEncode(PhoneNumber.Text));
Redirects to literal targets such as these carry no tainted data and are not reported:

Response.Redirect("~/Default2.aspx");
Response.Redirect("~/Default.aspx?reUrl=https://localhost/Default3.aspx");
Response.Redirect("~/Default.aspx?reUrl=/Default3.aspx");
Response.Redirect("~/Default.aspx?reUrl=https://www.hinet.net/Default3.aspx");
string newUrl = "~/Default.aspx?reUrl=/Default3.aspx";
Response.Redirect(newUrl);

In actual testing the following is reported (ViewState counts as a request-derived source):

var reUrl = ViewState["BUrl"] == null ? "index.aspx" : ViewState["BUrl"].ToString();
Response.Redirect(reUrl);
In actual testing the following does not pass either:

var reUrl = Request.Url.ToString();
if (requestExtension.IsLocalUrl(reUrl))   // requestExtension is a helper that is not defined on this page
{
    // HtmlEncode is the wrong encoder for a query-string value (UrlEncode is the right one),
    // but that does not change Fortify's verdict: the value still originates from the request
    Response.Redirect("signup.aspx?ReUrl=" + HttpUtility.HtmlEncode(reUrl));
}

In actual testing the following does not pass either:

protected void Button6_Click(object sender, EventArgs e)
{
    string reUrl = Request.QueryString["reUrl"];
    if (!String.IsNullOrEmpty(reUrl) && IsLocalURL(reUrl))
    {
        Response.Redirect(reUrl);
    }
    else
    {
        Response.Redirect("~/");
    }
}

protected bool IsLocalURL(string _url)
{
    bool flag = false;
    try
    {
        // new Uri(...) throws on relative paths such as "/Default3.aspx", so every
        // relative reUrl ends up in the catch block and falls back to "~/"
        var url = new Uri(_url);
        var ctx = HttpContext.Current;
        // compares host and port only; the scheme is not checked
        if (url.Host.Equals(ctx.Request.Url.Host) && url.Port.Equals(ctx.Request.Url.Port))
            flag = true;
    }
    catch { }
    return flag;
}

"Does not pass" above means it cannot get past Fortify SCA, not that the code is exploitable: Fortify does not recognise a hand-written validator such as IsLocalURL as a sanitizer, so any flow from a request-derived value into Response.Redirect is reported regardless of the check in front of it.
********************************************************************************
The pattern recommended on the Fortify page linked above:

String redirect = Request["dest"];
Int32 strDest = System.Convert.ToInt32(redirect);
if ((strDest >= 0) && (strDest <= strURLArray.Length - 1))
{
    strFinalURL = strURLArray[strDest];
    pageContext.forward(strFinalURL);   // pageContext.forward is a JSP API; in ASP.NET this would be Response.Redirect(strFinalURL)
}

In other words, build a redirect allow-list and use an integer parameter from the URL as an index into it to decide the destination. The request string itself never reaches Response.Redirect, only the allow-listed value does. The drawback is that a large allow-list becomes tedious to maintain.
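As an added example (not code from this post or from Fortify), here is how I would put the two ideas together in C# for a WebForms page: an allow-list keyed by a short name, which is the shape of Fortify's recommendation with a name instead of an integer index so a large list stays readable, plus a strict local-URL check for returnUrl-style parameters that does not have the weakness of the `new Uri(_url)` version above (which throws on relative paths). The page names in the list are hypothetical. Only the allow-list branch keeps Fortify quiet: as the tests above show, Fortify does not credit a hand-written validator, so a Redirect fed from `returnUrl` will still be reported even though the check itself is sound.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example, not the blog's code: every string that reaches
// Response.Redirect is either an allow-list value or a path that passed a
// strict local-URL check. The page names in the allow-list are hypothetical.
public static class RedirectPolicy
{
    // Allow-list keyed by a short name that travels in the URL (?dest=profile).
    // Only the values are ever handed to Response.Redirect.
    private static readonly IReadOnlyDictionary<string, string> Destinations =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["home"]    = "~/Default.aspx",
            ["profile"] = "~/Account/Profile.aspx",
            ["signup"]  = "~/signup.aspx",
        };

    // Map a request-supplied key to an allow-listed target; unknown keys get the fallback.
    // Same idea as Fortify's integer index into a fixed array, with a name as the key.
    public static string FromAllowList(string key, string fallback = "~/")
    {
        if (!string.IsNullOrEmpty(key) && Destinations.TryGetValue(key, out var target))
            return target;
        return fallback;
    }

    // Strict local-URL check for returnUrl-style parameters. Accepts "/x" and "~/x";
    // rejects "//host" and "/\host" (browsers treat both as protocol-relative), anything
    // with a scheme ("http:", "javascript:") or without a leading slash, and any control
    // or whitespace character (browsers strip \t \r \n, so "/\t/evil" would become "//evil").
    // Follows the rules of System.Web.Mvc's UrlHelper.IsLocalUrl, rewritten here so it
    // can be used from WebForms without an MVC reference.
    public static bool IsLocalUrl(string url)
    {
        if (string.IsNullOrEmpty(url)) return false;
        if (url.Any(c => char.IsControl(c) || char.IsWhiteSpace(c))) return false;

        if (url[0] == '/')
            return url.Length == 1 || (url[1] != '/' && url[1] != '\\');

        if (url[0] == '~' && url.Length > 1 && url[1] == '/')
            return url.Length == 2 || (url[2] != '/' && url[2] != '\\');

        return false;
    }

    // Choose the redirect target for a request: named destination first, then a
    // validated local returnUrl, else the fallback. From a page:
    //   Response.Redirect(RedirectPolicy.Choose(Request["dest"], Request["reUrl"]));
    // Use only the "dest" parameter (and FromAllowList) if the code must also be
    // clean in Fortify SCA, since the returnUrl branch is still a request-to-sink flow.
    public static string Choose(string dest, string returnUrl, string fallback = "~/")
    {
        if (!string.IsNullOrEmpty(dest))
            return FromAllowList(dest, fallback);

        if (!string.IsNullOrEmpty(returnUrl) && IsLocalUrl(returnUrl))
            return returnUrl;

        return fallback;
    }
}
```

The lookup is case-insensitive on purpose, so "Profile" and "profile" resolve to the same entry, and an unknown key never echoes the request value back into the redirect; it simply lands on the fallback.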
Setting Web.config to forbid redirects to external URLs

ASP.NET appSettings Element
https://docs.microsoft.com/en-us/previous-versions/aspnet/hh975440(v=vs.120)

<configuration>
  <appSettings>
    <add key="aspnet:AllowRelaxedRelativeUrl" value="false" />
  </appSettings>
</configuration>

Fortify SCA does not seem to recognise this approach, though. That is to be expected: a runtime setting does not change the source-to-sink data flow that the static analyser reports.
********************************************************************************
2021-11-24 addition

Special case: if the parameter is numeric, Int32.TryParse or Int64.TryParse solves it, because the only thing that reaches Response.Redirect is the re-serialised integer, never the request string. Check the TryParse result as well, otherwise a non-numeric value silently becomes 0.

// Fortify SCA : Critical : Open Redirect
// Don't use Server.Transfer: it loads the new page without changing the URL, which makes debugging hard
//Response.Redirect("ABCD.aspx?sno=" + Request["sno"].ToString());
// Changed to the following
string sno = Request["sno"];              // already a string; .ToString() on a missing parameter would throw
if (!Int32.TryParse(sno, out int snoInt))
{
    Response.Redirect("~/");             // not an integer: fall back instead of silently redirecting to sno=0
    return;
}
Response.Redirect("ABCD.aspx?sno=" + snoInt.ToString());

Actually tested: Fortify SCA 21.1.2 no longer considers this an Open Redirect problem.
********************************************************************************
2024-02-26 addition

string url = "~/ABCD.aspx?id=" + sno.ToString();
url = Common.MyAntiXssFilter(url);
Response.Redirect(url);

Tested: the redirect works normally. Keep in mind that HtmlSanitizer strips HTML markup; it does not validate redirect destinations, so what keeps this redirect safe is the hard-coded "~/ABCD.aspx" path together with the integer id, not the filter.

// XSS handling
#region == public static string MyAntiXssFilter(object inputObject) ==
public static string MyAntiXssFilter(object inputObject)
{
    // Install the HtmlSanitizer NuGet package
    // and add: using Ganss.Xss;
    string inputStr = "";
    if (inputObject != null)
    {
        inputStr = inputObject.ToString();
    }
    var sanitizer = new HtmlSanitizer();
    sanitizer.AllowedAttributes.Add("class");
    sanitizer.AllowedAttributes.Add("id");
    sanitizer.AllowedSchemes.Add("mailto"); // allow <a href="mailto:", used by announcements
    //sanitizer.AllowedAttributes.Add("&"); // no effect; when a URL is processed, & becomes &amp;
    var sanitized = sanitizer.Sanitize(inputStr);
    sanitized = sanitized.Replace("&amp;", "&"); // undo the entity encoding so query strings stay intact
    return sanitized;
}
#endregion
********************************************************************************
Related
[Research][ASP.NET] Fortify Static Code Analyzer (SCA) reports Open Redirect
https://shaurong.blogspot.com/2021/07/aspnetfortify-sca-open-redirect.html
[Research][ASP.NET] Fortify SCA reports Password Management: Empty Password and Hardcoded Password
http://shaurong.blogspot.com/2021/07/aspnetfortify-sca-password-management.html
[Research][ASP.NET] Fortify Static Code Analyzer (SCA) reports that data read from the database and shown directly in a Label may be Cross-Site Scripting: Persistent (XSS)
https://shaurong.blogspot.com/2021/07/aspnetfortify-static-code-analyzer-sca.html
[Research] Microsoft Anti-XSS Library V4.3 (Anti-Cross Site Scripting Library) and AntiXssEncoder.HtmlEncode
http://shaurong.blogspot.com/2017/06/microsoft-anti-xss-library-v43-anti.html
[Research] Microsoft Anti-XSS Library V4.3 (Anti-Cross Site Scripting Library)
https://shaurong.blogspot.com/2017/06/microsoft-anti-xss-library-v43-anti.html
AntiXssEncoder.HtmlEncode Method (System.Web.Security.AntiXss) | Microsoft Docs
https://docs.microsoft.com/zh-tw/dotnet/api/system.web.security.antixss.antixssencoder.htmlencode?view=netframework-4.8
[Research][ASP.NET] Still flagged by Fortify SCA v17.20 after using AntiXssEncoder.HtmlEncoder
https://shaurong.blogspot.com/2018/04/aspnet-antixssencoderhtmlencoder.html
[Research][ASP.NET] Fixing Cross-site scripting (XSS) (Reflected XSS) on DropDownList1
https://shaurong.blogspot.com/2017/09/aspnet-dropdownlist1-cross-site.html
[Research][ASP.NET] Cross-Site Scripting (XSS) prevention with allow-list input validation
https://shaurong.blogspot.com/2019/06/aspnet-cross-site-scriptingxss.html
[Research] X-XSS Protection
https://shaurong.blogspot.com/2017/06/x-xss-protection.html
[Research][ASP.NET][C#] Fix for Fortify SCA reporting Cross-Site Scripting: Persistent on Eval()
https://shaurong.blogspot.com/2020/10/aspnetcfortify-sca-eval-cross-site.html
[Research] Fortify SCA 19.10 and jquery-3.3.1-vsdoc.js, line 812 (Dynamic Code Evaluation Code Injection)
https://shaurong.blogspot.com/2019/07/fortify-sca-1910-jquery-331-vsdocjs.html
[Research] Fortify SCA reports Insecure Transport: Database on the connection settings in Web.Config
https://shaurong.blogspot.com/2018/12/fortify-sca-webconfig.html
[Research][ASP.NET] Fortify SCA v17.20 reports a Web.config (Insecure Transport: Database) Critical issue
https://shaurong.blogspot.com/2018/04/aspnet-fortify-sca-v1720-webconfig.html
[Research][JavaScript] CKeditor 4.9.1 and Fortify SCA v17.20
https://shaurong.blogspot.com/2018/04/javascript-ckeditor-491-fortify-sca.html
[Research][ASP.NET][JavaScript] hideShowPassword and Fortify SCA white-box testing
https://shaurong.blogspot.com/2018/04/aspnetjavascript-hideshowpassword.html