[研究][ASP.NET][WebForm][C#]網址防 Fortify SCA 報告跨站腳本攻擊(Cross-Site Scripting, XSS)
2021-11-24
工具:Visual Studio 2022 + Micro Focus Fortify Static Code Analyzer 21.1.2
NuGet 安裝 HtmlSanitizer 套件
Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication16.Default" %>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<title></title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" /><br />
<asp:Label ID="Label1" runat="server" Text="Label"></asp:Label><br />
<br />
<asp:Button ID="Button2" runat="server" Text="Button" OnClick="Button2_Click" /><br />
<asp:Label ID="Label2" runat="server" Text="Label"></asp:Label><br />
<br />
<asp:Button ID="Button3" runat="server" Text="Button" OnClick="Button3_Click" /><br />
<asp:Label ID="Label3" runat="server" Text="Label"></asp:Label><br />
<br />
</div>
</form>
</body>
</html>
|
Default.aspx.cs
using Ganss.XSS; using System; using System.Web.Security.AntiXss; namespace WebApplication16 { public partial class Default : System.Web.UI.Page { protected void Page_Load(object sender, EventArgs e) { //Button1_Click(sender, e); //Button2_Click(sender, e); //Button3_Click(sender, e); } protected void Button1_Click(object sender, EventArgs e) { string url = "https://www.hinet.net/?sno=" + Request.QueryString["sno"]; Label1.Text = url; // 有 XSS 問題 ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('修改成功。\\n按【確定】轉往列表畫面。');" + "location.href='" + url + "';</script>"); // 有 XSS 問題 } protected void Button2_Click(object sender, EventArgs e) { string url = "https://www.hinet.net/?sno=" + Request.QueryString["sno"]; url = AntiXssEncoder.UrlEncode(url); Label2.Text = url; // https%3A%2F%2Fwww.hinet.net%2F%3Fsno%3D // 不能用了 // '/' 應用程式中發生伺服器錯誤。 // 具有潛在危險 Request.Path 的值已從用戶端(:) 偵測到。 ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('修改成功。\\n按【確定】轉往列表畫面。');" + "location.href='" + url + "';</script>"); } protected void Button3_Click(object sender, EventArgs e) { string url = "https://www.hinet.net/?sno=" + Request.QueryString["sno"]; url = MyAntiXssFilter(url); Label3.Text = url; // https://www.hinet.net/?sno= // 仍可以使用 ClientScript.RegisterStartupScript(GetType(), "message", "<script>alert('修改成功。\\n按【確定】轉往列表畫面。');" + "location.href='" + url + "';</script>"); } public static string MyAntiXssFilter(object inputObject) { string inputStr = ""; if (inputObject != null) { inputStr = inputObject.ToString(); } var sanitizer = new HtmlSanitizer(); sanitizer.AllowedAttributes.Add("class"); sanitizer.AllowedAttributes.Add("id"); var sanitized = sanitizer.Sanitize(inputStr); return sanitized; } } } |
********************************************************************************
2022-09-08 .fpr 報告預設 Quick View 模式改成 Security Auditor View,不會有 Cross-Site Scripting: Poor Validation 問題。
(完)
沒有留言:
張貼留言