Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
895 views
in Technique[技术] by (71.8m points)

.net - Is PagesSection.ValidateRequest enough to prevent XSS in asp.Net

In asp.net is the PagesSection.ValidateRequest method enough to prevent all XSS attacks or is there something more that needs to be done?

Can anyone point me to a more thorough resource on this topic specifically for asp.net as Google mainly returns MSDN articles and I'd like to verify that we're doing enough.

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Answer

0 votes
by (71.8m points)

Here is one example: HttpRequestValidationException and cross-site scripting XSS

The request validation simply tries to stop requests containing a very small set of bad letters. And this is not enough to stop XSS, as there are several examples of XSS that falls outside that set of letters. One such example is jumping out of an existing html attribute and into a new one:

<input type="text" value="BAD_DATA">

If the BAD_DATA is " autofocus onfocus="alert(1) this becomes

<input type="text" value="" autofocus onfocus="alert(1)">

which will popup the alert box.

So while request validation will stop simple XSS attacks, it will not stop all. I have also seen the need to switch it off on login forms, as it will reject users having a < in their password.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...