Life is an RPG that cannot be saved, so all I can do is take as many screenshots as possible

May 11, 2007

Collected notes on XSS

Filed under: ASP.NET

Common technique:
JavaScript code is written into the page or into the address bar; once it is HEX-encoded it becomes much harder to spot.
What the JavaScript is used for:
Stealing the current user's cookie.
Using XMLHttpRequest() to make mischief against the web server.

How to check for XSS
At every input field, or in a GET URL parameter, enter: "><img src=1 onerror=javascript:alert(document.cookie)><" If a JS alert fires, there is probably a vulnerability.

Defence
Filter out invalid input.
Encode any user-submitted content that could execute in a browser before sending it back to the requester.
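The output-encoding defence described above, as an added example that is not part of the original post: it reflects the post's test probe through a page template, once unencoded, once through a naive script-tag blacklist, and once HTML-encoded, then checks which elements actually ended up in the page. The template, the function names and the second probe are assumptions.

```javascript
// Added example, not from the original post: output encoding as the XSS defence
// the post recommends, contrasted with a naive tag blacklist.

// Encode user-supplied text for an HTML body or quoted-attribute context so the
// browser renders it as literal characters instead of parsing it as markup.
function htmlEncode(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// A blacklist "filter" that only strips <script> tags. Event-handler payloads
// such as the post's <img onerror=...> probe pass through it untouched.
function naiveScriptFilter(input) {
  return String(input).replace(/<\/?script[^>]*>/gi, '');
}

// A page template (assumed) that reflects a query parameter into an attribute
// value and into the body; `encoder` is whatever the server applies first.
function renderSearchPage(query, encoder) {
  const out = encoder ? encoder(query) : query;
  return `<input name="q" value="${out}"><p>Results for: ${out}</p>`;
}

// Returns the element names found in the rendered HTML beyond those the
// template itself emits. Any extra name means user input was parsed as markup.
function injectedTags(html, expected = ['input', 'p']) {
  const found = new Set();
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)/gi)) found.add(m[1].toLowerCase());
  return [...found].filter((t) => !expected.includes(t));
}

// Constructed probes: the one the post suggests, plus a plain <script> payload.
const IMG_PROBE = '"><img src=1 onerror=javascript:alert(document.cookie)><"';
const SCRIPT_PROBE = '<script>alert(1)</script>';

// Only the encoded rendering keeps both probes out of the DOM; the blacklist
// catches the <script> probe but lets the onerror probe through.
function demo() {
  return {
    unencoded: injectedTags(renderSearchPage(IMG_PROBE, null)),          // ['img']
    blacklisted: injectedTags(renderSearchPage(IMG_PROBE, naiveScriptFilter)), // ['img']
    encoded: injectedTags(renderSearchPage(IMG_PROBE, htmlEncode)),      // []
  };
}
```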

The Cross Site Scripting (XSS) FAQ
http://www.cgisecurity.com/articles/xss-faq.shtml

How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn2.microsoft.com/en-us/library/ms998274.aspx

MS Anti-Cross Site Scripting Library V1.5
http://blog.joycode.com/saucer/archive/2006/11/21/87365.aspx
http://msdn2.microsoft.com/en-us/security/aa973814.aspx
