EC Council CASE.NET_Common Application-Level Attacks_lab2.XSS攻擊與防範

 










可能在導覽至contact輸入欄位後下js語法
進行一些資訊竊取等等
<script>alert('XSS');</script>


含有漏洞的程式


 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Labs.M1Lab2
{
    public partial class Index : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (Request.QueryString["Username"] != null)
                Lblgreeting.Text = "Thank you " + Request.QueryString["Username"].ToString() + " for Contacting Us.";


        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            Response.Redirect("Index.aspx?Username=" + txtName.Text);
        }
    }
}



修正後

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Labs.M1Lab2
{
    public partial class Index : System.Web.UI.Page
    {
        protected void Page_Load(object sender, EventArgs e)
        {
            if (Request.QueryString["Username"] != null)
                Lblgreeting.Text = "Thank you " + Request.QueryString["Username"].ToString() + " for Contacting Us.";


        }

        protected void Button1_Click(object sender, EventArgs e)
        {
            Response.Redirect("Index.aspx?Username=" + Server.HtmlEncode(txtName.Text));
        }
    }
}









留言

這個網誌中的熱門文章

何謂淨重(Net Weight)、皮重(Tare Weight)與毛重(Gross Weight)

Architecture(架構) 和 Framework(框架) 有何不同?_軟體設計前的事前規劃的藍圖概念

經得起原始碼資安弱點掃描的程式設計習慣培養(五)_Missing HSTS Header