EC Council CASE.NET_Common Application-Level Attacks_lab2.XSS攻擊與防範
攻擊者可能在導覽至 contact 輸入欄位後輸入 JS 語法，
進行資訊竊取等攻擊。
<script>alert('XSS');</script>
含有漏洞的程式
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Labs.M1Lab2
{
    /// <summary>
    /// Vulnerable reference listing for the lab: the "Username" query-string value is
    /// reflected into the page without any output encoding (reflected XSS).
    /// </summary>
    public partial class Index : System.Web.UI.Page
    {
        /// <summary>
        /// Reads the "Username" query-string value and writes a greeting into Lblgreeting.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // Untrusted source: the raw query string, which is fully controlled by whoever
            // builds the URL, not only by the form on this page.
            if (Request.QueryString["Username"] != null)
                // Sink: the value is concatenated into Label.Text, which the Label control
                // writes to the response as raw markup, so script in the URL is executed
                // in the visitor's browser.
                Lblgreeting.Text = "Thank you " + Request.QueryString["Username"].ToString() + " for Contacting Us.";
        }

        /// <summary>
        /// Redirects back to this page with the entered name in the query string.
        /// </summary>
        /// <param name="sender">Button raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Button1_Click(object sender, EventArgs e)
        {
            // The text box value is placed into the URL unencoded; Page_Load then reflects it.
            Response.Redirect("Index.aspx?Username=" + txtName.Text);
        }
    }
}
修正後
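using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace Labs.M1Lab2
{
    /// <summary>
    /// Contact page code-behind. The greeting reflects the "Username" query-string value,
    /// so that value is HTML-encoded at the point where it is written into the page.
    /// </summary>
    public partial class Index : System.Web.UI.Page
    {
        /// <summary>
        /// Writes a greeting for the "Username" query-string value into Lblgreeting.
        /// Encoding is applied here, at the output sink: the query string can be reached
        /// directly by URL, not only through Button1_Click, so encoding only inside the
        /// redirect leaves this path unprotected.
        /// </summary>
        /// <param name="sender">Page raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Page_Load(object sender, EventArgs e)
        {
            // QueryString values are already strings (and URL-decoded), so no ToString() is needed.
            string username = Request.QueryString["Username"];
            if (username == null)
            {
                return;
            }

            // Label.Text is emitted as raw markup, so the untrusted value is HTML-encoded
            // right before it is placed there. Request validation (ValidateRequest) may be
            // disabled for this lab, so it must not be the only defence.
            Lblgreeting.Text = "Thank you " + Server.HtmlEncode(username) + " for Contacting Us.";
        }

        /// <summary>
        /// Redirects back to this page with the entered name as a query-string parameter.
        /// </summary>
        /// <param name="sender">Button raising the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void Button1_Click(object sender, EventArgs e)
        {
            // The value goes into a URL, so use the URL encoder. HtmlEncode is the wrong
            // encoder for this context: an "&" in its output breaks the query string, and
            // it does nothing for a crafted URL that bypasses this button. Page_Load
            // performs the HTML encoding when the value is rendered.
            Response.Redirect("Index.aspx?Username=" + Server.UrlEncode(txtName.Text));
        }
    }
}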