当前位置:七道奇文章资讯安全技术网络技术
日期:2011-07-01 21:39:00  来源:本站整理

利用antixss防备xss[网络技术]

赞助商链接



  本文“利用antixss防备xss[网络技术]”是由七道奇为您精心收集,来源于网络转载,文章版权归文章作者所有,本站不对其观点以及内容做任何评价,请读者自行判断,以下是其具体内容:

AntiXSS,由微软推出的用于避免XSS攻击的一个类库,可实现输入白名单机制和输出转义
文章最后有antixx演示工程下载
 
antixss下载地址
http://www.microsoft.com/download/en/details.aspx?id=5242
 
msi安装程序,安装之后,安装目录下有以下文件
AntiXSS.chm   包含类库的操作手册参数阐明
HtmlSanitizationLibrary.dll    包含Sanitizer类(输入白名单)
AntiXSSLibrary.dll    包含Antixss,Encoder类(输出转义)
利用时在工程内增添引用HtmlSanitizationLibrary.dll 和AntiXSSLibrary.dll
导入命名空间using Microsoft.Security.Application;
 
1、输入白名单
调用Sanitizer.GetSafeHtmlFragment办法便可,url_c未过滤后的干净字串
 
            url = Request.QueryString["url"];
            url_c = Sanitizer.GetSafeHtmlFragment(url);
            Response.Write(url_c);
2、输出转义
 
            //HTML内容编码
            html_cont = Encoder.HtmlEncode(url);
            //html_cont = url;
 
            //HTML属性编码
            input1.Value = Encoder.HtmlAttributeEncode(url);
            //input1.Value = url;
 
            //对js举行编码
            url_c = Encoder.JavaScriptEncode(url);
            //url_c = url;
 
            //URL编码
            img1.Src = Encoder.UrlEncode(url);
            //img1.Src = url;
 
 
            XmlDocument xmlDoc;
            XmlNodeList nodeList;
 
            //XML属性编码
            isbn = Encoder.XmlAttributeEncode(Request.QueryString["isbn"]);
 
            if (isbn != null)
            {
                xmlDoc = new XmlDocument();
                xmlDoc.Load(Server.MapPath("db.xml"));
                nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
                foreach (XmlNode xn in nodeList)
                {
                    XmlElement xe = (XmlElement)xn;
                    if (xe.GetAttribute("genre") == "张三")
                    {
                        xe.SetAttribute("ISBN", isbn);
                    }
                }
                xmlDoc.Save(Server.MapPath("db.xml"));
            }
 
            //XML内容编码
            price = Encoder.XmlEncode(Request.QueryString["price"]);
            price = Request.QueryString["price"];
            if (price != null)
            {
                xmlDoc = new XmlDocument();
                xmlDoc.Load(Server.MapPath("db.xml"));
                nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
                foreach (XmlNode xn in nodeList)
                {
                    XmlElement xe = (XmlElement)xn;
                    if (xe.GetAttribute("genre") == "张三")
                    {
                        XmlNodeList nls = xe.ChildNodes;
                        foreach (XmlNode xn1 in nls)
                        {
                            XmlElement xe2 = (XmlElement)xn1;
                            if (xe2.Name == "price")
                            {
                                xe2.InnerText = price;
                            }
                        }
                    }
                }
                xmlDoc.Save(Server.MapPath("db.xml"));
            }
以下为表示层
 
<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
<form action="" id="form1" method="post">
<table border="1">
<tr>
    <td width="100">范例</td>
    <td width="300">POC clickme</td>
    <td width="500">result</td>
</tr>
<tr>
    <td>HTML内容</td>
    <td><a href="?url=%3Cscript%3Ealert('xss')%3C/script%3E" ><script>alert('xss')</script></a></td>
    <td><pre id="h1" runat="server" ><%=html_cont %></pre></td>
</tr>
<tr>
    <td>HTML属性</td>
    <td><a href="?url=%22%20src=%22javascript:alert('xss')%22" >" src="javascript:alert('xss')"</a></td>
    <td><input id="input1" runat="server"/></td>
</tr>
<tr>
    <td>js</td>
    <td><a href="?url=test';alert(1);'">test';alert(1);'</td>
    <td>
        <script type="text/javascript">
            var url = <%=url_c %>;
        </script>
    </td>
</tr>
<tr>
    <td>URL</td>
    <td><a href="?url=javascript:alert('xss')" >javascript:alert('xss')</a></td>
    <td><img id="img1" runat="server" alt="img1" /></td>
</tr>
<tr>
    <td>XML属性编码</td>
    <td><a href="?isbn=2-3631-4" >isbn=2-3631-4</a></td>
    <td><%=isbn %></td>
</tr>
<tr>
    <td>XML内容编码www.110hack.com</td>
    <td><a href="?price=90" >price=90</a></td>
    <td><%=price %></td>
</tr>
</table>
</form>
</asp:Content>

本文根源于:DoDo's Blog


  以上是“利用antixss防备xss[网络技术]”的内容,如果你对以上该文章内容感兴趣,你可以看看七道奇为您推荐以下文章:
  • 利用antixss防备xss
  • 本文地址: 与您的QQ/BBS好友分享!
    • 好的评价 如果您觉得此文章好,就请您
        0%(0)
    • 差的评价 如果您觉得此文章差,就请您
        0%(0)

    文章评论评论内容只代表网友观点,与本站立场无关!

       评论摘要(共 0 条,得分 0 分,平均 0 分) 查看完整评论
    Copyright © 2020-2022 www.xiamiku.com. All Rights Reserved .