
Using AntiXSS to defend against XSS

2016-04-07 18:26
http://security.zdnet.com.cn/security_zone/2011/0713/2046720.shtml

AntiXSS is a class library released by Microsoft for preventing XSS attacks; it provides an input whitelist mechanism and output encoding (escaping).

A download of the AntiXSS demo project is at the end of the article.

AntiXSS download address

http://www.microsoft.com/download/en/details.aspx?id=5242

It is an MSI installer; after installation, the install directory contains the following files:

AntiXSS.chm: the class library's manual, with parameter descriptions

HtmlSanitizationLibrary.dll: contains the Sanitizer class (input whitelist)

AntiXSSLibrary.dll: contains the AntiXss and Encoder classes (output encoding)

To use it, add references to HtmlSanitizationLibrary.dll and AntiXSSLibrary.dll in your project

and import the namespace: using Microsoft.Security.Application;

1. Input whitelist

Just call the Sanitizer.GetSafeHtmlFragment method; url_c is the clean string after filtering.

// Read the untrusted value, keep only whitelisted HTML, then write the cleaned fragment out
url = Request.QueryString["url"];
url_c = Sanitizer.GetSafeHtmlFragment(url);
Response.Write(url_c);

2. Output encoding

using System.Xml; // for XmlDocument, XmlNodeList, XmlNode, XmlElement

// HTML content encoding
html_cont = Encoder.HtmlEncode(url);
//html_cont = url;  // unencoded version, kept commented out for comparison

// HTML attribute encoding
input1.Value = Encoder.HtmlAttributeEncode(url);
//input1.Value = url;

// JavaScript encoding (JavaScriptEncode wraps the result in quotes itself)
url_c = Encoder.JavaScriptEncode(url);
//url_c = url;

// URL encoding
img1.Src = Encoder.UrlEncode(url);
//img1.Src = url;

XmlDocument xmlDoc;
XmlNodeList nodeList;

// XML attribute encoding
isbn = Encoder.XmlAttributeEncode(Request.QueryString["isbn"]);
if (isbn != null)
{
    xmlDoc = new XmlDocument();
    xmlDoc.Load(Server.MapPath("db.xml"));
    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
    foreach (XmlNode xn in nodeList)
    {
        XmlElement xe = (XmlElement)xn;
        if (xe.GetAttribute("genre") == "张三")
        {
            xe.SetAttribute("ISBN", isbn);
        }
    }
    xmlDoc.Save(Server.MapPath("db.xml"));
}

// XML content encoding
price = Encoder.XmlEncode(Request.QueryString["price"]);
//price = Request.QueryString["price"];  // unencoded version; must stay commented out, otherwise it overwrites the encoded value
if (price != null)
{
    xmlDoc = new XmlDocument();
    xmlDoc.Load(Server.MapPath("db.xml"));
    nodeList = xmlDoc.SelectSingleNode("Employees").ChildNodes;
    foreach (XmlNode xn in nodeList)
    {
        XmlElement xe = (XmlElement)xn;
        if (xe.GetAttribute("genre") == "张三")
        {
            XmlNodeList nls = xe.ChildNodes;
            foreach (XmlNode xn1 in nls)
            {
                XmlElement xe2 = (XmlElement)xn1;
                if (xe2.Name == "price")
                {
                    xe2.InnerText = price;
                }
            }
        }
    }
    xmlDoc.Save(Server.MapPath("db.xml"));
}
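As an added example (not code from the article's demo project), the following helper selects the AntiXSS Encoder method by output context, the point the code above makes by re-encoding the same url value once per sink, and shows where the two XML encoders belong. It assumes AntiXSS 4.x (two-argument JavaScriptEncode); the ContextEncoding class, Sink enum, EncodeFor and BuildEmployeeXml names and the <Employee> element name are assumptions, and the inputs are constructed from the page's POC links.

```csharp
using System;
using System.Text;
using Microsoft.Security.Application;

// Added example: pick the AntiXSS encoder by output context (names here are assumptions).
public static class ContextEncoding
{
    public enum Sink { HtmlBody, HtmlAttribute, JavaScriptLiteral, UrlParameter, XmlText, XmlAttribute }

    // Encodes one untrusted value for exactly one sink; a value written into two
    // different sinks must be encoded separately for each of them.
    public static string EncodeFor(string untrusted, Sink sink)
    {
        if (untrusted == null) return string.Empty;
        switch (sink)
        {
            case Sink.HtmlBody:          return Encoder.HtmlEncode(untrusted);
            case Sink.HtmlAttribute:     return Encoder.HtmlAttributeEncode(untrusted);
            // emitQuotes = true wraps the result in single quotes, so the template
            // must not add its own: var url = <%= url_c %>;
            case Sink.JavaScriptLiteral: return Encoder.JavaScriptEncode(untrusted, true);
            case Sink.UrlParameter:      return Encoder.UrlEncode(untrusted);
            case Sink.XmlText:           return Encoder.XmlEncode(untrusted);
            case Sink.XmlAttribute:      return Encoder.XmlAttributeEncode(untrusted);
            default: throw new ArgumentOutOfRangeException("sink");
        }
    }

    // The XML encoders belong where XML is assembled as text. XmlDocument's
    // SetAttribute/InnerText escape by themselves, so pre-encoded input would be
    // written to db.xml double-encoded ("&" ends up as "&amp;amp;").
    // The <Employee> element name is assumed; the page only shows its parent node.
    public static string BuildEmployeeXml(string genre, string isbn, string price)
    {
        var sb = new StringBuilder();
        sb.Append("<Employee genre=\"").Append(EncodeFor(genre, Sink.XmlAttribute));
        sb.Append("\" ISBN=\"").Append(EncodeFor(isbn, Sink.XmlAttribute)).Append("\">");
        sb.Append("<price>").Append(EncodeFor(price, Sink.XmlText)).Append("</price>");
        return sb.Append("</Employee>").ToString();
    }

    // Constructed inputs taken from the article's POC links.
    public static void Main()
    {
        Console.WriteLine(EncodeFor("<script>alert('xss')</script>", Sink.HtmlBody));
        Console.WriteLine(EncodeFor("\" src=\"javascript:alert('xss')\"", Sink.HtmlAttribute));
        Console.WriteLine(EncodeFor("test';alert(1);'", Sink.JavaScriptLiteral));
        Console.WriteLine(EncodeFor("javascript:alert('xss')", Sink.UrlParameter));
        Console.WriteLine(BuildEmployeeXml("张三", "2-3631-4", "90"));
    }
}
```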

The presentation layer (page markup) follows:

<asp:Content ID="BodyContent" runat="server" ContentPlaceHolderID="MainContent">
    <form action="" id="form1" method="post">
        <table border="1">
            <tr>
                <td width="100">Type</td>
                <td width="300">POC clickme</td>
                <td width="500">result</td>
            </tr>
            <tr>
                <td>HTML content</td>
                <td><a href="?url=%3Cscript%3Ealert('xss')%3C/script%3E" ><script>alert('xss')</script></a></td>
                <td><pre id="h1" runat="server" ><%=html_cont %></pre></td>
            </tr>
            <tr>
                <td>HTML attribute</td>
                <td><a href="?url=%22%20src=%22javascript:alert('xss')%22" >" src="javascript:alert('xss')"</a></td>
                <td><input id="input1" runat="server"/></td>
            </tr>
            <tr>
                <td>js</td>
                <td><a href="?url=test';alert(1);'">test';alert(1);'</a></td>
                <td>
                    <script type="text/javascript">
                        var url = <%=url_c %>;
                    </script>
                </td>
            </tr>
            <tr>
                <td>URL</td>
                <td><a href="?url=javascript:alert('xss')" >javascript:alert('xss')</a></td>
                <td><img id="img1" runat="server" alt="img1" /></td>
            </tr>
            <tr>
                <td>XML attribute encoding</td>
                <td><a href="?isbn=2-3631-4" >isbn=2-3631-4</a></td>
                <td><%=isbn %></td>
            </tr>
            <tr>
                <td>XML content encoding</td>
                <td><a href="?price=90" >price=90</a></td>
                <td><%=price %></td>
            </tr>
        </table>
    </form>
</asp:Content>