收藏 基于DOM的跨站点脚本攻击的防御,大家帮忙看下这个
0
悬赏园豆:30
[已关闭问题]
关闭于 2012-11-20 15:33
Details
URL encoded POST input NewTop1%24hidLogoUrl was set to " onmouseover=prompt(935845) bad="
The input is reflected inside a tag parameter between double quotes.
Request headers
POST /actionfornewcustomers.aspx HTTP/1.1
Content-Length: 560
Content-Type: application/x-www-form-urlencoded
(line truncated)
...2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2f2010-11-17%2fC477585_ListPic20101117100
952.jpg%2chttp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2fc460266_ListPic.jpg%2cht
tp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2f2010-02-03%2fC787190_ListPic10020304
1825.jpg%2chttp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2fc659323_ListPic.jpg&Gds
Url=%2fNvZhuang%2fChenShan%2fC477585%2f%2c%2fNvZhuang%2fZhenZhiShan%2fC460266%2f%2c%2fNv
Zhuang%2fTXu%2fC787190%2f%2c%2fNvZhuang%2fChenShan%2fC659323%2f
Host: www.f508.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
主要看看Details下边的错误指的是什么意思,是post过去的数据可能被脚本攻击但是post过去的是写在隐藏域里边的:<!--LOGO连接-->
<input type="hidden" id="hidLogoUrl" runat="server" value="http://www.sdfd.com"/>
下边是LOGO显示的代码:
<li class="hp_logo"><a href="<%=strLogoUrl %>" title="<%= strLogoName %>">
<img src='<%=strLogoPath %>' alt="<%= strLogoName %>" /></a></li>
后台cs文件会对上述那个隐藏域做操作,是显示value里边的链接还是显示从数据库里边读的
现在我对此隐藏域进行了“过滤xss攻击脚本 ”,但是还会报出这个错误,有可能是从数据库里边读到的链接会造成xss攻击脚本?
URL encoded POST input NewTop1%24hidLogoUrl was set to " onmouseover=prompt(935845) bad="
The input is reflected inside a tag parameter between double quotes.
Request headers
POST /actionfornewcustomers.aspx HTTP/1.1
Content-Length: 560
Content-Type: application/x-www-form-urlencoded
(line truncated)
...2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2f2010-11-17%2fC477585_ListPic20101117100
952.jpg%2chttp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2fc460266_ListPic.jpg%2cht
tp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2f2010-02-03%2fC787190_ListPic10020304
1825.jpg%2chttp%3a%2f%2fimg.f508.com%2fGoods_Pic%2fGDS_Preview%2fc659323_ListPic.jpg&Gds
Url=%2fNvZhuang%2fChenShan%2fC477585%2f%2c%2fNvZhuang%2fZhenZhiShan%2fC460266%2f%2c%2fNv
Zhuang%2fTXu%2fC787190%2f%2c%2fNvZhuang%2fChenShan%2fC659323%2f
Host: www.f508.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
主要看看Details下边的错误指的是什么意思,是post过去的数据可能被脚本攻击但是post过去的是写在隐藏域里边的:<!--LOGO连接-->
<input type="hidden" id="hidLogoUrl" runat="server" value="http://www.sdfd.com"/>
下边是LOGO显示的代码:
<li class="hp_logo"><a href="<%=strLogoUrl %>" title="<%= strLogoName %>">
<img src='<%=strLogoPath %>' alt="<%= strLogoName %>" /></a></li>
后台cs文件会对上述那个隐藏域做操作,是显示value里边的链接还是显示从数据库里边读的
现在我对此隐藏域进行了“过滤xss攻击脚本 ”,但是还会报出这个错误,有可能是从数据库里边读到的链接会造成xss攻击脚本?
所有回答(2)
0
文本框等默认已经启动检测了吧 如果输入类似<script>之类的标签都会不被执行吧,楼主给关了?
之前没启动吧,之前搜索框那没启动,我手动过滤的,但是这个我跟输入无关,这个只是显示网站的logo图,在不同的页面会显示不同的logo图和链接,默认是显示首页logo和首页地址的,跟输入框没关系的。
0
页面传值问题,加载页面时给隐藏域赋值,下边又用隐藏域里边的值给全局变量赋值,做了无用功,还可能引起xss攻击。
