Question

On my site, I want to allow users to add reference to images which are hosted anywhere on the internet. These images can then be seen by all users of my site. As far as I understand, this could open the risk of cross site scripting, as in the following scenario: User A adds a link to a gif which he hosts on his own webserver. This webserver is configured in such a way, that it returns javascript instead of the image. User B opens the page containg the image. Instead of seeing the image, javascript is executed.

My current security messures are currently such, that both on save and open, all content is encoded. I am using asp.net(c#) on the server and a lot of jquery on the client to build ui elements, including the generation of image tags.

这种对地雷的恐惧是否正确? 我在这里没有其他重要的安全漏洞? 最重要的是,我如何防止这次袭击? 我现在能想到的唯一安全方式是,在服务器上 image光图像,如果它包含除双元数据以外的任何东西,则进行检查。

Answer 1

检查档案确实是一种形象的胜利。当服务器提出要求时,攻击者可以回去一件事,如果潜在受害者提出同样的要求,则可以回去一件事。

说到,只要你将URL限制在只字标的斜体内印制,那么你就存在一个CSRF缺陷,但不是一个XSS。

Someone could for instance create an "image" URL along the lines of: http://yoursite.com/admin/?action=create_user&un=bob&pw=alice Or, more realistically but more annoyingly; http://yoursite.com/logout/

如果所有敏感行动(博客、编辑简介、设立员额、改变语言/主题)都受到震动,那么,像这一 would那样的攻击媒介给使用者带来任何好处。

但是,回到你的问题;除非有某些目前的浏览器,否则,我就认为你已经获得XSS。 Oh,记住他们的形象,URL并不包括奇迹。例如:><script>alert(1)</script><!--显然具有不良效果。我假定你知道会逃脱。

Answer 2

Your approach to security is incorrect. Don t approach the topic as "I have a user input, so how can I prevent XSS". Rather approach it like it this: "I have user input - it should be restrictive as possible - i.e. allowing nothing through". Then based on that allow only what s absolutely essential - plain-text strings thoroughly sanitized to prevent anything but a URL, and the specific, necessary characters for URLS only. Then Once it is sanitized I should only allow images. Testing for that is hard because it can be easily tricked. However, it should still be tested for. Then because you re using an input field you should make sure that everything from javascript scripts and escape characters, HTML, XML and SQL injections are all converted to plaintext and rendered harmless and useless. Consider your users as being both idiots and hackers - that they ll input everything incorrectly and try to hack something into your input space.

友情链接