How do you fight against all these ways? -Javascript and its million different ways you can write it
I just don't know what to think anymore. It seems like the people who made javascript went out of their way to allow it to be written a million different ways so hackers can have a field day.
I finally got my white list up by using html agility pack. It should remove
<scrpit></script>
As it is not in my white list plus any onclick,onmouse and etc.
However now it seems you can write javascript in the attribute tags.
<IMG SRC="javascript:alert('hi');">
and since I allow SRC attributes my white list can't help me on this. So I came up with the idea to go through all valid attributes at the end and look inside them.
So it would find all my allowed attributes for every html tag( so src,href and etc).
I then found the innertext and put it to lowercase. I then did a index check on this string for "javascript".
If an index was found I started at that index and removed every character from that index on. So in the above case the attribute would be left with Src="".
Now it seems that is not good enough since you can do something like
java script jav ascript
and probably a space开发者_如何学Go between every letter.
So I don't know how to stop it. If it was just a space between java and script then I could just write a simple regex that did not care how many spaces between. But if it is really that you can put a space or tab or whatever after each letter then I have no clue.
Then to top it off you can do all these other great ways too
<IMG SRC=javascript:alert('XSS')> // will work apparently
<IMG SRC=javascript:alert('XSS')> // will work apparently
<IMG SRC="jav ascript:alert('XSS');"> // will work apparently
<IMG SRC="jav	ascript:alert('XSS');">// will work apparently
<IMG SRC="jav
ascript:alert('XSS');"> // will work apparently
<IMG SRC="jav
ascript:alert('XSS');"> // will work apparently
http://ha.ckers.org/xss.html
I know this is for some cross scripting attack( I am not making an XSS asp.net mvc does a good job of this already) but I don't see why it can't be use for other things like like in all those examples it makes alerts so it could be used for something else.
So I have no clue how to check and remove any of these.
I am using C# but I don't know how to stop any of these and don't know of anything in C# that could help me out.
Seems you want to clean out javascript, and for that there is in fact a nice solution for you in C#/.Net.
Download Microsoft Web Protection Library from CodePlex.
If you run your html fragment thru Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment(html) then you will end up with this output:
<img src=""> // will work apparently
<img src=""> // will work apparently
<img src=""> // will work apparently
<img src="">// will work apparently
<img src=""> // will work apparently
<img src=""> // will work apparently
All script cleaned out.
make a page say redir
Now after form submission take all src attribute's value and replace it with
redir?src=theExactValueHere
now that redir program First downloads the value of GET parameter src (Which is eventually the actual src attribute's Value) from serverside and then Forward's the Content as it is including the exact same MIME/type
it can also do some Checking on the attribute's value and then Header Redirection too.
There are even more ways But I think This would be simplest and Reliable too.
加载中,请稍侯......
精彩评论