Classic ASP: preventing XSS attacks via the Referer header

Tags: asp-classic, header, http-headers, xss

I am currently trying to lock down some legacy areas of the code.

Acunetix reports:

HTTP header input Referer has been set to
http://www.google.com/search?hl=en&q=testing“()&%w4wD(9628)

HTTP request

GET /get/activity HTTP/1.1
Referer: http://www.google.com/search?hl=en&q=testing'"()&%<acx><ScRiPt >w4wD(9628)</ScRiPt>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.21 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.21
Client-IP: 127.0.0.1
X-Forwarded-For: 127.0.0.1
X-Forwarded-Host: localhost
Accept-Language: en
Via: 1.1 wa.www.test.com
Origin: http://www.test.com/
Cookie: login%5Fcsrf=78FB0E23%2D2AF0%2D4D93%2D80F4%2DA4167982CAFD; ASPSESSIONIDQETDADBA=MBDPBIFBEHIJLCHMLDEDMNMA; UID=19B75396%2DF73B%2D4ED1%2D811F%2DFC3521BD9A66; linkedin%5Ftoken%5Fexpires=3%2F24%2F2015+3%3A03%3A43+PM; facebook%5Ftoken%5Fexpires=3%2F24%2F2015+3%3A03%3A43+PM; addevent_track_cookie=331dac94-8056-4853-6db4-d32779751626; CTK=1aei06d81bqp7fo4; ctkgen=1; JSESSIONID=DF0E35299D9A599B9B0FD9DAD011EF5E.jasxA_sjc-job20; BIGipServerjob_sjc=!0DQ3jSiLSSml/YlyPyTRGq9gi+rS3RzqpnSdGp+a4H86AStK8uZDXAHW1mcqwBzEsumzwo03rHdXGPY=; TS01d65e80=0139b1f9976b1c645e29362f9a324ea4394c66891bedf6b36ad06108f69b2908405c0edb721888a6b580f3edeeb5e573a8bbfbda4bd1cc23e2b69d6cc521b5abfb63ea49f961518bdc077c30ef41459aa792c942cf87918cf68dbe681a51068a117b375546; TS01c598d3=0139b1f9974322379e22f1fe5fab0db4a57096201eed85463ee289670f78e8c4a2d79535beb14d5b117120b5303b71298697559647a203ebc955633196690dbc6e72e0887b; RF="HvVEPZ1apChPBHfT6ywcEvzxuORi22TF2TITLDoQJ6BzIuMxqjLlugZ07BmLw45FGmf4cAjw1_8SlVMGKF-s1g=="; INDEED_CSRF_TOKEN=kC3qOut72kVW3yfdd6fEn3sQrnmzv1n6
Host: dev.qweqwe.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
Accept: */*

How can I defend against this attack through the Referer header?

Given the context of the question: every cross-site scripting vulnerability is unique, so the best defense against XSS is a tailored combination of these two:

  • Input validation: never implicitly trust input that comes from an external source
  • HTML encoding: replace special HTML characters with alternative symbols that the browser will not misinterpret as HTML

There are plenty of resources with more information, but I found the following helpful:
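The two measures above applied to the Referer header in Classic ASP, as an added example that is not part of the original answer or the asker's code: the function name `SafeReferer`, the regular expression and the host allow-list are assumptions, and the host names in the allow-list are placeholders taken from the question's request.

```asp
<%
' Added example (not from the question or the answer). Names and the allow-list
' are assumptions; adjust them to the hosts your site actually expects.
Option Explicit

' 1. Input validation: accept the Referer only if it is a plain http(s) URL,
'    on a host we expect, built from characters a URL may legitimately contain.
'    The scanner payload (quotes, <, >, spaces) fails the pattern and is dropped.
Function SafeReferer()
    Dim ref, re, host, allowed, i
    SafeReferer = ""
    ref = Request.ServerVariables("HTTP_REFERER")
    If Len(ref) = 0 Or Len(ref) > 2048 Then Exit Function

    ' Hypothetical allow-list of referring hosts (placeholders from the question).
    allowed = Array("www.test.com", "dev.qweqwe.com")

    Set re = New RegExp
    ' scheme :// host [:port] [/ path made of RFC 3986 unreserved, sub-delims and %-escapes]
    re.Pattern = "^https?://([A-Za-z0-9.-]+)(:[0-9]+)?(/[A-Za-z0-9._~%!$&'()*+,;=:@/?-]*)?$"
    re.IgnoreCase = True
    If Not re.Test(ref) Then
        Set re = Nothing
        Exit Function
    End If
    host = LCase(re.Execute(ref)(0).SubMatches(0))
    Set re = Nothing

    For i = 0 To UBound(allowed)
        If host = allowed(i) Then
            SafeReferer = ref
            Exit Function
        End If
    Next
End Function

' 2. Output encoding: whenever a header value is written into HTML, encode it
'    so that < > " and & become entities instead of markup.
Dim referer
referer = SafeReferer()

' Vulnerable pattern this replaces (do not use):
'   Response.Write Request.ServerVariables("HTTP_REFERER")
If Len(referer) > 0 Then
    Response.Write "<p>You came from: " & Server.HTMLEncode(referer) & "</p>"
Else
    Response.Write "<p>You came from an unrecognised or missing referrer.</p>"
End If
%>
```

Two points worth keeping in mind when reusing this: `Server.HTMLEncode` covers text content and double-quoted attributes but does not encode the single quote, so a header value must never be placed inside a single-quoted attribute or an inline script block; and the validation step is worth doing even on pages that only log the Referer, because a value accepted into a log or a database will eventually be rendered somewhere.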


    Comment: You are throwing a 500 error. That already mitigates it (assuming you do not echo the URL as part of the error HTML document).
    Reply from the asker: Yes, that is what I thought; the URL is not echoed anywhere... :\
    HTTP/1.1 500 Internal Server Error
    Cache-Control: private
    Content-Length: 2019
    Content-Type: text/html; Charset=utf-8
    Server: Microsoft-IIS/8.0
    X-Powered-By: ASP.NET
    Date: Wed, 23 Mar 2016 20:02:13 GMT