.NET ez 2012-06-04
Attack code used for testing:
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
Running JavaScript from inside CSS is a trick that many developers do not know about, but it is also one of the XSS vectors attackers like best. This syntax has been removed from newer browsers; the browsers currently known to support it are IE 6.0, IE 7.0, Firefox 2.0, Opera 9.02...
Package download: Microsoft Anti-Cross Site Scripting Library or AntiXSSV31
※ Use version 3.1; version 4.0 does not include this function. Test example:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Security;
using Microsoft.Security.Application;

namespace AntiXSS_Test
{
    class Program
    {
        static void Main(string[] args)
        {
            // GetSafeHtml sanitizes the input and wraps it in a full HTML document
            string body = AntiXss.GetSafeHtml("<div onload=\"alert('xss');\"><script>alert('xss')</script></div>");
            Console.WriteLine(body);
            // Output:
            // <html>
            // <body>
            // <div></div>
            // </body>
            // </html>

            // GetSafeHtmlFragment sanitizes the input and returns only the fragment
            body = AntiXss.GetSafeHtmlFragment("<div onload=\"alert('xss');\"><script>alert('xss')</script></div>");
            Console.WriteLine(body);
            // Output:
            // <div></div>
        }
    }
}
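An added example (not code from the original post or from the AntiXSS library): a small regression check that runs the two payloads from this post through AntiXss.GetSafeHtmlFragment and fails the build if anything executable survives. The dangerous-pattern list is the author's own assumption for this check, not something the library exposes; it assumes the AntiXSS 3.1 assembly is referenced.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Security.Application;

namespace AntiXSS_Test
{
    class SanitizerCheck
    {
        // Constructed test inputs: the CSS payload and the div/script payload
        // shown in the post, plus one harmless fragment that must pass through.
        static readonly string[] Payloads =
        {
            "<STYLE type=\"text/css\">BODY{background:url(\"javascript:alert('XSS')\")}</STYLE>",
            "<div onload=\"alert('xss');\"><script>alert('xss')</script></div>",
            "<p>harmless <b>bold</b> text</p>"
        };

        // Assumption: this checklist is our own, matched case-insensitively.
        // Script/style tags, inline event handlers and javascript: URLs must
        // never appear in sanitized output.
        static readonly Regex Dangerous = new Regex(
            @"<script|<style|\son\w+\s*=|javascript\s*:",
            RegexOptions.IgnoreCase);

        static bool IsClean(string html)
        {
            return !Dangerous.IsMatch(html);
        }

        static void Main(string[] args)
        {
            int failures = 0;
            foreach (string payload in Payloads)
            {
                string cleaned = AntiXss.GetSafeHtmlFragment(payload);
                bool ok = IsClean(cleaned);
                if (!ok)
                {
                    failures++;
                }
                Console.WriteLine("{0}: {1} => {2}", ok ? "PASS" : "FAIL", payload, cleaned);
            }
            // Non-zero exit so a build pipeline notices a sanitizer regression,
            // for example after changing library versions (the post notes 4.0 differs).
            Environment.Exit(failures == 0 ? 0 : 1);
        }
    }
}
```

Run it again whenever the AntiXSS package is upgraded, since sanitizer behaviour is version-dependent.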
Tags: .NET
Article URL:
https://www.ez2o.com/Blog/Post/XSS-Microsoft-Anti-Cross-Site-Scripting-Library
https://www.ez2o.com/Blog/Post/17