The first XSS attack on our blog

This isn't really all that dramatic, but it's a bit of fun to get some action. A short while ago someone posted an XSS link in the English part of our website.

I knew the comment field wasn't protected against HTML, and I hadn't bothered to fix it until now.

Attack vectors

The posted comment contained the following HTML tag; it is simply a test to see whether it was possible to run JavaScript through the comments on our blog.

<INPUT TYPE="IMAGE" src="javascript:alert('XSS');">

On ha.ckers.org's XSS (Cross Site Scripting) Cheat Sheet you can read that this vector does not work in IE7 or FF2, but it does in IE6 and Opera. There are also references to more vectors there.

How to protect yourself against XSS (with .NET)

The simplest option is to leave validateRequest switched on, as it is by default. The drawbacks are that it then isn't possible to post tags at all and that an error is shown. Read more about the pros and cons of ValidateRequest here. On our blog, which is about web development, we want to be able to allow HTML code from our visitors, so we have this protection turned off.

Instead we make sure to use Server.HtmlEncode on all text that comes from the visitor (this is what I just added).

A nice side effect is that it is now possible to write HTML code in the comments and have it displayed as it should be. Some of you have noticed that this hasn't worked so well before, and we should have fixed it long ago.

Testing allowed

If anyone is interested, feel free to try posting XSS to this post. I assume it's impossible, but who knows whether there is some obscure method that HtmlEncode can't filter.

I have also added a small function that is supposed to turn URLs into links. I can imagine it's possible to get some XSS variant in there. This is what the function looks like, in case anyone wants to try to "hack" it.

using System.Text.RegularExpressions;

public string ConvertUrlToHyperlink(string strInput)
{
    // Pass 1: absolute http:// URLs. The path part may not end in ".", whitespace, ",", ")", "<" or "!".
    string strPattern = @"(?<url>http://(?:[\w-]+\.)+[\w-]+(?:/[\w-./?%&~=]*[^.\s|,|\)|<|!])?)";
    string strReplace = "<a href=\"${url}\" target=_blank>${url}</a>";
    string strResult;
    strResult = Regex.Replace(strInput, strPattern, strReplace);

    // Pass 2: bare www. URLs; the lookbehind skips the ones pass 1 already wrapped in an anchor.
    strPattern = @"(?<!http://)(?<url>www\.(?:[\w-]+\.)+[\w-]+(?:/[\w-./?%&~=]*[^.\s|,|\)|<|!])?)";
    strReplace = "<a href=\"http://${url}\" target=_blank>${url}</a>";
    strResult = Regex.Replace(strResult, strPattern, strReplace);

    return strResult;
}
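To make the ordering concrete (HtmlEncode first, then the link conversion), here is an added Python port of the two patterns above; this is not the blog's own code, and html.escape stands in for Server.HtmlEncode. It shows that the posted vector comes out as harmless text and that a visitor cannot sneak a quote into the generated href, because every quote was already turned into an entity before the regex ran; the reversed order is included for contrast.

```python
import html
import re

# Python port of the blog's two .NET patterns (named-group syntax adapted,
# and the "-" inside the character class escaped, which Python requires).
ABS_URL = re.compile(
    r"(?P<url>http://(?:[\w-]+\.)+[\w-]+(?:/[\w\-./?%&~=]*[^.\s|,|\)|<|!])?)"
)
WWW_URL = re.compile(
    r"(?<!http://)(?P<url>www\.(?:[\w-]+\.)+[\w-]+(?:/[\w\-./?%&~=]*[^.\s|,|\)|<|!])?)"
)


def convert_url_to_hyperlink(text: str) -> str:
    """Turn bare http:// and www. URLs into anchors, as the blog's C# function does."""
    text = ABS_URL.sub(r'<a href="\g<url>" target="_blank">\g<url></a>', text)
    text = WWW_URL.sub(r'<a href="http://\g<url>" target="_blank">\g<url></a>', text)
    return text


def render_comment(raw: str) -> str:
    """Safe order: encode the visitor's text first (html.escape stands in for
    Server.HtmlEncode), then linkify the already-encoded text. Every < > " ' &
    the visitor typed is now an entity, so the regex cannot be tricked into
    emitting a quote that closes the href attribute."""
    return convert_url_to_hyperlink(html.escape(raw, quote=True))


def render_comment_wrong_order(raw: str) -> str:
    """Reversed order for contrast: linkify first, then encode. The anchors the
    linkifier produced are themselves encoded and show up as literal text."""
    return html.escape(convert_url_to_hyperlink(raw), quote=True)


if __name__ == "__main__":
    # Constructed samples: the vector posted on the blog, a plain link, and a
    # link that tries to break out of the generated href attribute.
    samples = [
        '<INPUT TYPE="IMAGE" src="javascript:alert(\'XSS\');">',
        "see http://example.com/page?id=1 and www.example.org",
        'http://example.com/a"onmouseover="alert(1)',
    ]
    for s in samples:
        print(render_comment(s))
```

For the third sample the regex stops at the encoded quote, so the output is an anchor whose href is http://example.com/a&quot; followed by plain text; the only double quotes in the result are the four the template itself emits.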

Comments

testing links http://codeodyssey.se/blog.aspx?id=352#write-comment
