Asp.Net webresource.axd打开重定向安全漏洞?

时间:2014-11-05 14:15:45

标签: c# asp.net .net security

通过Burpe Suite的主动扫描运行WebResource.axd表明WebForm_DoCallback函数中可能存在开放重定向缺陷。此函数根据生成的URL执行发布。生成的url基于表单操作url或document.location.pathname 我还没弄清楚我的网站在哪里使用这种方法,也没有找到滥用它的方法。 怎么有人滥用这个? 这是相关功能。评论包括潜在的问题。

var xmlRequest,e;
try {
    xmlRequest = new XMLHttpRequest();
}
catch(e) {
    try {
        xmlRequest = new ActiveXObject("Microsoft.XMLHTTP");
    }
    catch(e) {
    }
}
var setRequestHeaderMethodExists = true;
try {
    setRequestHeaderMethodExists = (xmlRequest && xmlRequest.setRequestHeader);
}
catch(e) {}
var callback = new Object();
callback.eventCallback = eventCallback;
callback.context = context;
callback.errorCallback = errorCallback;
callback.async = useAsync;
var callbackIndex = WebForm_FillFirstAvailableSlot(__pendingCallbacks, callback);
if (!useAsync) {
    if (__synchronousCallBackIndex != -1) {
        __pendingCallbacks[__synchronousCallBackIndex] = null;
    }
    __synchronousCallBackIndex = callbackIndex;
}
if (setRequestHeaderMethodExists) {
    xmlRequest.onreadystatechange = WebForm_CallbackComplete;
    callback.xmlRequest = xmlRequest;
    // action is set to the url of the form or current path.
    //fragmentIndex is set to the index of # in the url
    var action = theForm.action || document.location.pathname, fragmentIndex = action.indexOf('#');
    if (fragmentIndex !== -1) {
        //action is set to index of start to the position of fragmentIndex
        action = action.substr(0, fragmentIndex);
    }
    //From somewhere else in the script.
    //var __nonMSDOMBrowser = (window.navigator.appName.toLowerCase().indexOf('explorer') == -1)
    if (!__nonMSDOMBrowser) {
        var queryIndex = action.indexOf('?');
        if (queryIndex !== -1) {
            var path = action.substr(0, queryIndex);
            if (path.indexOf("%") === -1) {
                action = encodeURI(path) + action.substr(queryIndex);
            }
        }
        else if (action.indexOf("%") === -1) {
            action = encodeURI(action);
        }
    }
    //post to the generated url.
    xmlRequest.open("POST", action, true);
    xmlRequest.setRequestHeader("Content-Type", "application/x-www-form-urlencoded; charset=utf-8");
    xmlRequest.send(postData);
    return;
}

0 个答案:

没有答案