经典ASP ::跨站点脚本(XSS)差的验证问题

时间:2015-06-02 07:21:48

标签: security asp-classic xss fortify

对于传统的经典ASP应用程序,我应该删除所有安全攻击问题。目前,DB包含已编码的数据,不再有插入/更新操作。仅从现在开始就选择操作。

我能够删除SQL注入和其他一些安全问题,但无法删除

  

跨站点脚本(XSS):验证不良问题

这成为交付项目的瓶颈。

有人可以帮我解决这个问题。

示例: 我在DB中的数据如下。

一个细胞样本数据(韩语和英语字符) 

1..&nbsp;Rupture&nbsp;disc&nbsp;설치&nbsp;관련&nbsp;필요&nbsp;자재&nbsp;List<BR>──────────────────────────────────────<BR>&nbsp;&nbsp;&nbsp;No 필요&nbsp;자재 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;재질 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;비&nbsp;고 <BR>──────────────────────────────────────<BR>&nbsp;&nbsp;&nbsp;1 inlet&nbsp;isolation&nbsp;valve,&nbsp;8" &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hast&nbsp;C276 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;기존&nbsp;재고&nbsp;사용 <BR>&nbsp;&nbsp;&nbsp;2 RD&nbsp;holder&nbsp;inlet/outlet &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hast&nbsp;C276&nbsp;/&nbsp;316L&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;신규&nbsp;구매 <BR>&nbsp;&nbsp;&nbsp;3 Rupture&nbsp;Disc &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Hast&nbsp;C276 &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;신규&nbsp;구매 <BR>&nbsp;&nbsp;&nbsp;4 SV&nbsp;outlet&nbsp;isolation&nbsp;valve,&nbsp;10"&nbsp;&nbsp;&nbsp;SUS&nbsp;316L &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;신규&nbsp;구매 <BR>──────────────────────────────────────<BR><BR>2.&nbsp;Rupture&nbsp;Disc&nbsp;Specification<BR>&nbsp;&nbsp;1)&nbsp;Rupture&nbsp;design&nbsp;press  :&nbsp;4kg/cm2<BR>&nbsp;&nbsp;2)&nbsp;Design&nbsp;temperature  :&nbsp;100℃<BR>&nbsp;&nbsp;3)&nbsp;Rupture&nbsp;press&nbsp;tolerance&nbsp; &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;±&nbsp;5%<BR>&nbsp;&nbsp;4)&nbsp;Manufacturing&nbsp;range  :&nbsp;+&nbsp;0%,&nbsp;&nbsp;&nbsp;-&nbsp;10%<BR>&nbsp;&nbsp;5)&nbsp;Material&nbsp;spec   :&nbsp;M1,&nbsp;M4,&nbsp;C31<BR>&nbsp;&nbsp;6)&nbsp;Max.&nbsp;allowable&nbsp;oper&nbsp;press &nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;:&nbsp;3.2kg/cm2&nbsp;(at&nbsp;100℃)<BR><BR>3.&nbsp;Rupture&nbsp;Disc&nbsp;spec&nbsp;선정&nbsp;기준<BR>&nbsp;&nbsp;.&nbsp;Code,&nbsp;&nbsp;Standard&nbsp;=&nbsp;API&nbsp;520,&nbsp;&nbsp;ASME&nbsp;VIII<BR>&nbsp;&nbsp;.&nbsp;Required&nbsp;Burst&nbsp;Pressure&nbsp;=&nbsp;Vessel&nbsp;Design&nbsp;Pressure<BR>&nbsp;&nbsp;.&nbsp;Manufacturing&nbsp;range(+0%&nbsp;∼&nbsp;-10%)&nbsp;of&nbsp;Required&nbsp;Burst&nbsp;Pressure<BR>&nbsp;&nbsp;.&nbsp;Rupture&nbsp;Pressure&nbsp;Tolerance&nbsp;+5%,&nbsp;-5%&nbsp;of&nbsp;Stamped&nbsp;Burst&nbsp;Pressure<BR>&nbsp;&nbsp;.&nbsp;Specified&nbsp;Disc&nbsp;Temperature&nbsp;=&nbsp;Actual&nbsp;Temperature&nbsp;of&nbsp;Disc&nbsp;in&nbsp;Operation&nbsp;<BR>&nbsp;&nbsp;&nbsp;&nbsp;→&nbsp;usually&nbsp;lower&nbsp;at&nbsp;disc&nbsp;than&nbsp;in&nbsp;liquid&nbsp;phase&nbsp;of&nbsp;vessel&nbsp;&nbsp;<BR><BR>4.&nbsp;Rupture&nbsp;Disk&nbsp;전단&nbsp;및&nbsp;SV2209&nbsp;후단&nbsp;Isolation&nbsp;valve는&nbsp;CSO(CAR&nbsp;SEAL&nbsp;OPEN)&nbsp;.<BR><BR>5.&nbsp;Rupture&nbsp;Disk&nbsp;후단에&nbsp;PG2209를&nbsp;설치하여&nbsp;운전&nbsp;중&nbsp;Rupture&nbsp;disk&nbsp;파손&nbsp;여부&nbsp;확인&nbsp;가능토록&nbsp;함.<BR>

我正在显示以上单元数据:

示例页面 

<!-- #include file="INCLUDES/HTMLDecode.inc" -->
.
.
.
<HTML>
.
.
.
sampledata = rs("sampledata")
.
.
.
<TD><%= ClearForAttack(sampledata) =%></TD>
.
.
.
</HTML>

以上功能定义如下:

用户定义的功能: 

    <%
    Function HTMLDecode(sText)
        Dim I
        sText = Replace(sText, "&quot;", Chr(34))
        sText = Replace(sText, "&lt;"  , Chr(60))
        sText = Replace(sText, "&gt;"  , Chr(62))
        sText = Replace(sText, "&amp;" , Chr(38))
        sText = Replace(sText, "&nbsp;", Chr(32))
        For I = 1 to 255
            sText = Replace(sText, "&#" & I & ";", Chr(I))
        Next
        HTMLDecode = sText
    End Function
    %>
    <%
    Function ClearForAttack(pStrValue)
        if len(pStrValue)>0 then
            pStrValue = HTMLDecode(Server.HTMLEncode(pStrValue))
            pStrValue = replace(pStrValue,"'","")
            pStrValue = replace(pStrValue,"`","")
            pStrValue = replace(pStrValue,"%","")
            pStrValue = replace(pStrValue,"<","&lt;")
            pStrValue = replace(pStrValue,">","&gt;")
        else
            pStrValue = ""
        end if
        ClearForAttack = pStrValue
    End Function
    %>

要显示已编码的数据,我正在使用HTMLDecode和HTMLEncode函数

编辑功能或建议其他方法。

非常感谢您的帮助或建议。

提前致谢。

2 个答案:

答案 0 :(得分:0)

如上所述,只需清理发布/查询字符串数据来自用户输入和数据库的所有数据。您可以尝试多种方法,包括Server.HTMLEncode

如果您需要对此进行扩展以涵盖数据库字段,那么您需要在<>上执行某种搜索和替换,将其替换为{{1}分别和&lt;

XSS存在一些问题。您可能需要read this first

答案 1 :(得分:0)

Server.HTMLEncode清理查询。您需要运行验证过程以满足不良验证。有一个简单的黑名单&#34;您可以根据自己的需要进行更改的程序。检查http://blogs.iis.net/nazim/filtering-sql-injection-from-classic-aspValidation for Form and QueryString in ASP Classic using Regex. Almost working but missing something?。一旦合并,应删除大多数不良验证。

相关问题
最新问题