小于或大于URL破坏我的网站

时间:2015-07-05 04:09:05

标签: c# asp.net asp.net-mvc

我试图通过在URL中输入HTML来检查XSS漏洞来破坏我的ASP.NET网站,但事实证明它比这更糟糕:

我已经通过在我的Web.config中设置+来允许包含其他符号的网址(例如allowDoubleEscaping=true),但似乎这对包含{{1}的网址不起作用},<,还可能更多。我希望我的自定义500错误页面能够显示this implementation,但该网站甚至无法实现这一目标。

如何通过这些类型的URL,并使用通用错误页面处理它们?

编辑:

我最接近堆栈跟踪的是:

>

当我尝试访问类中的 at vReport2.User.get_Current() in z:\Scott\Projects\Visual Studio\C#\vReport2.1\vReport2.1\Models\User.cs:line 18 at ASP._Page_Views_Shared__Layout_cshtml.Execute() in z:\Scott\Projects\Visual Studio\C#\vReport2.1\vReport2.1\Views\Shared\_Layout.cshtml:line 35 at System.Web.WebPages.WebPageBase.ExecutePageHierarchy() at System.Web.Mvc.WebViewPage.ExecutePageHierarchy() at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer) at System.Web.WebPages.WebPageBase.<>c__DisplayClass3.<RenderPageCore>b__2(TextWriter writer) at System.Web.WebPages.HelperResult.WriteTo(TextWriter writer) at System.Web.WebPages.WebPageExecutingBase.WriteTo(TextWriter writer, HelperResult content) at System.Web.WebPages.WebPageBase.Write(HelperResult result) at System.Web.WebPages.WebPageBase.RenderSurrounding(String partialViewName, Action`1 body) at System.Web.WebPages.WebPageBase.PopContext() at System.Web.WebPages.WebPageBase.ExecutePageHierarchy(WebPageContext pageContext, TextWriter writer, WebPageRenderingBase startPage) at System.Web.Mvc.RazorView.RenderView(ViewContext viewContext, TextWriter writer, Object instance) at System.Web.Mvc.BuildManagerCompiledView.Render(ViewContext viewContext, TextWriter writer) at System.Web.Mvc.ViewResultBase.ExecuteResult(ControllerContext context) at System.Web.Mvc.ControllerActionInvoker.InvokeActionResult(ControllerContext controllerContext, ActionResult actionResult) at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult) at System.Web.Mvc.ControllerActionInvoker.InvokeActionResultFilterRecursive(IList`1 filters, Int32 filterIndex, ResultExecutingContext preContext, ControllerContext controllerContext, ActionResult actionResult) 时抛出异常。

2 个答案:

答案 0 :(得分:1)

删除&lt;和&gt;来自requestPathInvalidCharacters列表。请参阅:https://stackoverflow.com/a/8597868/331281

例如,您的web.config可能如下所示:

<system.web>
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,%,&amp;,:,\,?" />
</system.web>

答案 1 :(得分:0)

你应该在打开之前记下网址。 并在加载时解密它并且可以获取url参数值

使用EncryptDecrypt逻辑解决此问题

相关问题
最新问题