ASP.NET 2.0 dumbs down request validation
2008-04-25 08:22:47
The following message comes from the Ph4nt0m (幻影论坛) mailing list.
Since the early days of ASP.NET there has been a heavy reliance on request validation to mitigate cross-site scripting issues, because many of the WebControls do not perform any output encoding. In ASP.NET v1.1 the request validation performed was fairly restrictive: it looked for tags, expressions, on* event-handler strings (onClick, etc.), javascript:, and "&#". After reviewing an ASP.NET 2.0 site I found these protections have been simplified to just look for tags and "&#".
This has a number of interesting security impacts, as any 1.1 site that relies on these protections as mitigations for security issues will find itself vulnerable once it upgrades. It would be interesting to know Microsoft's reasons for removing these checks. I would assume it caused too many customer issues, perhaps interfered with
To recap, ASP.NET v1.1 performed the following checks: tags, expressions, on* event-handler strings (onClick, etc.), javascript:, and "&#".
While ASP.NET v2.0 and higher performs only the following: tags and "&#".
As you can see the 2.0 version is much weaker than 1.1.
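To make the regression concrete, here is an added example (not code from the original post, and not Microsoft's implementation) that models the two validation policies as the post describes them and runs both over a few constructed inputs. The exact patterns ASP.NET used are not on the page, so each regular expression is a conservative reading of the category the post names; the sample strings are constructed for the demonstration. It also shows the mitigation a practitioner should rely on instead: encoding untrusted data on output, which neutralises every sample regardless of which validator was in front of it.

```python
import html
import re
from typing import List

# Approximations of the check categories the post attributes to each version.
# These are assumptions about the categories, not ASP.NET's real patterns.
TAG_RE = re.compile(r"<[a-zA-Z!/?]")                    # looks like markup
ENTITY_RE = re.compile(r"&#")                           # numeric character reference
EXPRESSION_RE = re.compile(r"expression\s*\(", re.I)    # CSS expression()
ON_EVENT_RE = re.compile(r"\bon[a-zA-Z]+\s*=", re.I)    # onClick=, onload=, ...
JS_URI_RE = re.compile(r"javascript\s*:", re.I)         # javascript: URI scheme

# Checks the post says v1.1 performed.
V11_CHECKS = {
    "tag": TAG_RE,
    "entity": ENTITY_RE,
    "expression": EXPRESSION_RE,
    "on_event": ON_EVENT_RE,
    "javascript_uri": JS_URI_RE,
}

# Checks the post says v2.0 and higher still perform.
V20_CHECKS = {
    "tag": TAG_RE,
    "entity": ENTITY_RE,
}


def _triggered(value: str, checks: dict) -> List[str]:
    """Return the names of the checks that fire on the given request value."""
    return [name for name, pattern in checks.items() if pattern.search(value)]


def checks_v11(value: str) -> List[str]:
    return _triggered(value, V11_CHECKS)


def checks_v20(value: str) -> List[str]:
    return _triggered(value, V20_CHECKS)


def is_rejected_v11(value: str) -> bool:
    return bool(checks_v11(value))


def is_rejected_v20(value: str) -> bool:
    return bool(checks_v20(value))


def regressions(values: List[str]) -> List[str]:
    """Inputs that v1.1 request validation rejected but v2.0 lets through."""
    return [v for v in values if is_rejected_v11(v) and not is_rejected_v20(v)]


def safe_render(value: str) -> str:
    """Output encoding: the mitigation that does not depend on request validation."""
    return html.escape(value, quote=True)


# Constructed sample request values for the demonstration.
SAMPLES = [
    "hello world",            # benign; both versions accept
    "<b>bold</b>",            # tag; both versions reject
    "&#60;script&#62;",       # numeric entity; both versions reject
    "x onclick=foo()",        # on* string; only v1.1 rejects
    "javascript:void(0)",     # javascript: URI; only v1.1 rejects
    "width:expression(1)",    # CSS expression(); only v1.1 rejects
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:26} v1.1={checks_v11(sample)} v2.0={checks_v20(sample)}")
    print("accepted by 2.0 but rejected by 1.1:", regressions(SAMPLES))
    print("encoded on output:", [safe_render(s) for s in regressions(SAMPLES)])
```

The point of `regressions()` is the audit a defender would run after an upgrade: every value in that list reaches the page unmodified on 2.0, so any control that writes it into markup or an attribute without encoding is now exposed. `safe_render()` shows why output encoding is the durable fix: the encoded forms are inert no matter which validator, if any, sat in front of the request.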
Enjoy! (This article is from the 51CTO.COM technical blog.)