Question
After running a security scan across our web application (WebInspect), it has reported several XSS vulnerabilities with some aspx pages.
The request URL seems to be able to change the form action.
Example,
/Website/somepage.aspx/'+alert(1234)+'
the form action is changed to
action="'+alert(1234)+'"
To rule out our application code, I tried this with the default new Visual Studio webform project and it allows the same.
How can this be prevented?
I've always been told that un-validated input being reflected into the page is bad news.
Answer 1:
Just put something in the action, something like this:
<form id="id_form" runat="server" action="Default.aspx">
When the form action is not specified, ASP.NET fills this attribute with what you wrote in the URL after the last slash. If you write something there, ASP.NET doesn't rewrite it.
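The approach in this answer, as an added example that is not from the original post or from the asker's project: a single-file Web Forms page whose form action is set from code in `Page_Init` rather than hard-coded in the markup, so the same fix applies to any page without naming `Default.aspx`. The page and control names are hypothetical, and it assumes .NET Framework 3.5 SP1 or later, where `HtmlForm.Action` can be assigned.

```aspx
<%@ Page Language="C#" %>
<script runat="server">
    // Hypothetical page: assigning Form.Action stops HtmlForm from deriving the
    // action from the request URL. Request.FilePath is the virtual path of the
    // page itself ("/Website/somepage.aspx"); it excludes PathInfo (the
    // "/'+alert(1234)+'" suffix) and the query string, and HtmlForm attribute-encodes
    // the value it renders, so nothing supplied after the last slash reaches the markup.
    protected void Page_Init(object sender, EventArgs e)
    {
        Form.Action = Request.FilePath;
    }
</script>
<!DOCTYPE html>
<html>
<head runat="server">
    <title>Form action set from code</title>
</head>
<body>
    <!-- No action attribute here on purpose: Page_Init supplies it.
         A literal action="Default.aspx", as in the answer above, is the markup-only equivalent. -->
    <form id="form1" runat="server">
        <asp:TextBox ID="txtName" runat="server" />
        <asp:Button ID="btnSubmit" runat="server" Text="Submit" />
    </form>
</body>
</html>
```

To confirm the fix, request the page as `/Website/somepage.aspx/'+alert(1234)+'` and view the rendered source: the `action` attribute should now read `/Website/somepage.aspx` with no trace of the suffix. Note that `Request.FilePath` still reflects the path the server resolved, so keep the page names themselves free of user-controlled input.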
Answer 2:
Please check your global.asax - Application_Start to see if any routes have been defined.
Source: https://stackoverflow.com/questions/17431057/cross-site-scripting-asp-net-form-action-being-modified-by-url