I have a controller which accepts
using System.ComponentModel.DataAnnotations;

public class MyModel
{
    // Only the length is validated here; the content of Message is not encoded or filtered.
    [MaxLength(400)]
    public string Message { get; set; }
}
I have a WebApi Post Acti
As your code stands right now, a user could just inject JavaScript that doesn't use a script tag.
There is a common list of XSS vulnerabilities that could be used.
Right now you accept a 'string', and all you parse out are HTML tags. Unfortunately, there are a lot of XSS attacks that don't rely on HTML.
For instance, adding the following to a GET request in Firefox: %22onmouseover=prompt%28%29// will allow the person to inject JavaScript.
Your best bet is to use the AntiXss library from Microsoft, and specifically encode the parameters for GET and POST requests.
(I have to head to work, but I'll post more code later on how to do this).
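The contrast the answer draws, as an added example (not code from the question or the answer): the tag-stripping approach the question describes is run side by side with an allow-list attribute encoder, using the exact query-string payload from the answer. The encoder here is a small stand-in written for this demo, not the Microsoft AntiXss library, and the `<input value="...">` view that echoes the message is assumed for illustration; `attributeNames` is a deliberately crude model of how a browser tokenizes a start tag, enough to show which attributes it would end up with.

```javascript
// Added example, not from the question or the answer. It models the two approaches
// the answer contrasts: stripping tags (the question's approach) versus encoding the
// value for the context it lands in (what the answer recommends via AntiXss; the
// encoder below is a stand-in written for this demo, not the Microsoft library).

// The payload from the answer, exactly as it arrives in a query string.
const PAYLOAD_URLENCODED = "%22onmouseover=prompt%28%29//";

// What the server sees after the framework URL-decodes the parameter.
function decodeParam(raw) {
  return decodeURIComponent(raw);
}

// The question's approach: remove anything that looks like an HTML tag.
function stripTags(input) {
  return String(input).replace(/<[^>]*>/g, "");
}

// Allow-list attribute encoder: every character outside [A-Za-z0-9 ] becomes a
// numeric entity, so quotes, '=', '(' and '/' can never terminate the attribute.
function htmlAttributeEncode(input) {
  return String(input).replace(/[^A-Za-z0-9 ]/gu,
    (ch) => "&#x" + ch.codePointAt(0).toString(16) + ";");
}

// Hypothetical view that echoes the message back inside a double-quoted attribute,
// a common place for the answer's payload to land.
function renderMessageInput(message, encode) {
  return '<input type="text" value="' + encode(message) + '">';
}

// Crude model of how a browser tokenizes attributes inside a start tag: a quoted
// value ends at its closing quote, and whatever follows is read as the next
// attribute name. Returns the attribute names the browser would see.
function attributeNames(tagHtml) {
  const inner = tagHtml.replace(/^<\w+\s*/, "").replace(/\s*\/?>$/, "");
  const re = /([A-Za-z-]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/g;
  const names = [];
  let m;
  while ((m = re.exec(inner)) !== null) names.push(m[1].toLowerCase());
  return names;
}

// Any on* attribute means attacker-controlled JavaScript would run.
function hasEventHandler(tagHtml) {
  return attributeNames(tagHtml).some((n) => n.startsWith("on"));
}

// Run both pipelines against the same input and report what the browser would see.
function compare(rawParam) {
  const message = decodeParam(rawParam);
  const stripped = renderMessageInput(message, stripTags);
  const encoded = renderMessageInput(message, htmlAttributeEncode);
  return {
    decoded: message,
    strippedHtml: stripped,
    strippedIsVulnerable: hasEventHandler(stripped),
    encodedHtml: encoded,
    encodedIsVulnerable: hasEventHandler(encoded),
  };
}

console.log(JSON.stringify(compare(PAYLOAD_URLENCODED), null, 2));
```

The stripped version contains no `<` or `>` at all, so a tag filter passes it untouched; once it sits inside `value="..."`, the leading quote closes the attribute and `onmouseover` becomes a new one. The encoded version reaches the browser as a single attribute value because none of the delimiter characters survive encoding. The same principle applies to the other contexts AntiXss has encoders for (HTML text, JavaScript strings, URLs): pick the encoder for where the value is rendered rather than trying to enumerate bad input.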