我使用的WebForm
I'm using WebForm
我在做安全测试,以我的网站,但是当我试图通过URL查询字符串,如:
I'm doing a Security Testing to my site but when I try to pass through url a QueryString like:
' - > netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E
'"-->netsparker(0x00286A) mysite/Error/PageNotFound.aspx?aspxerrorpath=%27%22--%3E%3C/style%3E%3C/script%3E%3Cscript%3Enetsparker(0x0030C5)%3C/script%3E
我在'/'应用了服务器错误。
I got Server Error in '/' Application.
一个潜在危险的Request.QueryString值从检测 客户从客户端检测到有潜在危险的Request的值(>)。
A potentially dangerous Request.QueryString value was detected from the client A potentially dangerous Request.Path value was detected from the client (>).
我在web.config
I have in the web.config
<httpRuntime enableVersionHeader="false"/> <customErrors mode="On" defaultRedirect="~/Error/GeneralError.aspx"> <error statusCode="404" redirect="~/Error/PageNotFound.aspx" /> <error statusCode="403" redirect="~/Error/GeneralError.aspx" /> <error statusCode="500" redirect="~/Error/GeneralError.aspx" /> </customErrors> .................. <pages controlRenderingCompatibilityVersion="4.0" viewStateEncryptionMode="Always">
任何想法,我该怎么纠正?
Any idea how can I correct that?
推荐答案您错误是由于违反了建在ASP平台的安全规则。这些规则prevent注入和跨站脚本攻击。如果您正在使用MVC有一个方便的AntiForgeryToken,可以照顾这个给你。
Your error is due to violation of built in security rules in the ASP platform. These rules prevent injection and cross-site scripting attacks. If you are using MVC there is a handy AntiForgeryToken that can take care of this for you.
请看看来自斯科特Hanselman的
Please look into the post from Scot Hanselman
www.hanselman/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx
更多推荐
从客户端检测到有潜在危险的Request.QueryString值
发布评论