I'm looking into a vulnerability reported against my website, which is written mostly in classic ASP with VBScript. I thought the fix I made should have been sufficient, but the "rescan" still shows a "Medium Risk" item on port 80/tcp:
51972 - CGI Generic Cross-Site Scripting (Parameters Names)
Here is a snippet from the report for this item:
-------- request --------
GET /stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314>>>>>=1 HTTP/1.1
Host: www.mortgagedataweb.com
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Accept-Language: en
Connection: Close
Cookie: ASPSESSIONIDSQQQBDTB=MCJAMHCACGEHCNCCGDDPOEAI; ASPSESSIONIDQSSQDCTB=JAFAABIAONBOMMAMJILMMLGL; ASPSESSIONIDQSQQBDTB=IBJAMHCAIGIGCEKMBNPOMCPN
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
------------------------
-------- output --------
<button type="button" onclick=
"location.href='/stagedmds/marketshare/ParmsV2.asp?<<<<<<<<<<foo"bar'314
>>>>>=1&Doc=Y';"
ONMOUSEOVER="this.className = 'over';"
ONMOUSEOUT="this.className = '';"
------------------------
/stagedmds/marketshare/ParmsV2.ASP?<<<<<<<<<<foo"bar'314>>>>>=1
When I looked at the server-side script for this page, I noticed that my retrieval of the parameter did not "sanitize" the input, like so:
implied_Menu = UCase(Request.QueryString("Menu"))
So I changed it to the following:
implied_Menu = getUserInput(UCase(Request.QueryString("Menu")))
where the newly added function is supposed to "sanitize" the parm value, like so:
Function getUserInput(input)
    Dim newString
    newString = input
    newString = Replace(newString, "--", "")        ' strip SQL comment marker
    newString = Replace(newString, ";", "")         ' strip statement separator
    newString = Replace(newString, Chr(34), "'")    ' double quote -> single quote
    newString = Replace(newString, "'", "")         ' then drop single quotes
    newString = Replace(newString, "=", "=")
    newString = Replace(newString, "(", "[")
    newString = Replace(newString, ")", "]")
    newString = Replace(newString, "'", "''")
    newString = Replace(newString, "<", "[")        ' angle brackets -> square brackets
    newString = Replace(newString, ">", "]")
    newString = Replace(newString, "/*", "/")       ' strip block comment delimiters
    newString = Replace(newString, "*/", "/")
    getUserInput = newString
End Function
This variable, implied_Menu, is never output to the page in any way. It is only evaluated with some Case logic to set other variables, as in the following example:
Select Case implied_Menu
    Case "C_ST"
        implied_PromptType = ByCounty
        implied_DataSubset = iConventional
        implied_ReportName = Conventional
    ' ... further cases omitted ...
End Select
I can't see what else could be done here. I have read Preventing cross-site scripting attacks? Some of these vulnerability scanners do not recognize the measures I've taken.
Is it possible that the scanner always reports an XSS violation whenever it sees a retrieval from the query string?
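The report's "output" block shows where the finding actually comes from: the page rebuilds the `Doc=Y` link by echoing the whole incoming query string into a JavaScript string literal inside the `onclick` attribute, and the scanner's payload sits in the parameter *name*, not in any `Menu` value. The following Node.js model is an added example, not the asker's ASP code or Nessus's logic; the page path is taken from the report, while the assumption that the link is built by concatenating the raw query string, and the `ALLOWED_PARAMS` whitelist (only `Menu` is visible on the page), are assumptions made for illustration. It shows that the scanner request carries no `Menu` parameter at all, that the raw concatenation reproduces the reported output, and how rebuilding the link from known parameters with URL encoding plus HTML attribute encoding stops the reflection:

```javascript
// Added example (not the asker's ASP code): models how the "Doc=Y" button on
// ParmsV2.asp is assembled from the request, to show why the scanner's payload
// lands in the onclick attribute even though no Menu value is ever echoed.
// The link-building logic and the parameter whitelist are assumptions.

// Constructed input: the exact query string from the scanner's request.
const SCANNER_QUERY = '<<<<<<<<<<foo"bar\'314>>>>>=1';
const PAGE_PATH = '/stagedmds/marketshare/ParmsV2.asp';

// Assumed whitelist of parameters the page actually uses (Menu is the one shown).
const ALLOWED_PARAMS = ['Menu'];

// The value getUserInput() would receive. The scanner request carries no
// "Menu" parameter at all, so the sanitizer never sees the payload.
function menuValue(rawQueryString) {
  return new URLSearchParams(rawQueryString).get('Menu'); // null when absent
}

// Vulnerable pattern (assumed from the report's output block): the raw query
// string is concatenated into a JavaScript string literal inside an HTML
// attribute. A ' in the payload ends the JS literal, a " ends the attribute.
function buildButtonUnsafe(rawQueryString) {
  return '<button type="button" onclick="location.href=\'' +
    PAGE_PATH + '?' + rawQueryString + '&Doc=Y\';">';
}

// Minimal HTML attribute encoder. In classic ASP, Server.HTMLEncode covers
// & < > "; the apostrophe is added here because the attribute wraps a JS string.
function htmlAttrEncode(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened pattern: rebuild the link from known parameters only, percent-encode
// each value for the URL context (URLSearchParams does this on serialization),
// then HTML-encode the whole attribute value. Unknown parameter names, which is
// where the scanner put its payload, are simply dropped.
function buildButtonSafe(rawQueryString) {
  const incoming = new URLSearchParams(rawQueryString);
  const outgoing = new URLSearchParams();
  for (const name of ALLOWED_PARAMS) {
    if (incoming.has(name)) outgoing.set(name, incoming.get(name));
  }
  outgoing.set('Doc', 'Y');
  const href = PAGE_PATH + '?' + outgoing.toString();
  return '<button type="button" onclick="' +
    htmlAttrEncode("location.href='" + href + "';") + '">';
}

// The check the scanner effectively makes: do the payload's quote characters
// reach the response verbatim?
function payloadReflected(html) {
  return html.includes('foo"bar\'314');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('Menu value seen by getUserInput:', menuValue(SCANNER_QUERY));
  console.log('unsafe:', buildButtonUnsafe(SCANNER_QUERY));
  console.log('safe:  ', buildButtonSafe(SCANNER_QUERY));
}
```

The equivalent change in the ASP page is to stop writing `Request.QueryString` (or `Request.ServerVariables("QUERY_STRING")`) into the link, and instead assemble the href from the individual parameters the page knows about, passing each through `Server.URLEncode` and the finished attribute value through `Server.HTMLEncode`; sanitizing `implied_Menu` has no effect on this sink because that variable is never written to the page.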