??????? ?????? ??????? WEB IMPROVING: AND COUNTERMEASURES: ??????? ????????

?????? ????????? ?????? ?????????
???? ???????: 867600 - ??? ???????? ???? ????? ????? ??? ???????.
????? ???? | ?? ????

??????

????? ??? ??????? ??? ??????? ????????? ???????? ??? ????? ???????? ???????? ???? Microsoft ??? & ?????????????? ?????? ????? ???: ????????? ? ??????? ? ISBN 0-7356-1842-9

??? ????? ????? ??? ???? ??? ?????? ?????? ??? ???????. ?? ??? ?????? ?? ???? ??????? ????? ????? ?????? ?? ????? ??? ?????? ??? MSDN.

??? ????? ???????? ???????:
  • 273 ?????? ? ????? 10: ????? ????? ASP.NET ?????? ?????? ?????: ???? ?????? ????? ???? ??? ????????
  • 441 ?????? ? ????? 16: ????? ????????? ???? ??? ? ??????: ????? NetBIOS ? SMB

??????? ????

273 ?????? ? ????? 10: ????? ????? ASP.NET ?????? ?????? ?????: ???? ?????? ????? ???? ??? ????????
http://msdn2.microsoft.com/en-us/library/aa302426.aspx

???????:

?? ????? ????? ???? ??? ???????? ??? ???????. ???? ?????? ??? ???? ?????? ??????? ?? ???? ???? ???? ?? ??? ????? ??????? TextMode ?????? ?? ??? ?????. ?? ???? ??? ?? ???? ???? ??? ???????? ???? ????? ??? ??????? ?????? ???? XSS ???? ????? ????????? ???????? ??? ??????. ?????? ????? ??? ??????? ???????? ?? ????? ?????? ??? ???? ?? ????? ???? ???????? ????? ???? (???? ??? ????? ?????? ???????? ?? ????????? ??????) ? ????? ???????? ??? ??????? ??? ??????.

To:

???????? ?? ????? ???? ????? ????? ???? ???? ??? ???? ???? ????? ?????? ???????? ???? ??? ?????? ? DataSource ? ???????. ??? ???? ? ???? DataGrid ? ListBox ? DropDownList ???? ???????? ???? ??????. ??????? ???????? ???? ???? ????? ???? ????? ????? ??????? ??? ??? ?????? ?? ???? ?????? ????; ?????? ????? ????????? ?????? ????? ??? ?????? ??? ????? ??? ?? ?????? ???? ????? XSS. ??? ???? ??????? ?? ???? ????? ????? ??? ???? ?????? ?? ??????? ??? ??????? ?????? ?????? ????? ?????? ?????. ??? ??? ???? ??????? ?????? ??? ????? ??????? ?????? ???? XSS ??? ????? ???????? (?????? abusing ???? ????? ?? ??? ?????????, ??? ???? ??????) ??? ????? ???? ????????? ???? ?????? ????? ??? ????? ??? ????, ???? ???? ??????? ?????? ?????????. ???? ????? ??? ??? ???? ?? ???? ????? ?????? ???? ???? ??????? ?? ???? ???????? ???.

??? ????? ????? ???? ??? ???????? ??? ????? ????? DataGrid ? DataList RadioButtonList ? CheckBoxList. ????? ????? ???????? ?? ????? ???? ???? ???? ??? ?? ???? ???? ????. ??? ???? ??????? ??????? DataGrid ???? ??????? ???? ???????? ???????:
  • ????? ???? ??????? ?? ????? ?????????? HtmlEncode()/UrlEncode() ?????? ??? ?? ??????? DataBinder.Eval
  • ????? ??? ?? ?????? DataBinding ??? OnDatabinding ?? OnItemDataBound ?????? ????? ??? ??????? ?????? ??. ???? ?????? ?????? ????? ????? ????? OnItemDataBound ????? ???? DataGrid ??? ????? ??????? ?????? ?? ?????? ??? ???????? HtmlEncode() ?? UrlEncode() ??? ?????:

...
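[DefaultProperty("Text"),
  ToolboxData("<{0}:DataGrid runat=server></{0}:DataGrid>")]

public class DataGrid : System.Web.UI.WebControls.DataGrid
{
    /// <summary>
    /// The ItemDataBound event is raised after an item is data bound to the DataGrid
    /// control. This event provides you with the last opportunity to access the data
    /// item before it is displayed on the client. After this event is raised, the data
    /// item is nulled out and no longer available. - .NET Framework Class Library
    ///
    /// This override HtmlEncodes the text that each cell will render (either the cell's
    /// own Text or the Text of the HyperLink, LinkButton and Button controls it holds)
    /// so that data-bound values cannot inject markup. A HyperLink's NavigateUrl is not
    /// encoded as a whole (that would turn "http://" into "http%3a%2f%2f" and break the
    /// link); instead it is kept only when <see cref="IsSafeNavigateUrl"/> accepts its
    /// scheme, and cleared otherwise.
    /// </summary>
    /// <param name="e">Event data for the grid item that was just bound.</param>
    protected override void OnItemDataBound(DataGridItemEventArgs e)
    {
        base.OnItemDataBound(e);

        switch (e.Item.ItemType)
        {
            case ListItemType.Item:
            case ListItemType.AlternatingItem:
            case ListItemType.EditItem:
            case ListItemType.SelectedItem:
            case ListItemType.Footer:
            case ListItemType.Header:
            case ListItemType.Pager:
                // even though not all of these ListItemTypes are data bound,
                // encode each cell. If a cell has no controls, HtmlEncode any
                // available text. Also, don't let &nbsp;'s be encoded.
                foreach (TableCell cell in e.Item.Cells)
                {
                    EncodeCell(cell);
                }
                break;

            default:
                // ListItemType.Separator and any future item types are left untouched.
                break;
        }
    }

    /// <summary>
    /// Encodes one table cell: every child control when the cell has controls,
    /// otherwise the cell's literal text (except the layout placeholder "&amp;nbsp;").
    /// </summary>
    /// <param name="cell">The cell to encode in place.</param>
    private void EncodeCell(TableCell cell)
    {
        if (cell.Controls.Count > 0)
        {
            foreach (Control ctrl in cell.Controls)
            {
                EncodeControl(ctrl);
            }
        }
        else if (cell.Text.Length > 0 && "&nbsp;" != cell.Text)
        {
            // there are no controls in the table cell: HtmlEncode any available text
            cell.Text = HttpUtility.HtmlEncode(cell.Text);
        }
    }

    /// <summary>
    /// HtmlEncodes the visible text of a HyperLink, LinkButton or Button and, for a
    /// HyperLink, drops a NavigateUrl whose scheme is not allowed. Other control types
    /// are ignored, as in the original sample.
    /// </summary>
    /// <param name="ctrl">The child control to encode in place.</param>
    private void EncodeControl(Control ctrl)
    {
        if (ctrl is HyperLink)
        {
            HyperLink link = (HyperLink)ctrl;

            if (link.Text.Length > 0)
                link.Text = HttpUtility.HtmlEncode(link.Text);

            // don't perform HtmlEncode on URL's, and don't UrlEncode the whole URL
            // either: that corrupts ':' and '/'. The href attribute value itself is
            // written by the HyperLink renderer; this check only constrains the scheme.
            if (link.NavigateUrl.Length > 0 && !IsSafeNavigateUrl(link.NavigateUrl))
                link.NavigateUrl = string.Empty;
        }
        else if (ctrl is LinkButton)
        {
            LinkButton linkButton = (LinkButton)ctrl;

            if (linkButton.Text.Length > 0)
                linkButton.Text = HttpUtility.HtmlEncode(linkButton.Text);
        }
        else if (ctrl is Button)
        {
            Button button = (Button)ctrl;

            if (button.Text.Length > 0)
                button.Text = HttpUtility.HtmlEncode(button.Text);
        }
    }

    /// <summary>
    /// Decides whether a data-bound NavigateUrl may be rendered. Accepts empty values,
    /// relative URLs (resolved against the page) and absolute http/https URLs; rejects
    /// anything else, including values that fail to parse or contain control characters
    /// (browsers strip tab/CR/LF from URLs, which could otherwise hide a scheme).
    /// Override to allow additional schemes (for example mailto) where that is wanted.
    /// </summary>
    /// <param name="url">The NavigateUrl value to check.</param>
    /// <returns>true when the URL may be rendered unchanged; false when it must be dropped.</returns>
    protected virtual bool IsSafeNavigateUrl(string url)
    {
        if (url == null || url.Length == 0)
            return true;

        foreach (char c in url)
        {
            if (c < ' ' || c == '\x7f')
                return false;
        }

        System.Uri parsed;
        if (!System.Uri.TryCreate(url.Trim(), System.UriKind.RelativeOrAbsolute, out parsed))
            return false;

        // relative references cannot carry a scheme of their own
        if (!parsed.IsAbsoluteUri)
            return true;

        // Uri canonicalises Scheme to lower case, so an ordinal compare is enough
        return parsed.Scheme == System.Uri.UriSchemeHttp
            || parsed.Scheme == System.Uri.UriSchemeHttps;
    }
}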
...

441 ?????? ? ????? 16: ????? ????????? ???? ??? ? ??????: ????? NetBIOS ? SMB
http://msdn2.microsoft.com/en-us/library/aa302432.aspx

????? "???????? ???????":

??????: ?????? ????????? ??? ????? ?? ???????. ????? ?????? ?? NetBIOS ???? ????? ???? ??????? ???????? ????? ??. ??? ???? ??????? ?????? IIS API NetUserChangePassword ???? ????? ??? NetBIOS. ??? ???? ?????????? ?????? ????? ?????? ???? IIS ??? ?? ??? ????.

???????

???? ???????: 867600 - ????? ??? ??????: 21/???? ??????/1428 - ??????: 1.4
????? ???
  • MSPRESS Improving Web Application Security: Threats and Countermeasures, ISBN 0-7356-1842-9
????? ??????: 
kbmt kbdocfix kbdocerr KB867600 KbMtar
????? ????
???: ??? ????? ??? ?????? ???????? ?????? ????? ???? ????? ?????????? ????? ?? ????????? ?????? ????. ???? ???? ?????????? ???? ?? ???????? ???????? ?????? ????????? ????? ????????? ???????? ????? ???????? ?????? ?? ?????? ??? ?? ???????? ???????? ?? ????? ??????? ?????? ??? ??????? ?????? ??. ?????? ?? ???? ??? ??????? ???????? ????? ?? ???? ????? ?????? ??? ????? ??? ????? ??????? ?? ????? ?? ?????? ??? ??? ??????? ??????? ?? ????? ????? ????? ????? ?????. ?? ????? ???? ?????????? ??????? ??? ????? ?? ??????? ?? ????? ?????? ?? ??? ????? ?? ????? ??????? ?? ???????? ?? ??? ???????. ???? ???? ?????????? ???????? ??? ????? ?????? ??????? ??????
???? ??? ????? ??????? ?????? ??????????867600

????? ???????

 
