Web page has an XSS (cross-site scripting) vulnerability

Original post by 言考:
The web page has an XSS (cross-site scripting) vulnerability. I asked the web company and got only a vague answer with the following four points:
1. Replace or filter special characters that appear in the input, such as: ’, ”, ?, *, _, %, &, ||, /, \, :, ;, <, >, (, ), etc.
2. Replace or filter special HTML tags that appear in the input, such as <script>, <iframe>, &quot;, etc.
3. Replace or filter JavaScript event attributes that appear in the input, such as onload, onclick, onfocus, onblur, onmouseover, etc.
4. Run a system vulnerability scan with a professional vulnerability scanner, and if other weaknesses are found, fix them at the same time.
The page below has the XSS cross-site scripting vulnerability. How should it be patched?

How should it be modified to close the hole? Please give me the corrected code directly. Thanks.

<!--#include file="../Connections/conn.asp" -->
<!--#include file="../Connections/function.asp" -->
<!--#include file="../sys/define/define.inc.asp" -->
<!--#include file="../sys/define/menu.inc.asp" -->
<!--#include file="../inc/get_mid2.inc.asp" -->
<%
table3="photo_album_tb"
table1="photo_album_type_tb"
type_select=false
search_input=true


' keyword comes from the request through SQLinJ() (defined in function.asp, not shown);
' only "%" is stripped here, nothing is HTML-encoded
keyword=replace(SQLinJ("keyword"),"%","")
if keyword="" or keyword="請輸入關鍵字" then
keyword_t="請輸入關鍵字"
keyword=""
else
keyword_t=keyword
table1="photo_view"
' keyword is concatenated straight into the LIKE patterns; its safety rests entirely on what SQLinJ() removed
SQL1=" and (title like '%"&keyword&"%' or title2 like '%"&keyword&"%' or content like '%"& keyword &"%') "
end if
' keyword is also appended to the query string that every href below reuses, still unencoded
act=replace(mstr,"&sid=","")&IIF(keyword<>"","&keyword="&keyword,"")

%>
<html lang="zh-TW">
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=big5">
<title><%=web_top_title%></title>
<link href="../css/scroballbar.css" rel="stylesheet" type="text/css">
<link href="../css/text.css" rel="stylesheet" type="text/css">
<script src="../js/fontSL.js" type="text/javascript"></script>
</head>
<link rel="alternate stylesheet" type="text/css" href="../css/1-003.css" title="c3">
</link>
<link rel="alternate stylesheet" type="text/css" href="../css/1-002.css" title="c2">
</link>
<link rel="stylesheet" type="text/css" href="../css/1-001.css" title="c1">
</link><body>
<table class="TH_index" height="10%" border="0" align="center" cellpadding="0" cellspacing="0" summary="排版用表格">
<tr>
<td colspan="2"><!--#include file="../include/top.asp" --></td>
</tr>
<tr>
<td class="menu_bg_style"><!--#include file="../include/menu.asp" --></td>
<td class="main_bg_style" valign="top" align="center">
<!--content start-->
<!--#include file="../include/main_top.asp" -->
<!--#include file="../menu/type.inc.asp" -->
<table width="100%" border="0" cellpadding="0" cellspacing="0" summary="排版用表格">
<tr>
<td width="2%"></td>
<td width="97%"><!--#include file="../menu/title.inc.asp" --></td>
<td width="1%" align="right"></td>
</tr>
<tr>
<td height="376" colspan="3" align="center" valign="top"><table width="95%" border="0" cellpadding="0" cellspacing="5" summary="排版用表格">
<%
if keyword<>"" then 'search
' m2 (from get_mid2.inc.asp) and options are concatenated into the SQL as well; neither is shown on this page
SQL="select sid,title,img1 from "& table1 &" where (m2_id=" &m2 &") and display='Y' "& options & SQL1 &" group by sid,title,img1 "
else
SQL="select * from "& table1 &" where (m2_id=" &m2 &") and display='Y' "& options & SQL1 &" order by unit_orderID,sid desc "
end if
'response.write SQL
rs.open SQL,conn,1,1

'==Paging=============================================================
SetPageList 6
if not rs.eof then
cc=true
for pp=1 to rs.pagesize
' nUrl_id carries the keyword (via act) and is written into href="" attributes below without HTML encoding
nUrl_id=act &"&sid="&rs(0)
A_title=trim(rs("title"))
' wordmark() (function.asp, not shown) wraps keyword matches in highlight markup; its output is written to the page as-is
A_title1=wordmark(left_chr(trim(rs("title")),12),keyword)
clk=IIF(cc,"#FFFFFF","#EFEFEF")
cc=not cc
if trim(rs("img1"))="" or isnull(rs("img1")) then
'no photo specified: fetch the album's first photo================
img1="../img2/spacer.gif"
SQLA="select top 1 img1 from " &table3 &" where sid=" &rs(0) &" order by unit_OrderID,id "
rs1.open SQLA,conn,0,1
if not rs1.eof then
img1=IIF(trim(rs1("img1"))<>"" ,http_path2 & rs1("img1"),img1)
end if
rs1.close
else
img1=http_path2 & rs("img1")
end if
'=========================================
%>
<tr>
<td width="27%" align="center"><table border="0" cellspacing="0" cellpadding="0">
<tr>
<td valign="top"><img src="../img/arr1_01.gif" alt="*" width="10" height="10"></td>
<td valign="top" background="../img/arr1_02.gif"><img src="../img/arr1_02.gif" alt="*" width="3" height="10"></td>
<td align="right" valign="top"><img src="../img/arr1_03.gif" alt="*" width="11" height="10"></td>
</tr>
<tr>
<td valign="top" background="../img/arr1_04.gif"><img src="../img/arr1_04.gif" alt="*" width="10" height="1"></td>
<td valign="top"><a href="index-1.asp?<%=nUrl_id%>"><img src="<%=img1%>" alt="<%=rs("title")%>" width="120" height="90" border="0"></a></td>
<td align="right" valign="top" background="../img/arr1_05.gif"><img src="../img/arr1_05.gif" alt="*" width="11" height="2"></td>
</tr>
<tr>
<td valign="top"><img src="../img/arr1_06.gif" alt="*" width="10" height="10"></td>
<td valign="top" background="../img/arr1_07.gif"><img src="../img/arr1_07.gif" alt="*" width="2" height="10"></td>
<td align="right" valign="top"><img src="../img/arr1_08.gif" alt="*" width="11" height="10"></td>
</tr>
</table></td>
<td width="73%" valign="top"><table border="0" cellpadding="2" cellspacing="0" class="TH_TABLE100">
<tr>
<td width="2%"><img src="../img/icon_01.gif" alt="*" width="16" height="16" align="absmiddle"></td>
<td width="98%"><a href="index-1.asp?<%=nUrl_id%>" class="T95 bold bigsmall"><%=wordmark(rs("title"),keyword)%></a></td>
</tr>
<tr>
<td> </td>
<td class="T75 bigsmall"><% if keyword="" then
Response.Write(wordmark(left_chr(stripHTML(rs("content")),50),keyword))
else
Response.Write(wordmark(left_chr(stripHTML(get_field_name("content","photo_album_type_tb","sid",rs(0))),50),keyword))
end if
%></td>
</tr>
</table></td>
</tr>
<tr align="center">
<td colspan="2"><table border="0" cellpadding="0" cellspacing="0" class="TH_TABLE100">
<tr>
<td background="../images/table-line.gif" style="background-repeat: repeat-x;"><img src="../img/spacer.gif" alt="*" width="3" height="3"></td>
</tr>
</table></td>
</tr>
<%
rs.movenext
if rs.eof then exit for end if
next
else
Response.Write("<span class='bigsmall'>目前尚無資料...</span>")
end if
%>
</table>
<table width="95%" border="0" cellspacing="0" cellpadding="1">
<tr>
<td align="center"><% Page_List page,rs.pagecount,act %></td>
</tr>
</table>
<br>
<!--#include file="../menu/gotop.asp" --></td>
</tr>
</table>
<!--content end-->
</td>
</tr>
<tr>
<td colspan="2"><!--#include file="../include/down.asp" --></td>
</tr>
</table>
</body>
</html>




Tags: asp, XSS, 補漏洞 (patching the vulnerability), 弱點掃描 (vulnerability scanning)
Posted 2018-11-14 16:31
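The vendor's points 1 to 3 describe a character blacklist, which is the fragile way to fix this: every reflection point on the page (the href query string built from act, the wordmark() output, the alt and src attributes filled from the database) needs output encoding, and the keyword needs to stay out of the SQL text altogether. The fragment below is an added example written by the editor, not code from the original post, the web company, or the site; it rewrites the keyword handling and the output points of the listing above. It assumes the page's includes still define conn, rs, mstr, options, m2, http_path2, IIF, left_chr, stripHTML and SetPageList exactly as the original page uses them; HtmlSafe and HighlightSafe are new helper names introduced here and replace wordmark() for anything written into HTML; the numeric ADO constants are the standard adInteger, adParamInput, adVarChar, adOpenKeyset, adLockReadOnly and adCmdText values.

```asp
<%
' Added example (editor's code, not the poster's, the vendor's or the
' site's): keyword handling and output points of the page above, rewritten
' so that user input is HTML-encoded on output and reaches SQL only as a
' parameter. Assumes conn, rs, mstr, options, m2, http_path2, IIF, left_chr,
' stripHTML and SetPageList come from the page's includes as before.

' HtmlSafe: encode a value before it is written into markup or an attribute
' (& "" turns a database Null into an empty string instead of an error).
Function HtmlSafe(v)
    HtmlSafe = Server.HTMLEncode(v & "")
End Function

' HighlightSafe: case-insensitive keyword highlighting that encodes each
' text segment separately, so the <span> is the only markup that reaches
' the browser and a keyword such as "amp" cannot split an entity.
Function HighlightSafe(text, kw)
    Dim s, p, out
    s = text & ""
    If kw = "" Then
        HighlightSafe = Server.HTMLEncode(s)
        Exit Function
    End If
    out = ""
    p = InStr(1, s, kw, vbTextCompare)
    Do While p > 0
        out = out & Server.HTMLEncode(Left(s, p - 1)) & _
              "<span class=""mark"">" & Server.HTMLEncode(Mid(s, p, Len(kw))) & "</span>"
        s = Mid(s, p + Len(kw))
        p = InStr(1, s, kw, vbTextCompare)
    Loop
    HighlightSafe = out & Server.HTMLEncode(s)
End Function

' 1. Read the keyword once. No character blacklist (the vendor's points 1-3):
'    the value is encoded at each output point and never enters the SQL text.
keyword = Trim(Request.QueryString("keyword") & "")
If Len(keyword) > 50 Then keyword = Left(keyword, 50)
keyword = Replace(Replace(keyword, "%", ""), "_", "")   ' LIKE wildcards: search literally

table1 = "photo_album_type_tb"
If keyword = "" Or keyword = "請輸入關鍵字" Then
    keyword_t = "請輸入關鍵字"
    keyword = ""
Else
    keyword_t = keyword          ' title.inc.asp (not shown) must write this with HtmlSafe too
    table1 = "photo_view"
End If

' 2. URL-encode the keyword when it goes back into a query string; the href
'    that carries it is HTML-encoded again where it is written out (step 4).
act = Replace(mstr, "&sid=", "") & IIF(keyword <> "", "&keyword=" & Server.URLEncode(keyword), "")

' 3. Parameterised query. m2 is assumed to be an integer (CLng raises
'    otherwise); options must be built server-side, never from user input.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = conn
cmd.CommandType = 1                                   ' adCmdText
If keyword <> "" Then
    SQL = "select sid,title,img1 from " & table1 & _
          " where m2_id = ? and display='Y' " & options & _
          " and (title like ? or title2 like ? or content like ?)" & _
          " group by sid,title,img1"
Else
    SQL = "select * from " & table1 & _
          " where m2_id = ? and display='Y' " & options & _
          " order by unit_orderID,sid desc"
End If
cmd.CommandText = SQL
cmd.Parameters.Append cmd.CreateParameter("m2", 3, 1, , CLng(m2))   ' adInteger, adParamInput
If keyword <> "" Then
    For i = 1 To 3                                    ' one parameter per LIKE
        cmd.Parameters.Append cmd.CreateParameter("kw" & i, 200, 1, 255, "%" & keyword & "%") ' adVarChar (202 for nvarchar columns)
    Next
End If
' Keyset cursor, read-only (1, 1) as on the original page, so rs.PageSize and
' SetPageList keep working; ActiveConnection is omitted when the source is a Command.
rs.Open cmd, , 1, 1
SetPageList 6
%>
<% ' 4. Output points inside the existing record loop: every attribute value is
   ' encoded, and highlighting goes through HighlightSafe instead of wordmark(). %>
<a href="index-1.asp?<%=HtmlSafe(act & "&sid=" & rs(0))%>"><img src="<%=HtmlSafe(img1)%>" alt="<%=HtmlSafe(rs("title"))%>" width="120" height="90" border="0"></a>
<a href="index-1.asp?<%=HtmlSafe(act & "&sid=" & rs(0))%>" class="T95 bold bigsmall"><%=HighlightSafe(rs("title"), keyword)%></a>
<td class="T75 bigsmall"><%=HighlightSafe(left_chr(stripHTML(rs("content")), 50), keyword)%></td>
```

Rescanning afterwards (the vendor's point 4) is worthwhile, but check by hand as well: request the page with a keyword containing a double quote and angle brackets and confirm that the response shows them as &quot; and &lt; inside the href and the highlighted text, and that the stored title and img1 values go through HtmlSafe too, since those come from the database rather than the current request.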
Reply 1, by 迷路:

This is a board for learning and discussion.
If you want to be handed the answer directly,
please go to the outsourcing section of the General area.

Replied 2018-11-16 18:20
   
1

回覆
如要回應,請先登入.