Page_Load method may leak server-side conditional values, enabling user tracking from another website

I ran into a Cross-Site History Manipulation issue when running a Checkmarx scan on my solution.

The issue I get is: Method Page_Load at line 40 of xyz\abc.aspx.cs may leak server-side conditional values, enabling user tracking from another website. This may constitute a Privacy Violation. Here is the code where I am getting the error (*):

protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        lblErrorMsg.Text = "";
        lblErrorMsg.Visible = false;

        if (!IsPostBack)
        {
            // Code to get the content page name (the part of PATH_INFO after the last '/').
            string[] strPageInfo = HttpContext.Current.Request.ServerVariables.GetValues("PATH_INFO");
            string strPage = strPageInfo[0].Substring(strPageInfo[0].LastIndexOf('/') + 1, ((strPageInfo[0].Length - strPageInfo[0].LastIndexOf("/")) - 1)).ToLower();

            msg.MessageText = "Verifying access";
            oLogger.LogInfo(msg, "Verifying access");

            // Firstly, check whether the logged-in user is authorized to view the page.
            ManageAuthorization.CheckAccess(strPage, out BoolAccess);

            if (BoolAccess)
            {
                msg.MessageText = "Authorized to perform operations";
                oLogger.LogInfo(msg, "Authorized to perform operations");
            }
            else
            {
                // Display unauthorized screen.
                msg.MessageText = "Unauthorized to perform operations";
                oLogger.LogWarning(msg, "Unauthorized to perform operations");
                RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
                var byteArray = new byte[4];
                // Note: byteArray is never filled from provider here, so randomInteger is
                // always 0 and the redirect URL is identical for every unauthorized request.
                var randomInteger = BitConverter.ToUInt32(byteArray, 0);
                // Response.Redirect with endResponse == true ends the request by throwing
                // ThreadAbortException in Web Forms; the catch block below will log it as an error.
                Response.Redirect(String.Format("../Default/Unauthorized.aspx?r={0}", randomInteger), true);
            }
        }
    }
    catch (Exception ex)
    {
        msg.MessageText = "Error while loading the page, Exception is:" + ex.Message;
        oLogger.LogMessage(LogCategory.Error, msg);
    }
}

I have not found a proper answer. How can I fix this? Could anyone please help. Thanks in advance :)

Checkmarx flags this as a vulnerability because a threat agent could compromise the browser's SOP and potentially leak user information through activity inference.

To resolve this, you need to add a random value to the redirect:

msg.MessageText = "Unauthorized to perform operations";
oLogger.LogWarning(msg, "Unauthorized to perform operations");

RNGCryptoServiceProvider provider = new RNGCryptoServiceProvider();
var byteArray = new byte[4];
// GetBytes fills byteArray from the CSPRNG; this is the call missing from the question's code.
provider.GetBytes(byteArray);
var randomInteger = BitConverter.ToUInt32(byteArray, 0);

Response.Redirect(String.Format("../Default/Unauthorized.aspx?r={0}", randomInteger), true);
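As an added example (not code from the question or the answer above) of why the posted fix matters: the question's code allocates the byte array but never calls provider.GetBytes, so BitConverter.ToUInt32 always reads zero and every unauthorized user is sent to the identical URL ../Default/Unauthorized.aspx?r=0. A page on another origin that can tell whether that exact URL is in the visitor's history (the Cross-Site History Manipulation side channel) thereby learns the server-side authorization result. Filling the array from the CSPRNG, or better, appending a 128-bit URL-safe token, makes the URL unguessable. The class and method names below are hypothetical, chosen for illustration; the console program runs stand-alone on .NET Framework or .NET Core/.NET 5+.

```csharp
using System;
using System.Security.Cryptography;

// Added example: contrasts the question's redirect (array never filled) with
// an unpredictable redirect URL. Class and method names are hypothetical.
public static class UnauthorizedRedirect
{
    // Mirrors the question's code: the byte array is allocated but
    // provider.GetBytes is never called, so all four bytes stay zero,
    // BitConverter.ToUInt32 returns 0, and the URL is the same for
    // every unauthorized request. Always returns "...?r=0".
    public static string BuildPredictable()
    {
        using (var provider = new RNGCryptoServiceProvider())
        {
            var byteArray = new byte[4];
            // Missing in the question: provider.GetBytes(byteArray);
            var randomInteger = BitConverter.ToUInt32(byteArray, 0);
            return string.Format("../Default/Unauthorized.aspx?r={0}", randomInteger);
        }
    }

    // The answer's fix: fill the array from the CSPRNG before converting it.
    // A history probe can only test one candidate URL at a time, so 2^32
    // possible values already make enumeration impractical.
    public static string BuildWithUInt32()
    {
        using (var provider = new RNGCryptoServiceProvider())
        {
            var byteArray = new byte[4];
            provider.GetBytes(byteArray);
            var randomInteger = BitConverter.ToUInt32(byteArray, 0);
            return string.Format("../Default/Unauthorized.aspx?r={0}", randomInteger);
        }
    }

    // Same idea with a 128-bit token, base64url-encoded so it needs no
    // URL escaping. RandomNumberGenerator.Create() is the non-obsolete API
    // and exists on both .NET Framework and .NET Core/.NET 5+.
    public static string BuildWithToken(string basePath)
    {
        var token = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(token);
        }
        var nonce = Convert.ToBase64String(token)
            .TrimEnd('=')
            .Replace('+', '-')
            .Replace('/', '_');
        return basePath + "?r=" + nonce;
    }

    public static void Main()
    {
        // The predictable builder yields the same URL on every call.
        Console.WriteLine(BuildPredictable());
        Console.WriteLine(BuildPredictable());
        // The fixed builders yield a fresh, unguessable URL each time.
        Console.WriteLine(BuildWithUInt32());
        Console.WriteLine(BuildWithToken("../Default/Unauthorized.aspx"));
        Console.WriteLine(BuildWithToken("../Default/Unauthorized.aspx"));
    }
}
```

Unauthorized.aspx can simply ignore the r parameter; its only job is to make the visited URL differ per request. In the original Page_Load, Response.Redirect(url, true) ends the request by throwing ThreadAbortException in Web Forms, so the surrounding catch (Exception) will also log "Thread was being aborted" as an error on every unauthorized redirect; catching and ignoring ThreadAbortException, or passing false and returning, avoids that noise.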