Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
359 views
in Technique[技术] by (71.8m points)

asp.net - How to solve/fix DOM XSS issue reported by OWASP ZAP?

I am using OWASP ZAP to scan my web-application, developed using asp.net framework/C#. I am being tasked by company to ensure NO error reported by OWASP ZAP.

The OWASP ZAP reported this log: Issue: Cross Site Scripting (DOM Based) URL:

http://[WEBSITE]/myapplication/script.aspx#jaVasCript:/*-/*`/*`/*'/*"/**/(/* */oNcliCk=alert() )//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>x3csVg/<sVg/oNloAd=alert()//>x3e

I understand that the fragment (#hex) will not be sent to server for processing, it is more for browser to process.

So what do i suppose to do to ensure it never gets reported again in OWASP ZAP? I've done following actions, but with no luck:

  1. On the page, I embedded the javascript code, to remove the hashtag in the url. (Remove fragment in URL with JavaScript w/out causing page reload). It works, and I can see it being removed on the browser. But OWASP ZAP still reporting it as problem.

  2. Similar to #1, i come out with javascript to detect whether #-fragment-url exists in URL. If exists, then redirect to "error" page. It is working, but ZAP again still report it as problem.

I guess since browser never send the # to the server for validation, i have no way to sanitize it. By the time ZAP/browser receives the response, ZAP will report it as issue.

So, what shall i do? I just want OWASP ZAP never report this issue anymore. Any ideas?

question from:https://stackoverflow.com/questions/65924298/how-to-solve-fix-dom-xss-issue-reported-by-owasp-zap

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)
Waitting for answers

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...