The characters permitted in a user name can easily be restricted to a small allowlist, such as A-Z, a-z, and 0-9. The following server-side JScript snippet shows how to construct a regular expression for that allowlist and use it to check the user name at the server:
// Determine whether user name is valid.
// Valid format is 1 to 32 alphanumeric characters.
// ^ and $ anchor the match to the whole input; no 'g' or 'm' flag is used.
var reg = /^[A-Za-z0-9]{1,32}$/;
// Coerce the Request collection item to a string before testing it.
if (reg.test(String(Request.Form("name")))) {
    // Username is valid.
} else {
    // Username is invalid.
}
Note that the expression carries no flags. The 'g' (global) flag exists for finding every match in a string and is not needed for a yes/no test; worse, a regular expression created with 'g' remembers where its last match ended in its lastIndex property, so calling test() on the same expression object more than once can return different answers for identical input. The 'm' (multiline) flag must also be avoided, because it makes ^ and $ match at the start and end of each line instead of the whole input. Without 'm', the anchors cover all of the input, so an attacker who can force the value to span several lines gains nothing: the newline is not in the permitted set, and the whole string is rejected.
Not only does this regular expression restrict the username to a small subset of characters, it also ensures that the string is between 1 and 32 characters long.
Note
- Note the use of "^" and "$" in the regular expression. They signify that every character from the start (^) to the end ($) of the input must match the expression; otherwise, the expression could match only a substring. For example, /[A-Za-z0-9]{1,32}/ matches any input that contains at least one alphanumeric character anywhere in it, so HTML tags or script such as <script>alert("hi!")</script> would pass, because the word "script" alone satisfies the pattern.
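The effect of the anchors and flags described above, as an added example in plain JavaScript (it is not code from the original page, which targets server-side JScript; the names isValidUserName, regexPitfalls and globalFlagSequence are this example's own). The anchored, flag-free expression rejects script and multi-line input; the unanchored form and the 'm' form accept it; and a 'g' expression reused with test() gives inconsistent answers for identical input.

```javascript
// Allowlist for a user name: 1 to 32 ASCII letters or digits, anchored to
// the whole input and carrying no flags.
const USER_NAME = /^[A-Za-z0-9]{1,32}$/;

// Returns true only when the entire input is a permitted user name.
function isValidUserName(name) {
  return USER_NAME.test(String(name));
}

// Weaker variants of the same pattern, kept here for comparison only.
const UNANCHORED = /[A-Za-z0-9]{1,32}/;    // matches any substring
const MULTILINE = /^[A-Za-z0-9]{1,32}$/m;  // ^ and $ match per line
const GLOBAL = /^[A-Za-z0-9]{1,32}$/g;     // keeps lastIndex between calls

// Runs one input through each non-global variant and reports what accepts it.
function regexPitfalls(input) {
  return {
    anchored: USER_NAME.test(input),
    unanchored: UNANCHORED.test(input),
    multiline: MULTILINE.test(input),
  };
}

// Calls test() three times on the same 'g' regex with the same input.
// After a successful match lastIndex points past the match, so the second
// call starts there, fails (^ cannot match mid-string) and resets lastIndex
// to 0, and the third call succeeds again.
function globalFlagSequence(input) {
  GLOBAL.lastIndex = 0;
  return [GLOBAL.test(input), GLOBAL.test(input), GLOBAL.test(input)];
}

// Constructed sample inputs (not taken from any real request).
const USER_SAMPLES = {
  good: 'alice01',
  script: '<script>alert("hi!")</script>',
  multiline: 'alice01\n<script>alert(document.cookie)</script>',
};

for (const [label, value] of Object.entries(USER_SAMPLES)) {
  console.log(label, JSON.stringify(value), regexPitfalls(value));
}
console.log('g flag, same input three times:', globalFlagSequence(USER_SAMPLES.good));
```

The multiline sample is the case the text has in mind: the anchored expression rejects it, while the 'm' variant accepts the first line and ignores the script on the second.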
Your code should apply a regular expression to all input, whether it is part of a form, an HTTP header, or a query string.
In the case of a file name passed to the Web server in the query string, the following regular expression, which describes a valid file name (it allows neither directories nor drive letters, so path separators, a colon and ".." cannot match), defeats any attempt to pass script as part of the query string:
// Determine whether filename is valid.
// Valid format is 1 to 24 alphanumeric characters
// followed by a period, and 1 to 3 alpha characters.
// Anchored to the whole input; no 'g' or 'm' flag.
var reg = /^[A-Za-z0-9]{1,24}\.[A-Za-z]{1,3}$/;
// Coerce the Request collection item to a string before testing it.
if (reg.test(String(Request.QueryString("file")))) {
    // Valid filename.
} else {
    // Invalid filename.
}
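A fuller version of the file-name check above, as an added example in plain JavaScript rather than the page's JScript (the functions checkFileName and isValidFileName, the extension list and the sample values are this example's own). It keeps the page's regular expression as the first gate and, going beyond the page, adds two checks a practitioner serving files from a Windows host would want: the extension must be in an explicit allowlist, and the base name must not be a reserved device name such as CON or NUL, which the character classes alone accept.

```javascript
// The page's pattern: 1 to 24 alphanumerics, a period, 1 to 3 letters.
// It admits no "/", "\", ":" or second period, so directories, drive
// letters and ".." traversal cannot match. Groups capture base and extension.
const FILE_NAME = /^([A-Za-z0-9]{1,24})\.([A-Za-z]{1,3})$/;

// Extensions this hypothetical application serves (an assumption for the example).
const ALLOWED_EXTENSIONS = new Set(['htm', 'txt', 'gif', 'jpg']);

// Windows reserved device names: "con.txt" or "aux.htm" name a device, not a
// file, yet match the regular expression. Added here beyond the page's check.
const RESERVED_NAMES = new Set([
  'CON', 'PRN', 'AUX', 'NUL',
  ...Array.from({ length: 9 }, (_, i) => `COM${i + 1}`),
  ...Array.from({ length: 9 }, (_, i) => `LPT${i + 1}`),
]);

// Validates a query-string value and reports the first reason it fails.
// Returns { ok: true, name } for an acceptable file name.
function checkFileName(raw) {
  const value = String(raw);
  const m = FILE_NAME.exec(value);
  if (!m) return { ok: false, reason: 'pattern' };
  const [, base, ext] = m;
  if (!ALLOWED_EXTENSIONS.has(ext.toLowerCase())) return { ok: false, reason: 'extension' };
  if (RESERVED_NAMES.has(base.toUpperCase())) return { ok: false, reason: 'reserved' };
  return { ok: true, name: value };
}

function isValidFileName(raw) {
  return checkFileName(raw).ok;
}

// Constructed query-string values (not captured from any real server).
const FILE_SAMPLES = [
  'index.htm',
  '../../boot.ini',
  'readme.txt<script>alert(document.domain)</script>',
  'C:autoexec.bat',
  'page.asp',
  'con.txt',
];

for (const sample of FILE_SAMPLES) {
  console.log(JSON.stringify(sample), checkFileName(sample));
}
```

The order of the checks matters only for the reason reported: the regular expression runs first so that the later lookups only ever see a base name and extension drawn from the permitted character set.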
A common mistake made by many Web developers is to allow "safe" HTML constructs, for example letting a user submit <IMG> or <TABLE> tags to the Web application while stripping every other tag, so that the user can send only those tags and plain text. Do not do this. A cross-site scripting danger still exists, because the attacker can embed script in the attributes of these tags.
Following are some examples:
<img src=javascript:alert(document.domain)>
<link rel=stylesheet href="javascript:alert(document.domain)">
<input type=image src=javascript:alert(document.domain)>
<bgsound src=javascript:alert(document.domain)>
<iframe src="javascript:alert(document.domain)">
<frameset onload=vbscript:msgbox(document.cookie)></frameset>
<table background="javascript:alert(document.domain)"></table>
<object type=text/html data="javascript:alert(document.domain);"></object>
<body onload="javascript:alert(document.cookie)"></body>
<body background="javascript:alert(document.cookie)"></body>
<p style=left:expression(alert(document.cookie))>
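To show why a tag allowlist does not stop the payloads listed above, here is an added JavaScript example (not from the original page; the functions allowSafeTags, htmlEncode, containsActiveContent and compare are this example's own). allowSafeTags is the kind of filter the paragraph warns against: it strips every tag except a "safe" set and so passes the <img>, <table> and <p> payloads through untouched, attributes and all. htmlEncode is the alternative the page's advice implies: treat all user input as text. containsActiveContent is only a crude scoring aid for the comparison, not a filter to rely on.

```javascript
// A "safe tag" filter of the kind the text warns against: any tag whose name
// is in SAFE_TAGS survives with all its attributes; every other tag is
// removed. Attribute values are never inspected.
const SAFE_TAGS = new Set(['b', 'i', 'p', 'img', 'table', 'tr', 'td']);
const TAG = /<\/?([A-Za-z][A-Za-z0-9]*)\b[^>]*>/g;

function allowSafeTags(html) {
  return String(html).replace(TAG, (tag, name) =>
    SAFE_TAGS.has(name.toLowerCase()) ? tag : '');
}

// Treat user input as text: encode the characters that have meaning in HTML
// so that no tag or attribute can be formed from it.
function htmlEncode(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Crude detector used only to score the two treatments: is there still a tag
// carrying a javascript:/vbscript: URL, an on* event handler or expression()?
function containsActiveContent(html) {
  return /<[^>]*(?:javascript:|vbscript:|\bon[a-z]+\s*=|expression\s*\()/i.test(html);
}

// A few of the page's payloads, used here as constructed sample input.
const PAYLOADS = [
  '<img src=javascript:alert(document.domain)>',
  '<table background="javascript:alert(document.domain)"></table>',
  '<p style=left:expression(alert(document.cookie))>',
  '<body onload="javascript:alert(document.cookie)"></body>',
  '<script>alert("hi!")</script>',
];

// Returns, per payload, whether active content survives each treatment.
function compare(payloads) {
  return payloads.map((p) => ({
    payload: p,
    afterAllowlist: containsActiveContent(allowSafeTags(p)),
    afterEncoding: containsActiveContent(htmlEncode(p)),
  }));
}

for (const row of compare(PAYLOADS)) console.log(row);
```

The allowlist does remove <script> and <body>, which is exactly what makes it look safe in a quick test; the img, table and p payloads, whose script lives in attribute values, come out unchanged. Encoding leaves nothing a browser will treat as markup.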
Copyright © 2005 Microsoft Corporation.
All rights reserved.