Recently the school ran a security grade assessment, and I was told that a site I wrote has an IFRAME injection vulnerability; the page in question is the error page. I then used Netsparker to scan my website and found that the error page does have the flaw. When I wrote the site, in order to easily see what the current program's error was, I wrote an error page; the code is as follows:

    if (!IsPostBack)
    {
        // Writes the stored error text straight into the page as HTML: nothing is encoded,
        // so any markup contained in Application["Error"] is rendered by the browser.
        div_error.InnerHtml = Application["Error"].ToString() + "<br/>"
            + "<a target='_top' href='login.aspx'>Return home</a>";
    }
And the following is written in Global.asax:

    void Application_Error(object sender, EventArgs e)
    {
        // Code to run when an unhandled error occurs.
        // Earlier logging-based version, left commented out in the original:
        // Exception ex = Server.GetLastError();
        // Server.ClearError();
        // try
        // {
        //     Its.Common.LogBase.WriteException(ex, Request);
        // }
        // catch { }
        // finally
        // {
        //     // may cause ASP.NET Ajax UpdatePanel control exceptions
        //     Response.Redirect("~/error.aspx");
        // }

        // Current version: store the request URL and exception message for error.aspx to display.
        Exception objErr = Server.GetLastError().GetBaseException();
        string error = "<br/><br/><span style='color:red'>Occurrence exception page:</span>"
            + Request.Url.ToString() + "<br/><br/>";
        error += "<span style='color:red'>Exception information:</span>" + objErr.Message + "<br/><br/>";
        Server.ClearError();
        Application["Error"] = error;   // Application state is shared by every user of the site
        Response.Redirect("error.aspx");
    }
Note: written this way, if someone mounts an IFRAME injection attack, Application["Error"] will hold the content of that injected IFRAME. If something indecent ends up there, you will be laughed at. A reminder to everyone: for the error page, output a custom message directly and do not throw the system exception information out. This is Microsoft's loophole.
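The root cause visible in the two snippets above is that attacker-influenced text (Request.Url and the exception message) is stored unencoded and then written to div_error.InnerHtml as raw HTML; on top of that, Application state is shared by every visitor, so whatever one request stores is shown to whoever loads error.aspx next. The following hardened Global.asax / error.aspx pair is an added example, not the original post's code: it keeps the full details in the server-side log only, hands the error page nothing but a generated incident id, validates that id, and HTML-encodes everything that reaches InnerHtml. It assumes div_error is a runat="server" HtmlGenericControl on error.aspx, and uses System.Diagnostics.Trace as a placeholder for whatever logging call the site actually has.

```csharp
// ---- Global.asax.cs (hardened variant; added example, not the post's code) ----
using System;
using System.Web;

public class Global : HttpApplication
{
    void Application_Error(object sender, EventArgs e)
    {
        Exception err = Server.GetLastError();
        if (err == null) return;
        Exception baseErr = err.GetBaseException();

        // A per-incident id lets the operator find the log entry without the
        // error page ever echoing request data back to the browser.
        string incidentId = Guid.NewGuid().ToString("N");

        // Full details (URL, message, stack) go to the server-side log only.
        // Placeholder logging call: replace with the site's own logger.
        System.Diagnostics.Trace.TraceError(
            "[{0}] unhandled error at {1}: {2}", incidentId, Request.RawUrl, baseErr);

        Server.ClearError();

        // Nothing is put into Application state: it is shared by all users,
        // so one visitor's error (or injected payload) would be shown to the next.
        Response.Redirect("~/error.aspx?id=" + incidentId, false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// ---- error.aspx.cs (hardened variant; assumes <div id="div_error" runat="server"/>) ----
using System;
using System.Web;
using System.Web.UI;

public partial class ErrorPage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;

        // Accept only a well-formed 32-hex-digit id; anything else is dropped, never echoed.
        string rawId = Request.QueryString["id"] ?? string.Empty;
        Guid parsed;
        string safeId = Guid.TryParseExact(rawId, "N", out parsed)
            ? parsed.ToString("N")
            : "unknown";

        // Fixed, custom message instead of the exception text, and HtmlEncode on the
        // one dynamic value even though it is already constrained to hex digits.
        div_error.InnerHtml =
            "An error occurred while processing your request. Reference: "
            + HttpUtility.HtmlEncode(safeId)
            + "<br/><a target=\"_top\" href=\"login.aspx\">Return home</a>";
    }
}
```

If the exception message really must be shown (for example on a development box), the minimal change to the original code is to wrap each dynamic piece in Server.HtmlEncode(...) before concatenating it, and to use Response.Redirect with endResponse set to false followed by CompleteRequest() rather than the plain Redirect, which throws ThreadAbortException inside the error handler.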
An IFRAME injection vulnerability, also Microsoft's Application["Error"] vulnerability