
File upload XSS

Time: 2021-03-04 13:34:27      Reads: 0      Comments: 0      Favorites: 0

Tags: was   ESS   web app   load   php   types   ica   dia   cut


Description

This script is possibly vulnerable to XSS (Cross-site scripting). The web application allows file upload, and Acunetix was able to upload a file containing HTML content. When HTML files are accepted and served back to users, an XSS payload can be embedded in the uploaded file and executed in the browser of anyone who opens it. Check Attack details for more information about this attack.

Remediation

Restrict the file types accepted for upload: check the file extension and only allow certain files to be uploaded. Use a whitelist approach instead of a blacklist. Check for double extensions such as .php.png. Check for files without a filename, such as .htaccess (on ASP.NET, also check for configuration files such as web.config). Change the permissions on the upload folder so that the files within it are not executable. If possible, rename uploaded files so that the client does not control the stored name.
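The remediation steps above, combined into one server-side validation routine as an added example (not code from Acunetix or the original post). It assumes an image-only allowlist with constructed magic-byte signatures; folder permissions and web-server configuration are outside what this snippet can show.

```python
import os
import secrets
from typing import Tuple

# Constructed allowlist (assumption): permitted extensions and the leading
# bytes a genuine file of that type must start with. Extension alone is not
# enough, because an HTML body renamed to .png would otherwise pass.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Server configuration files that must never be written into the upload folder.
BLOCKED_NAMES = {".htaccess", "web.config"}


def validate_upload(filename: str, content: bytes) -> Tuple[bool, str]:
    """Return (accepted, reason) for a candidate upload.

    Applies the checks in order: strip any path component, reject dotfiles
    and config names, reject missing or double extensions, require an
    allowlisted extension, and require content matching that extension.
    """
    # Keep only the final path segment so "../x.png" cannot escape the folder.
    name = os.path.basename(filename.replace("\\", "/"))
    if not name or name.startswith(".") or name.lower() in BLOCKED_NAMES:
        return False, "dotfile or configuration filename"
    parts = name.lower().split(".")
    # Exactly one dot with a non-empty stem: "shell.php.png" and "noext" fail.
    # This is deliberately strict; "my.photo.png" is also rejected.
    if len(parts) != 2 or not parts[0]:
        return False, "missing or double extension"
    ext = parts[1]
    if ext not in ALLOWED_SIGNATURES:
        return False, "extension not in allowlist"
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        return False, "content does not match declared type"
    return True, "ok"


def stored_name(ext: str) -> str:
    """Server-chosen random filename; the client never controls the stored path."""
    return f"{secrets.token_hex(16)}.{ext}"
```

Serving the upload folder with a non-HTML Content-Type and no script execution is still required; this routine only decides what is written there.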


Original article: https://www.cnblogs.com/chucklu/p/14479212.html
