ASP.NET 网站过滤 XSS 攻击的方法:1、在 web.config 增加 httpModules 节点;2、编写一个 IHttpModule 过滤器,过滤危险关键词,并增加安全的 header。注意:下面这种基于正则黑名单的请求过滤只能作为纵深防御的一层,不能替代页面输出编码和参数化 SQL,并且对普通文本(如含有 new、var、location 等英文单词的输入)会产生误拦截。
具体内容如下:
1、在web.config增加httpModules节点
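<!--
  Registers the interceptor for the classic (ISAPI) ASP.NET pipeline.
  Under IIS 7+ in integrated pipeline mode this section is not used (IIS raises
  error 500.23 unless validateIntegratedModeConfiguration="false" is set);
  register the same module under <system.webServer>/<modules> there, otherwise
  the filter silently never runs.
-->
<httpModules>
  <add name="HttpAccessInterceptModule" type="Org.Core.Commons.HttpAccessInterceptModule,Org.Core.Commons" />
</httpModules>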
2、再编写一个过滤器
usingSystem;usingSystem.Collections.Generic;
usingSystem.Configuration;
usingSystem.Linq;
usingSystem.Text.RegularExpressions;
usingSystem.Web;namespaceOrg.Core.Commons
{
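/// <summary>
/// HTTP access interceptor module.
/// 1. Rejects requests whose path hits a protected directory or whose parameter names /
///    values match a blocklist of XSS and SQL-injection patterns.
/// 2. Adds security response headers.
///
/// NOTE(review): this is a regex blocklist, not an output encoder. It reduces exposure but
/// cannot see encodings it does not normalise, so pages must still HTML-encode output and
/// use parameterised SQL. Word-boundary keywords such as "new", "var", "window" and
/// "location" will also produce false positives on natural-language input.
/// </summary>
public class HttpAccessInterceptModule : IHttpModule
{
    // Upper bound for a single regex evaluation. The rules below use backtracking quantifiers
    // against attacker-controlled text, so a timeout keeps a pathological input from pinning a
    // worker thread. A timeout is treated as a match (the request is rejected).
    private static readonly TimeSpan s_matchTimeout = TimeSpan.FromMilliseconds(200);

    // Substrings that the original version exempted from filtering. They are now removed from
    // the value before matching instead of skipping every check, because a whole-value
    // exemption let any payload through simply by containing the word "image".
    private static readonly string[] s_benignTokens = { "jquery.alert", "image" };

    // Compiled blocklist rules, in evaluation order. Built once in the static constructor.
    private static readonly List<Regex> s_rules;

    static HttpAccessInterceptModule()
    {
        // Patterns are unchanged from the original. NOTE(review): the trailing "'" on the first
        // two patterns looks accidental (a bare "<b>" is not matched by them; "<script" is only
        // caught by the "<\s*script\b" alternative in the third pattern) — confirm the intent.
        string[] patterns =
        {
            @"<[^>]+>'",
            @"</[^>]+>'",
            @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt|window|location|eval|console|debugger|new|Function|var|let)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"
        };

        // The original also carried an (empty) plain keyword list that was wrapped as
        // (^|(\W+))word((\W+)|$); with no keywords it contributed nothing and was dropped.
        s_rules = patterns
            .Select(p => new Regex(p, RegexOptions.IgnoreCase | RegexOptions.Compiled, s_matchTimeout))
            .ToList();
    }

    public void Dispose()
    {
        // Nothing to release: the module only holds immutable static state.
    }

    /// <summary>Hooks the filter into the request pipeline.</summary>
    public void Init(HttpApplication context)
    {
        context.BeginRequest += Context_BeginRequest;
        context.EndRequest += Context_EndRequest;
    }

    /// <summary>
    /// Runs the filter before the handler executes. A rejected request is answered here with
    /// HTTP 403 and never reaches the page.
    /// </summary>
    private void Context_BeginRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        try
        {
            if (IgnoreRequest(app.Request.CurrentExecutionFilePath))
                return;
            RequestFiller(app.Request);
            AddHeader(app.Response);
        }
        catch (Exception ex)
        {
            // PSBaseException is the deliberate rejection raised by RequestFiller; anything
            // else is a genuine failure and is logged. (The file uses both PSLog4net and
            // Log4net — presumably two project loggers; confirm.)
            bool rejected = ex is PSBaseException;
            if (!rejected)
                PSLog4net.Error(this, ex);

            // Only the rejection message is echoed. Unexpected exceptions used to be written
            // verbatim to the client, which leaks internal details. The status is 403 so that
            // clients, proxies and log analysis do not see a blocked request as a 200 success;
            // TrySkipIisCustomErrors keeps IIS from replacing the body with its own error page.
            app.Response.StatusCode = 403;
            app.Response.TrySkipIisCustomErrors = true;
            app.Response.Write(rejected ? ex.Message : "请求处理失败.");
            app.Response.Flush();
            // Terminates the request (System.Web implements this with a ThreadAbortException,
            // so nothing after this line executes).
            app.Response.End();
        }
    }

    private void Context_EndRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        SetContentType(app);
    }

    /// <summary>
    /// Rejects the request when its path hits a protected directory or when any parameter
    /// name or value matches one of the blocklist rules.
    /// </summary>
    /// <exception cref="PSBaseException">
    /// Thrown when the request is rejected. The message is generic; the offending
    /// key, value and rule go to the log only.
    /// </exception>
    private void RequestFiller(HttpRequest request)
    {
        string error = FindPathViolation(request.Path);

        if (string.IsNullOrEmpty(error))
        {
            // NOTE(review): Params merges QueryString, Form, Cookies and ServerVariables, so
            // server variables such as HTTP_USER_AGENT are scanned too (a source of false
            // positives). Non-form request bodies (JSON/XML) are not inspected at all.
            foreach (string key in request.Params.AllKeys)
            {
                if (key == "aspxerrorpath")
                    continue;
                error = FindParameterViolation(key, request.Params[key]);
                if (!string.IsNullOrEmpty(error))
                    break;
            }
        }

        if (!string.IsNullOrEmpty(error))
        {
            Log4net.Error(this, error);
            throw new PSBaseException("存在访问风险,请求无法通过系统校验规则.");
        }
    }

    /// <summary>
    /// Blocks direct access to the /log/ and /bak/ directories. Returns the error text, or
    /// null when the path is allowed.
    /// NOTE(review): defence in depth only — the same directories should also be hidden at the
    /// IIS level (request filtering / hidden segments), since any request this module does not
    /// see (e.g. handled by a different pipeline) bypasses the check.
    /// </summary>
    private static string FindPathViolation(string path)
    {
        if (string.IsNullOrEmpty(path))
            return null;

        // Virtual paths are not linguistic text; ordinal comparison is correct and cheaper.
        if (path.IndexOf("/log/", StringComparison.OrdinalIgnoreCase) >= 0)
            return "不允许访问/log/目录";
        if (path.IndexOf("/bak/", StringComparison.OrdinalIgnoreCase) >= 0)
            return "不允许访问/bak/目录";
        return null;
    }

    /// <summary>
    /// Returns the error text for the first rule that the parameter name or value matches,
    /// or null when both are clean. The name is always checked; the value is checked after the
    /// known-benign tokens are blanked out.
    /// </summary>
    internal static string FindParameterViolation(string key, string value)
    {
        if (!string.IsNullOrEmpty(key))
        {
            Regex hit = FirstMatchingRule(key);
            if (hit != null)
                return $"存在访问风险,参数[{key}={value}]无法通过“{hit}”校验.";
        }

        if (!string.IsNullOrEmpty(value))
        {
            // Replace with a space rather than an empty string so that stripping a token cannot
            // glue two harmless fragments into a keyword.
            string scanned = value;
            foreach (string token in s_benignTokens)
                scanned = scanned.Replace(token, " ");

            Regex hit = FirstMatchingRule(scanned);
            if (hit != null)
                return $"存在访问风险,参数[{key}={value}]无法通过“{hit}”校验.";
        }

        return null;
    }

    /// <summary>
    /// Returns the first rule matching the text, or null. A regex timeout is reported as a
    /// match of the rule that timed out, so slow input is rejected rather than waved through.
    /// </summary>
    private static Regex FirstMatchingRule(string text)
    {
        foreach (Regex rule in s_rules)
        {
            try
            {
                if (rule.IsMatch(text))
                    return rule;
            }
            catch (RegexMatchTimeoutException)
            {
                return rule;
            }
        }
        return null;
    }

    /// <summary>
    /// Adds the security response headers. The original stub was empty although the module
    /// documents this as its second job.
    /// </summary>
    private void AddHeader(HttpResponse response)
    {
        // Stops browsers from MIME-sniffing a response into a script or stylesheet.
        response.AddHeader("X-Content-Type-Options", "nosniff");
        // Clickjacking protection. Relax this (or use a CSP frame-ancestors list) if pages of
        // this site are legitimately embedded by another origin.
        response.AddHeader("X-Frame-Options", "SAMEORIGIN");
    }

    /// <summary>
    /// Forces image/png for .png requests and falls back to text/plain (UTF-8) when no
    /// content type was set, so the rejection message above is never served untyped.
    /// </summary>
    private void SetContentType(HttpApplication app)
    {
        string absolutePath = app.Request.Url.AbsolutePath;
        if (absolutePath.EndsWith(".png", StringComparison.OrdinalIgnoreCase))
            app.Response.ContentType = "image/png";
        if (string.IsNullOrEmpty(app.Response.ContentType))
            app.Response.ContentType = "text/plain;charset=utf-8";
    }

    /// <summary>
    /// Requests for these handler/service extensions bypass the filter entirely.
    /// NOTE(review): ".assx" is not a standard ASP.NET extension — ".ashx" was probably
    /// intended; confirm. Note also that .asmx web services receive no parameter filtering.
    /// </summary>
    private bool IgnoreRequest(string requestPath)
    {
        if (string.IsNullOrEmpty(requestPath))
            return false;

        return requestPath.EndsWith(".assx", StringComparison.OrdinalIgnoreCase)
            || requestPath.EndsWith(".sjs", StringComparison.OrdinalIgnoreCase)
            || requestPath.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase);
    }
}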
}