A few "do not trust" tips for application development: script-attack related skills

Source: Internet
Author: User
Tags: script tag
The examples on this page all involve script-based attacks; readers with a little time may click through and try them.

1. Do not trust Request.QueryString:

I believe this problem was more serious in the ASP era. If you do not believe it, go and find a few ASP corporate sites, locate a URL of the form "view.asp?id=xxx" and change it to "view.asp?id=xxx or 1=1"; I believe you will see something different. In .NET it should be rare, but recently I saw someone say that csdn had been broken into this way. The simple fix is to validate or convert the data type at the point where the value is read, so that only a real integer ever reaches the query. For example:
int viewId = 0;
if (int.TryParse(Request.QueryString["id"], out viewId)) {
    // ... viewId is now an integer; pass it to the query as a parameter, never by string concatenation
}
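To show what the "or 1=1" trick does to a concatenated query and what the int.TryParse-style check rejects, here is an added example in JavaScript (Node); it is not code from the original post. The function names, the table name and the @Id placeholder are this example's own assumptions; no database is needed to run it.

```javascript
// Added example: the "view.asp?id=xxx or 1=1" problem and the strict-integer fix.
// Nothing here is from the original post; names are this example's own.

// The vulnerable pattern: the raw query-string value is pasted into the SQL text.
function buildQueryUnsafe(rawId) {
  return "SELECT * FROM Articles WHERE Id = " + rawId;
}

// JavaScript counterpart of int.TryParse: optional surrounding whitespace,
// optional sign, decimal digits only, within the signed 32-bit range.
// Returns the number, or null on any failure (including a missing value).
function tryParseInt32(raw) {
  if (typeof raw !== "string") return null;
  if (!/^\s*[+-]?\d+\s*$/.test(raw)) return null;
  const n = Number(raw.trim());
  if (n < -2147483648 || n > 2147483647) return null;
  return n;
}

// Handler for /view?id=...: reject anything that is not an integer before it
// gets anywhere near SQL, and send the value that is as a parameter.
function handleView(queryString) {
  const params = new URLSearchParams(queryString);
  const id = tryParseInt32(params.get("id"));
  if (id === null) {
    return { status: 400, sql: null, params: null };
  }
  // "@Id" stands in for a SqlParameter / prepared-statement placeholder:
  // the value travels separately from the SQL text and is never parsed as SQL.
  return { status: 200, sql: "SELECT * FROM Articles WHERE Id = @Id", params: { Id: id } };
}

// Constructed demo input, the page's "xxx or 1=1" with xxx = 5.
const payload = "5 or 1=1";
console.log(buildQueryUnsafe(payload));                          // ... WHERE Id = 5 or 1=1
console.log(handleView("id=" + encodeURIComponent(payload)));    // status 400
console.log(handleView("id=5"));                                  // status 200, params { Id: 5 }
```

The regex is deliberately stricter than Number(): "1e3", "0x1F", "" and "5 or 1=1" are all rejected, while " 42 " and "-7" are accepted, which matches what int.TryParse accepts.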
2. Do not trust maxlength:
Sometimes we want the client to enter a value no longer than a certain length, and at that point we may use the input's maxlength attribute. But does maxlength guarantee 100% that the length of the value will not exceed it?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Ignoring maxlength</title>
</head>
<body>
<input type="text" maxlength="4" />
Normally you can only type 4 characters into the input box above, but is the data the user posts to us necessarily 4 characters or fewer? Copy the following code into the address bar and press Enter:
<textarea>javascript:alert(window.c=function(){document.getElementsByTagName("input")[0].value="Do you see whether I am 4 characters long?"}())</textarea>
</body>
</html>

Obviously, maxlength is not to be trusted. The simple solution is to verify the length of the data in the back-end code:
string userName = Request.QueryString["UserName"];
if (!string.IsNullOrEmpty(userName) && userName.Length > x) {   // x: the maximum length you allow
    // ... report an error, or truncate the data
}
3. Do not trust hidden:
Sometimes we want to stash some information in the front-end page and have it sent back, but we do not want the customer to see it, so we put the data into a hidden input. When the customer submits the data, is the hidden content really what we put there?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Changing a hidden value</title>
<script language="javascript" type="text/javascript">
function showValue() {
  alert("Hidden value is: " + document.getElementById("type").value);
}
</script>
</head>
<body>
<input type="hidden" id="type" name="type" value="robot!" />
Username: <input type="text" id="UserName" name="UserName" />
<input type="submit" value="Submit" />
<input type="button" onclick="showValue();" value="View hidden" />
Please click "View hidden" to see the original value. Normally the value of "type" that the client submits to you should be "robot!", but copy the following code into the address bar, press Enter, and then click "View hidden" again:
<textarea>javascript:alert(window.c=function(){document.getElementById("type").value="I am not robot!"}())</textarea>
</body>
</html>

For this I have not thought of a good verification method; for now there is no particular requirement that it must be validated. The safe habit is to treat a hidden field exactly like a visible one: the server keeps its own copy of anything that matters (in the session, or re-derived from the database) and checks whatever comes back against it.
4. Do not trust client-side validation:

Take problems 2 and 3 as examples: some friends may feel "can't I just add validation on the client?". But client-side validation is also unsafe. First, if the client disables scripting, client-side validation is completely ineffective; and when scripting is enabled, the validation script itself can be tampered with.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Overriding submit validation</title>
<script language="javascript" type="text/javascript">
function validateForm() {
  if (document.getElementById("UserName").value == "") {
    alert("User name cannot be empty!");
    return false;
  }
  return true;
}
</script>
</head>
<body>
<form action="" method="post" onsubmit="return validateForm();">
<input type="text" id="UserName" name="UserName" />
<input type="submit" value="Submit" />
</form>
Normally, clicking Submit checks that the user name is not empty and prompts if it is, but copy the following code into the address bar, press Enter, and then click Submit again:
<textarea>javascript:alert(window.c=function(){document.getElementsByTagName("form")[0].onsubmit=function(){alert("I am not validating the data!");return true;}}())</textarea>
</body>
</html>

In the past, QQ Zone's yellow-diamond (paid) templates could be used for free by exactly this method; I don't know whether that is still the case. There is no good solution to this other than validating again on the back end.
5. Do not trust the editor:

Sometimes you may want to use a simple editor in your project, so we find some editor, strip out the features we don't want (such as editing the source, inserting pictures, and so on), and turn it into a simple editor. Will this editor have any problems?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Untitled document</title>
<script language="javascript" type="text/javascript">
window.onload = function () {
  document.getElementById("sampleEditor").contentWindow.document.designMode = "on";
};
</script>
</head>
<body>
A real editor would have bold, italic and similar features; I will not implement those here, and just take the bare iframe as an example.
<iframe frameborder="1" id="sampleEditor"></iframe>
This simple editor has no "view source" function, so can the customer really not change what is inside it? Copy the following code into the address bar and press Enter:
<textarea>javascript:alert(window.c=function(){document.getElementById("sampleEditor").contentWindow.document.body.innerHTML=''}())</textarea>
(The HTML that the original assigned inside the quotes is missing from the page.)
<span>What if the user inserts a script tag inside and submits it to you?</span>
<span>In fact there is a simpler way: copy content directly from another page, then come back to the editor and paste, and everything comes along with it.</span>
</body>
</html>

There is no good solution for the time being; code that filters out the script tag can be found, but it does not seem to be perfect. A filter that only removes <script> misses event-handler attributes such as onerror, javascript: URLs, and tags that re-assemble after one pass, so the output of any editor has to be treated as untrusted HTML: either escape it completely, or re-allow only a small allowlist of harmless tags.
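To show concretely why a "strip the script tag" filter is not perfect, and what a simple editor that only needs a few formatting tags can do instead, here is an added example in JavaScript (Node); it is not the filter code the post refers to, and the function names, the allowed-tag list and the payload strings are this example's own constructions.

```javascript
// Added example: a naive <script> filter, inputs that survive it, and an
// allowlist approach that cannot let attributes or unknown tags through.
// Nothing here is from the original post.

// A typical "remove the script tag" filter of the kind the post mentions.
function naiveStripScript(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/g, "");
}

// Constructed payloads that the naive filter leaves intact or re-creates.
const BYPASSES = [
  '<img src=x onerror="alert(1)">',              // no script tag at all
  '<svg onload=alert(1)>',                        // same, different element
  '<a href="javascript:alert(1)">x</a>',          // javascript: URL
  '<ScRiPt>alert(1)</ScRiPt>',                    // case variation
  '<script src=//evil.example/x.js>',             // no closing tag, regex needs one
  '<scr<script></script>ipt>alert(1)</script>',   // inner tag removed, outer one re-assembles
];

// Escape everything: the safe default when no HTML is needed at all.
function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// Allowlist by exact match: escape everything, then restore only the literal,
// attribute-free tags the simple editor is allowed to produce. Because the
// "&" in user text is escaped first, a user typing "&lt;b&gt;" literally
// cannot smuggle a tag in, and no attribute can ever be restored.
const ALLOWED_TAGS = ["<b>", "</b>", "<i>", "</i>", "<u>", "</u>", "<br>", "<br />"];
function sanitizeSimpleEditor(html) {
  let out = escapeHtml(html);
  for (const tag of ALLOWED_TAGS) {
    out = out.split(escapeHtml(tag)).join(tag);
  }
  return out;
}

for (const p of BYPASSES) {
  console.log("naive filter  :", naiveStripScript(p));
  console.log("allowlist     :", sanitizeSimpleEditor(p));
}
console.log(sanitizeSimpleEditor("<b>bold</b> and <i>italic</i> stay"));
```

This only covers what the server stores; when the text is rendered again it still has to be placed in HTML body context, not inside an attribute or a script block, for the escaping to mean what it means here.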
6. Do not trust cookies:
A web site will inevitably use cookies, but if you are not careful, watch out that your cookie becomes someone else's "cookie":
Http://img.jb51.net/online/demo0415/Cookie.asp
The JS methods for reading and writing cookies were found on the Internet; I can no longer find the specific link. The solution seems to be cookie encryption (and even with encryption, try not to put sensitive data into the cookie); I don't know whether other experts have better ideas. Note that encryption alone only hides the value; what the server really needs is to detect that a value it issued has been replaced or edited.
7. Do not trust Request.UrlReferrer:
If a friend uses this to verify requests, please note that it is not to be believed. See the code:
System.Net.HttpWebRequest request = System.Net.WebRequest.Create("http://www.jb51.net/") as System.Net.HttpWebRequest;
request.Referer = "http://www.jb51.net/";
...
The UrlReferrer you get at this point will be http://www.jb51.net/, but the request is forged. Referer is just another header the client chooses to send (and many browsers and proxies strip it), so it can never serve as proof of where a request came from.
8. Do not trust users:
The user is your potential threat; never be credulous about anything that comes from the client.
In addition, the contents of a select tag are not trustworthy either. You can try it: build any page, put a select on it, and then run the following:

javascript:alert(window.c=function(){var s=document.getElementsByTagName("select")[0];for(var x=0;x<10;x++){s.options[x]=new Option("option"+x,x)}}());
(The loop bound of 10 is an assumption; the original's bound is garbled on this page.)
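Sections 2, 3, 4 and 8 all arrive at the same answer: whatever maxlength, a hidden input, an onsubmit handler or the rendered select options did in the browser, the server checks every field again. The following is an added example in JavaScript (Node) of that check applied to one posted form; it is not code from the original post. The field names UserName and type and the value "robot!" come from the post's demo pages; the "plan" select, the length limit of 4 and the allowed values are this example's assumptions.

```javascript
// Added example: server-side validation of a posted form that ignores what
// the browser claimed to enforce. Nothing here is from the original post.

// What the server decided when it rendered the form. It keeps these rules
// itself and does not believe the browser's copy of any of them.
const FORM_RULES = {
  UserName: { required: true, maxLength: 4 },       // the maxlength="4" input (section 2)
  type:     { allowed: ["robot!"] },                // the hidden field's real value (section 3)
  plan:     { allowed: ["free", "basic", "pro"] },  // the <select> options we rendered (section 8)
};

// Parse an application/x-www-form-urlencoded body. Everything arrives as a
// string, and a client can repeat a field, so only the first value is used.
function parseFormBody(body) {
  const params = new URLSearchParams(body);
  const out = {};
  for (const [k, v] of params) if (!(k in out)) out[k] = v;
  return out;
}

// Returns { ok: true, values } or { ok: false, errors }. Runs on every
// request, including ones built with curl or with onsubmit replaced (section 4).
function validateForm(fields, rules = FORM_RULES) {
  const errors = [];
  const values = {};
  for (const [name, rule] of Object.entries(rules)) {
    const raw = fields[name];
    const value = typeof raw === "string" ? raw.trim() : "";
    if (rule.required && value === "") {
      errors.push(name + " is required");
      continue;
    }
    // [...value].length counts code points; string.length would count UTF-16 units.
    if (rule.maxLength !== undefined && [...value].length > rule.maxLength) {
      errors.push(name + " exceeds " + rule.maxLength + " characters");
      continue;
    }
    if (rule.allowed && !rule.allowed.includes(value)) {
      errors.push(name + " has an unexpected value");
      continue;
    }
    values[name] = value;
  }
  // Fields the form never defined are dropped rather than stored blindly.
  return errors.length ? { ok: false, errors } : { ok: true, values };
}

// Constructed request bodies: one honest submission and the tampered ones
// the bookmarklets above produce.
console.log(validateForm(parseFormBody("UserName=bob&type=robot!&plan=basic")));
console.log(validateForm(parseFormBody("UserName=much+too+long&type=robot!&plan=basic")));
console.log(validateForm(parseFormBody("UserName=&type=robot!&plan=basic")));
console.log(validateForm(parseFormBody("UserName=bob&type=I+am+not+robot!&plan=basic")));
console.log(validateForm(parseFormBody("UserName=bob&type=robot!&plan=option9")));
```

The hidden "type" field is handled by the same allowlist as the select: if the server already knows the only acceptable values, a field is only useful for choosing among them, never for carrying a decision the server should make itself.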

Experts are welcome to generously enlighten me. Sample code download.
