Black Hat seo mainly refers to the adoption of "not ethical" (temporarily so to describe it!) In the way of search engine optimization.
1. Injection attacks, including SQL injection and HTML injection. I often see a talk about SQL injection prevention, but for HTML injections, a lot of people don't get enough attention. In order to show the effect of HTML injection, we imitate a common message this function.
First, it is critical that you add two property settings enableeventvalidation= "false" validaterequest= "false" in the page declaration, so that the reader can try it out if this setting does not work.
<%@ Page language= "C #" autoeventwireup= "true" codefile= "Default.aspx.cs" inherits= "_default" Enableeventvalidation= "false" validaterequest= "false"%> |
Then, the foreground page and the background code snippet are as follows:
<asp:textbox id= "Txtinput" runat= "Server" height= "95px" width= "405px" textmode= "MultiLine" ></asp:textbox > <asp:button id= "btnsubmit" runat= "Server" text= "Simple Submit" onclick= "btnSubmit_Click"/> <asp:label id= "lblshow" runat= "Server" ></asp:Label> |
protected void btnSubmit_Click (object sender, EventArgs e) { This.lblShow.Text = This.txtInput.Text; } |
The program is very simple, the user input to display the content again. Run the code and then enter our malicious code to submit.
We will find that the page automatically jumps to the http://too.much.spam/page! This is called "HTML injection". Once the page page is render to the client, the browser resolves to a normal HTML page, and when parsing to the above JS code ...
To avoid this intrusion, in asp.net, our simplest approach is to "HTML-encode" the input. Change the background code to:
protected void btnSubmit_Click (object sender, EventArgs e) { This.lblShow.Text = this. Server.HTMLEncode (This.txtInput.Text); } |
Now we run the code and find that the source code is displayed as it is in the page and is not running. Why, then? To view the source code for the output page:
<span id= "Lblshow" ><p>sanitizing !</p></span>
After finishing, we found the following mapping transformation:
<-< (less than)
>-> (Greater than)
"--" (quota)
So JS can not execute, but in the page display, we can see the "original" JS content.
But the problem is not over, in the real world, the input content in addition to malicious code, may also have the following content:
<span style= "Color:blue" > Black Hat </span> (dark hat) SEO mainly refers to the adoption of <span style= "Color:blue" > "Less ethical" </span > (for the time being!) In the way of search engine optimization. |
We want to display the blue text, but after coding, obviously can not achieve our results. To do this, we also need to filter more precisely. This is why we have to set the enableeventvalidation= "false" validaterequest= "false" the real reason.
In fact, my first thought was to encode the entire content first and then replace the HTML tags we allowed to use. This is quite safe, but in the specific operation, encountered a lot of problems, this depressed AH ~ ~ ~ (if anyone has this implementation code, we must take out to share it).
Let me introduce another scenario:
The first step is to remove the tags, such as <span style= "Color:blue" >, </span> and <script, and our replacement range is limited to the content between the tags < >.
Then get all the tag names, the names and values of the attributes, and replace them if there are any prohibited content. The possible forms of malicious code are as follows:
Name of label: <script </script
tags in the attribute: <span onclick
Value of property: