Recently, the company's website needed its security improved to prevent malicious attacks. The attacks fall into several categories:
1. XSS (cross-site scripting) attacks.
2. SQL injection attacks.
I had not realized before how easily a website can be attacked. The Netsparker tool was used to scan the website for SQL injection and cross-site scripting vulnerabilities (the Community Edition can be downloaded from http://www.mavitunasecurity.com/communityedition/). The problems are mainly caused by the following:
1. Front-end and back-end input validation is neither standardized nor complete.
2. User-entered data is fully trusted and used without encoding it or filtering malicious characters, which is dangerous.
For example, visit the URL /product/productSearch.aspx?coid=3&pmid=D710%20(Epic%204G%20Touch)&kw=%22%2Balert(9)%2B%22&IsPromotion=0
The third parameter, kw, is URL-encoded; its decoded value is "+alert(9)+" (the double quotes are part of the value).
On the productSearch.aspx page, this parameter value is not HTML encoded. The back-end C# code assigns it to a class variable searchkw, which therefore holds "+alert(9)+".
The page front end then executes the following JavaScript:
<script type="text/javascript">
GetNews("searchDisplay.aspx?pcid=<%=currentPcid%>&pmid=<%=pmid%>&coid=<%=coid%>&psid=&counter=<%=currentCount%>&kw=<%=searchkw%>&isPromotion=<%=isPromotion%>", "searchDiv1");
</script>
In this case, the first double quote in "+alert(9)+" closes the string literal before it, and the second double quote opens the string literal after it. What remains between them, +alert(9)+, is plain JavaScript, so alert(9) is executed. That code can be replaced with any attacking JavaScript, for example reading the cookie with x=document.cookie and then submitting it to the attacker.
My solution is to use Microsoft's AntiXssLibrary.dll to encode the value of this parameter. The tool is an open-source project and can be downloaded from http://wpl.codeplex.com/.
An MSDN reference document: http://msdn.microsoft.com/en-us/library/aa973813.aspx
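As an added example (not code from the original post), the following C# console program reproduces the inline template from the page, first with the raw kw value and then with the value encoded for the JavaScript string context it is written into. It uses HttpUtility.JavaScriptStringEncode from System.Web so that it compiles without AntiXssLibrary.dll; with AntiXSS 4.x the corresponding call is assumed to be Encoder.JavaScriptEncode(value, false) in the Microsoft.Security.Application namespace. The fixed pcid/pmid/coid values in the template are constructed sample data.

```csharp
// Added example, not the original post's code. Shows how the kw value breaks out of the
// JavaScript string literal in the searchDisplay.aspx URL, and how encoding for the
// JavaScript-string context keeps the literal intact.
using System;
using System.Web;

public static class SearchRenderer
{
    // Mirrors the page's inline <%= %> template: the value lands inside a double-quoted
    // JavaScript string. pcid/pmid/coid are constructed sample values.
    private static string Template(string kw)
    {
        return "GetNews(\"searchDisplay.aspx?pcid=1&pmid=D710&coid=3&kw="
               + kw + "&isPromotion=0\", \"searchDiv1\");";
    }

    // Vulnerable form (what the post describes): the raw query-string value is concatenated
    // into the script, so a double quote in it closes the string literal.
    public static string RenderVulnerable(string kw)
    {
        return Template(kw);
    }

    // Hardened form: the value is part of a query string, so URL-encode it first; then
    // encode the result for the JavaScript string literal it is embedded in.
    // AntiXssLibrary's JavaScript encoder (assumed: Encoder.JavaScriptEncode(value, false)
    // in AntiXSS 4.x) fills the same role as HttpUtility.JavaScriptStringEncode here.
    public static string RenderSafe(string kw)
    {
        string urlSafe = HttpUtility.UrlEncode(kw ?? string.Empty);
        string jsSafe = HttpUtility.JavaScriptStringEncode(urlSafe);
        return Template(jsSafe);
    }

    public static void Main()
    {
        // Constructed sample: the decoded kw from the post's URL, %22%2Balert(9)%2B%22
        string kw = "\"+alert(9)+\"";

        // The two quotes close and reopen the literal; +alert(9)+ sits between them as code.
        Console.WriteLine(RenderVulnerable(kw));

        // No quote character reaches the script, so the literal is a single string again
        // and the value is delivered to searchDisplay.aspx as an ordinary search term.
        Console.WriteLine(RenderSafe(kw));
    }
}
```

The choice of encoder follows the context: text written inside a `<script>` block is not HTML-decoded by the browser, so the relevant encoding is for a JavaScript string literal, with URL encoding applied first because the string is itself a query string. Applying only HTML encoding here would be the wrong tool for the context.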
3. Database queries do not use ASP.NET's safe parameterized query mechanism.
To solve these problems, follow these three steps.
1. Validate the data type of numeric parameter values, on both the front end and the back end.
2. On the back end, encode string-type parameters and other user-input parameters with AntiXssLibrary.dll.
3. Replace every string concatenation in SQL statements with SqlParameter objects that encapsulate the input values.
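The following C# program is an added example (not the original post's code) of steps 1 and 3 applied to the productSearch parameters: the numeric coid is parsed into an int before it is used, and the search statement is built with SqlParameter objects instead of string concatenation. The table and column names (Product, Coid, Name) and the connection string are assumptions; the inputs are constructed sample data.

```csharp
// Added example, not the original post's code. Step 1 (type validation of numeric input)
// and step 3 (SqlParameter instead of concatenation) for the productSearch query.
// Table/column names are assumed; the connection string is a placeholder.
using System;
using System.Data;
using System.Data.SqlClient;

public static class ProductSearch
{
    // Step 1: numeric parameters are parsed into their real type before use; anything
    // that is not a non-negative integer is rejected instead of reaching the database.
    public static bool TryParseId(string raw, out int id)
    {
        return int.TryParse(raw, out id) && id >= 0;
    }

    // Vulnerable form (what the post describes): user input is concatenated into the SQL
    // text, so a quote in kw or non-numeric text in coid changes the statement itself.
    public static string BuildVulnerableSql(string coid, string kw)
    {
        return "SELECT * FROM Product WHERE Coid = " + coid
               + " AND Name LIKE '%" + kw + "%'";
    }

    // Step 3: the statement text is fixed; values travel as SqlParameter objects and are
    // never parsed as SQL, so a kw containing a quote stays a literal search term.
    public static SqlCommand BuildSafeCommand(SqlConnection conn, int coid, string kw)
    {
        var cmd = new SqlCommand(
            "SELECT * FROM Product WHERE Coid = @coid AND Name LIKE @kw", conn);
        cmd.Parameters.Add("@coid", SqlDbType.Int).Value = coid;
        // LIKE wildcards belong in the parameter value, not in the SQL text.
        cmd.Parameters.Add("@kw", SqlDbType.NVarChar, 100).Value = "%" + kw + "%";
        return cmd;
    }

    public static void Main()
    {
        // Constructed sample inputs: a valid coid and a kw that carries a quote and SQL.
        string rawCoid = "3";
        string rawKw = "Epic' OR 1=1 --";

        // The quote in rawKw terminates the literal and the rest becomes part of the WHERE clause.
        Console.WriteLine(BuildVulnerableSql(rawCoid, rawKw));

        int coid;
        if (!TryParseId(rawCoid, out coid))
        {
            Console.WriteLine("coid rejected: not a valid integer");
            return;
        }

        using (var conn = new SqlConnection("PLACEHOLDER_CONNECTION_STRING"))
        {
            SqlCommand cmd = BuildSafeCommand(conn, coid, rawKw);
            // The statement text does not change with the input; only parameter values do.
            Console.WriteLine(cmd.CommandText);
            Console.WriteLine("@kw = " + cmd.Parameters["@kw"].Value);
        }
    }
}
```

Giving each SqlParameter an explicit SqlDbType (and a length for strings) also covers step 1 on the back end: a value that does not fit the declared type is rejected by the provider rather than silently coerced.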