.NET cross-site scripting (XSS) vulnerability solution

Description:
1. Cross-site scripting refers to a malicious attacker inserting a piece of malicious code into a web page. When a user browses that page, the malicious code embedded in it is executed in the user's browser, and the attacker can exploit this to steal the browser's cookies.
2. Cross-site scripting (CSS) is also called XSS. A malicious attacker inserts malicious code into a web page; when a user browses the page, the embedded code is executed, which achieves the attacker's particular purpose.

Hazards:
1. A malicious user can exploit this vulnerability to steal user account information, log on under other users' identities, and even modify the content that the web page displays to other users.

Solution:
1. One way to avoid XSS is to filter the content that the user provides, on both input and output: use Server.HtmlEncode() in ASP.NET, or the more powerful Microsoft Anti-Cross Site Scripting Library.
2. The following is a general method for filtering the whole website.
using System.Text.RegularExpressions;
using System.Web;

// Namespace taken from the SteelMachining.Common.* calls in the Global.asax
// snippet below; change it to match your own project.
namespace SteelMachining.Common
{
    public class safe_process
    {
        // Blacklist of XSS and SQL-injection fragments. The
        // \b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b) branch also matches ordinary
        // sentences such as "cats and dogs = 2", so expect some false positives.
        private const string StrRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)";

        // The pattern mixes cases (EXEC, UNION, alert) and CookieData() lower-cases
        // its input, so the match has to be case-insensitive; the original
        // Regex.IsMatch(input, StrRegex) call was case-sensitive and missed the
        // upper-case keywords in lower-cased cookie values.
        private static readonly Regex Matcher =
            new Regex(StrRegex, RegexOptions.IgnoreCase | RegexOptions.Compiled);

        // True if any POSTed form field matches the blacklist.
        public static bool PostData()
        {
            bool result = false;
            for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.Form[i]);
                if (result)
                {
                    break;
                }
            }
            return result;
        }

        // True if any query-string parameter matches the blacklist.
        public static bool GetData()
        {
            bool result = false;
            for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.QueryString[i]);
                if (result)
                {
                    break;
                }
            }
            return result;
        }

        // True if any request cookie value matches the blacklist.
        public static bool CookieData()
        {
            bool result = false;
            for (int i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
            {
                string value = HttpContext.Current.Request.Cookies[i].Value;
                result = CheckData(value == null ? null : value.ToLower());
                if (result)
                {
                    break;
                }
            }
            return result;
        }

        // True if the Referer header matches the blacklist; false when absent.
        public static bool referer()
        {
            if (HttpContext.Current.Request.UrlReferrer == null)
            {
                return false;
            }
            return CheckData(HttpContext.Current.Request.UrlReferrer.ToString());
        }

        // Core check shared by the methods above; null input is treated as clean
        // rather than throwing from Regex.IsMatch.
        public static bool CheckData(string inputData)
        {
            if (inputData == null)
            {
                return false;
            }
            return Matcher.IsMatch(inputData);
        }
    }
}
In Application_BeginRequest of Global.asax, call the above methods to process each request. The code is as follows:
protected void Application_BeginRequest(object sender, EventArgs e)
{
    // Message written back in place of the requested page when a check fails.
    string q = "<div style='position: fixed; top: 0px; width: 100%; height: 100%; background-color: white; color: green; font-weight: bold; border-bottom: 5px solid #999;'><br>Your submission contains invalid parameters!</div>";

    // The filter class is named safe_process above; the original snippet
    // called it safe_360, which does not exist.
    if (Request.Cookies != null)
    {
        if (SteelMachining.Common.safe_process.CookieData())
        {
            Response.Write(q);
            Response.End();
        }
    }
    if (Request.UrlReferrer != null)
    {
        if (SteelMachining.Common.safe_process.referer())
        {
            Response.Write(q);
            Response.End();
        }
    }
    if (Request.RequestType.ToUpper() == "POST")
    {
        if (SteelMachining.Common.safe_process.PostData())
        {
            Response.Write(q);
            Response.End();
        }
    }
    if (Request.RequestType.ToUpper() == "GET")
    {
        if (SteelMachining.Common.safe_process.GetData())
        {
            Response.Write(q);
            Response.End();
        }
    }
}
That is roughly how it works. You can adapt it to your own website. Practice is the sole criterion for testing truth; I hope this helps everyone!
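The post's first recommendation, Server.HtmlEncode(), and its second, the request blacklist, behave quite differently on real input. The console program below is an added example, not code from the original post: it runs the post's own StrRegex over a few constructed strings and, for the same strings, shows what context-specific output encoding produces. It assumes the .NET Framework (System.Web) so that HttpUtility is available; the class name SafetyDemo and every sample string are constructed here.

```csharp
// Added example (not from the original post): blacklist filtering versus
// output encoding, side by side, on constructed sample inputs.
using System;
using System.Text.RegularExpressions;
using System.Web;

public static class SafetyDemo
{
    // Same pattern as the post's safe_process.StrRegex, case-insensitive so that
    // "UNION", "union" and "Union" are treated alike.
    private static readonly Regex Blacklist = new Regex(
        @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|" +
        @"<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|" +
        @"<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|" +
        @"(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Request-side blacklist check, as in the post's CheckData().
    public static bool IsBlacklisted(string input)
    {
        return input != null && Blacklist.IsMatch(input);
    }

    // Output-side encoding for the three places a stored string usually ends up.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    public static string ForHtmlAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted ?? string.Empty);
    }

    public static string ForJsString(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted ?? string.Empty);
    }

    public static void Main()
    {
        // Constructed sample inputs (not real traffic).
        string[] samples =
        {
            "<script>alert(1)</script>",   // obvious payload: rejected, and harmless once encoded
            "cats and dogs = 2",          // harmless sentence: the (and|or).{1,6}?= branch rejects it
            "Tom & Jerry <3 \"quotes\""   // harmless punctuation: passes the filter, still needs encoding
        };

        foreach (string s in samples)
        {
            Console.WriteLine("input     : " + s);
            Console.WriteLine("blacklist : " + (IsBlacklisted(s) ? "REJECTED" : "accepted"));
            Console.WriteLine("html body : " + ForHtmlBody(s));
            Console.WriteLine("attribute : \"" + ForHtmlAttribute(s) + "\"");
            Console.WriteLine("js string : '" + ForJsString(s) + "'");
            Console.WriteLine();
        }
    }
}
```

Compile it against System.Web.dll and run it. The second sample shows the cost of the blacklist (a legitimate sentence is rejected); the third shows why the post's first recommendation still applies even when the filter is in place: the string passes the regex, so only encoding at output time keeps its `<`, `&` and quotes from being interpreted as markup. The encoder has to match the context the value is written into, which is why the program prints three different encodings for each input.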