CSRF (Cross-Site Request Forgery), also known as a "one-click attack" or session riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds similar to cross-site scripting (XSS), it is very different from XSS and almost the opposite in how it attacks: XSS exploits the trusted users within a site, while CSRF exploits a trusted site by disguising requests as coming from a trusted user. Compared with XSS, CSRF attacks are less common (and so there are very few resources on defending against them) and are hard to guard against, which is why they are considered more dangerous than XSS.
CSRF attack scenario. A CSRF attack relies on the following assumptions:

- the attacker knows the site the victim visits;
- the attacker's target site keeps a persistent authorization cookie for the victim, or the victim currently holds a session cookie for the target site;
- the target site does not require a second authorization for the user's actions on the site.

ASP.NET MVC has built-in CSRF defences. They are used as follows:

1. Place <%= Html.AntiForgeryToken() %> inside the form in the view. For example:

    <% using (Html.BeginForm("Login", "Admin", FormMethod.Post)) { %>
        <%-- Emits the hidden __RequestVerificationToken field and the matching cookie --%>
        <%= Html.AntiForgeryToken() %>
        <%= Html.ValidationSummary(true, "Login is unsuccessful. Please correct the error and try again.") %>
        <div>
            <fieldset>
                <legend>Account Information</legend>
                <div class="editor-label">
                    <%= Html.LabelFor(m => m.UserName) %>
                </div>
                <div class="editor-field">
                    <%= Html.TextBoxFor(m => m.UserName) %>
                    <%= Html.ValidationMessageFor(m => m.UserName) %>
                    <label id="UserNameTip"></label>
                </div>
                <div class="editor-label">
                    <%= Html.LabelFor(m => m.Password) %>
                </div>
                <div class="editor-field">
                    <%= Html.PasswordFor(m => m.Password) %>
                    <%= Html.ValidationMessageFor(m => m.Password) %>
                </div>
                <p>
                    <input type="submit" value="Login" />
                </p>
            </fieldset>
        </div>
    <% } %>

2. Mark the corresponding action with [ValidateAntiForgeryToken], so that a POST without a token matching the cookie is rejected before the action body runs:

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(Usr usr)
    {
        if (ModelState.IsValid)
        {
            // Look up a system user whose credentials match the posted form
            var model = DB.Context.Single<Usr>(p => p.SystemUser == true
                                                 && p.UserName == usr.UserName
                                                 && p.Password == usr.Password);
            if (model != null)
            {
                Authenticate.Login(usr.UserName, usr.Role);
                return RedirectToAction("UserList", "Admin");
            }
            else
            {
                ModelState.AddModelError("", "The user name or password provided is incorrect.");
            }
        }
        return View(usr);
    }
Reposted from: http://www.cnblogs.com/leleroyn/archive/2010/12/30/1921544.html
It is hard to spell out the exact differences between AntiXss.HtmlEncode, HttpUtility.HtmlEncode and Server.HtmlEncode, but all of them are basically meant to keep malicious script injection out of the site. According to MSDN, HtmlEncode only encodes '<', '>', '&' and '"', plus characters with ASCII codes above 0x80; the exact behaviour also depends on the server environment, since different IIS versions escape differently. For example, a site published to IIS 6 behaves differently from one published to IIS 7, and when you are just debugging the web application in Visual Studio, HtmlEncode escapes differently again. For what cross-site scripting attacks are and why they must be prevented, see this "blog Park" (cnblogs) post: http://www.cnblogs.com/alilang/archive/2013/01/28/2879589.html. For an introduction to AntiXss.dll, see this MSDN article: http://msdn.microsoft.com/en-us/library/aa973813.aspx

Consider the following scenario:

    <img alt='<%= Server.HtmlEncode(Request.QueryString["UserId"]) %>' src='/image.gif' />

An attacker could inject client-side script here by setting UserId to:

    ' onload=alert('XSS') alt='

In certain environments this HTML is open to script injection. For example, if the user appends such a parameter to the URL of the requested page:

    ?userid=' onload=alert('XSS') alt='

the page executes the injected script. The likely reason is that Server.HtmlEncode does not effectively filter the malicious characters in the user input: the single quote is not among the characters listed above, so input placed inside a single-quoted attribute can close that attribute and add a new one. The same can happen with HttpUtility.HtmlEncode. When this happens, consider replacing it with the AntiXss.HtmlEncode method.
Reposted from: http://www.cnblogs.com/jaxu/archive/2013/03/16/2962449.html
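The attribute-breakout scenario from the post above, as an added example that is not part of the original post and not the .NET API itself: a Python model of an encoder limited to the character set the post describes (<, >, &, " and code points above 0x7F) next to one that also encodes the single quote, both rendered into the post's <img alt='...'> template and then parsed the way a browser would, so the smuggled onload attribute becomes visible. The payload string is constructed for the example.

```python
from html.parser import HTMLParser

# Constructed payload with the same shape as the one in the post: it closes
# the single-quoted alt attribute and smuggles in an onload event handler.
PAYLOAD = "' onload=alert('XSS') alt='"

def legacy_html_encode(s: str) -> str:
    """Models an encoder that handles only < > & " and code points above
    0x7F, the set the post attributes to Server.HtmlEncode. The single
    quote is deliberately left untouched, which is the flaw being shown."""
    table = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}
    out = []
    for ch in s:
        if ch in table:
            out.append(table[ch])
        elif ord(ch) > 0x7F:
            out.append(f"&#{ord(ch)};")
        else:
            out.append(ch)
    return "".join(out)

def attribute_encode(s: str) -> str:
    """Attribute-safe variant: the same set plus the single quote, so input
    can never terminate a single-quoted attribute value."""
    return legacy_html_encode(s).replace("'", "&#39;")

def render_img(user_id: str, encode) -> str:
    """The post's template: untrusted input inside a single-quoted attribute."""
    return f"<img alt='{encode(user_id)}' src='/image.gif' />"

class _ImgAttrs(HTMLParser):
    """Collects the attributes of the <img> tag as a browser would see them."""
    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.attrs = dict(attrs)

def img_attributes(markup: str) -> dict:
    """Parses rendered markup; attribute values come back entity-decoded."""
    parser = _ImgAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs

if __name__ == "__main__":
    for name, enc in (("legacy", legacy_html_encode), ("attribute", attribute_encode)):
        attrs = img_attributes(render_img(PAYLOAD, enc))
        print(f"{name:9}: onload present = {'onload' in attrs}, alt = {attrs.get('alt')!r}")
```

With the legacy encoder the parsed tag gains an onload attribute; with the attribute-safe encoder the whole payload stays inside alt as inert text.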
.NET MVC: preventing XSS and CSRF