Analysis of data filtering in Asp.net

Source: Internet
Author: User

In ASP.NET releases, most security problems come from the following three areas:
1. Upload
2. Cross-site (XSS)
3. Injection
Upload security is not covered in this article. Here we only discuss cross-site and injection, and both of them can basically be handled through filtering. Injection goes at the end of this article because, after so many years of SQL injection, we should all have some prevention measures by now. Even so, if you look a little closer there are still quite a few injection points on ASP.NET sites. Note the following points.
1. All parameters: if a parameter is of int type, convert it to int before processing. Don't worry about the cost of boxing and unboxing. Presumably nobody splices SQL statements together directly in the web layer; at least a few classes and some simple logic sit in between, and type conversion is still needed there.
2. Use parameterized queries whenever possible.
3. At the very least, filter single quotes (in fact, with parameterized queries it is fine not to filter them, but I still filter them with a regular expression).
4. Do not expose errors to users. This is not only to prevent injection but also a user-experience issue; it can be handled well by overriding the OnError event in a base page class and inheriting from it.
Compared with the injection fix, defending against cross-site scripting is much more troublesome. Filtering has always been a tangled matter: filter too strictly and normal use is affected; filter too loosely and there are security problems. Here is the filter class I just wrote. There may be things I have not considered, and I hope you can give me some advice. The code is as follows:

using System.Text.RegularExpressions;

public static string StringFilters(string input)
{
    if (string.IsNullOrEmpty(input))
        return input;
    /* Cross-site attack considerations */
    // The replacement strings below break each keyword with an HTML character reference so the browser no longer
    // recognises it. The exact references were lost when the page was extracted and are reconstructed here.
    input = input.Replace("&#", "&amp;#"); // filter &#nnn; character-reference attacks
    input = Regex.Replace(input, @"javascript:", "java&#115;cript:", RegexOptions.IgnoreCase); // filter javascript: attacks, e.g. javascript:alert('xsss');
    input = Regex.Replace(input, @"vbscript:", "vb&#115;cript:", RegexOptions.IgnoreCase); // filter VBScript attacks, e.g. vbscript:msgbox('xss');
    input = Regex.Replace(input, @"j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t:", "java&#115;cript:", RegexOptions.IgnoreCase); // keyword split by whitespace, e.g. java script:alert('xsss');
    input = Regex.Replace(input, @"\/\*[\s\S]*\*\/", "<!--Code-->", RegexOptions.IgnoreCase); // CSS comments
    input = Regex.Replace(input, @"expression", "e&#120;pression", RegexOptions.IgnoreCase); // CSS expression()
    input = Regex.Replace(input, @"<[\u0020]*style[^>]*>", "S&#116;yle", RegexOptions.IgnoreCase);
    input = Regex.Replace(input, @"<[^>]*object[^>]*>", "o&#98;ject", RegexOptions.IgnoreCase); // attack method: <object type="text/x-scriptlet" DATA="http://www.cnblog.cn"></OBJECT>; note that Flash cannot be used after this filtering
    /* Various event filtering */
    input = Regex.Replace(input, @"<[^>]*[\u0020]+on[A-Za-z]{3,20}[\u0020]*=[\u0020]*[^>]*>", "JsEvent", RegexOptions.IgnoreCase); // on* event handler attributes
    input = input.Replace("'", "&#39;"); // single quotes, to prevent SQL injection
    input = Regex.Replace(input, @"script", "scr&#105;pt", RegexOptions.IgnoreCase); // prevents script attacks
    input = Regex.Replace(input, @"frame", "fr&#97;me", RegexOptions.IgnoreCase); // prevents iframe Trojans
    input = Regex.Replace(input, @"form", "f&#111;rm", RegexOptions.IgnoreCase); // disables form submission
    input = Regex.Replace(input, @"meta", "m&#101;ta", RegexOptions.IgnoreCase); // prevents using meta to redirect to an illegal page
    return input;
}

One more point: when filtering, do not replace a match with the empty string. That creates its own security problem, because you must also consider the string that remains after the match is removed: the characters on either side of it are joined together. Construct a string in which a forbidden word is split by "hello", apply Replace("hello", ""), and you will see the result in the output.
Also, HTML input is allowed here, so angle brackets are not filtered.
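The warning above about empty-string replacement can be turned into a check on any blacklist filter. The following is an added example, not the author's class: the names StripFilter, BreakFilter, IsIdempotent and FilterToFixedPoint are hypothetical, and the sample input is constructed. It shows that a filter which strips a token is not idempotent (a second pass still changes the output), that breaking the token with a character reference is, and how to apply a filter until its output stops changing.

```csharp
using System;
using System.Text.RegularExpressions;

public static class FilterChecks
{
    // Hypothetical blacklist filter that strips the token outright (the mistake the post warns about).
    public static string StripFilter(string input) =>
        Regex.Replace(input, "script", "", RegexOptions.IgnoreCase);

    // Same blacklist, but the token is broken with a character reference so the halves cannot recombine.
    public static string BreakFilter(string input) =>
        Regex.Replace(input, "script", "scr&#105;pt", RegexOptions.IgnoreCase);

    // A filter is safe to apply once only if applying it again changes nothing (its output is a fixed point).
    public static bool IsIdempotent(Func<string, string> filter, string sample)
    {
        string once = filter(sample);
        return once == filter(once);
    }

    // Apply the filter until the output stops changing, bounded so a pathological input cannot loop forever.
    public static string FilterToFixedPoint(Func<string, string> filter, string input, int maxRounds = 10)
    {
        for (int i = 0; i < maxRounds; i++)
        {
            string next = filter(input);
            if (next == input)
                return input;
            input = next;
        }
        throw new InvalidOperationException("filter did not converge within " + maxRounds + " rounds");
    }

    public static void Main()
    {
        // Constructed sample: the blacklisted word is split by a copy of itself, so removing the inner
        // match joins the outer halves back into "script".
        string sample = "scrscriptipt";

        Console.WriteLine(StripFilter(sample));                 // script
        Console.WriteLine(IsIdempotent(StripFilter, sample));   // False
        Console.WriteLine(IsIdempotent(BreakFilter, sample));   // True
        Console.WriteLine(FilterToFixedPoint(StripFilter, sample).Length); // 0: converges only after a second pass
    }
}
```

Run IsIdempotent over a corpus of real inputs before trusting a filter to be applied once; any False result means the filter must either use breaking replacements or be applied to a fixed point.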
