ASP.NET script filtering: preventing cross-site scripting attacks (collected from others)

Source: Internet
Author: User

ASP.NET 1.1 introduced automatic checking of submitted form data for XSS (cross-site scripting attacks). When a user tries to affect the returned page with input such as <xxxx>, the ASP.NET engine raises an HttpRequestValidationException. By default a page with the following text is returned:

Server Error in '/yourapplicationpath' Application

A potentially dangerous Request.Form value was detected from the client
(txtname="<b>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (txtname="<b>").

....



This is an important security feature provided by ASP.NET. Many programmers have no concept of security and do not even know that XSS attacks exist, let alone actively protect against them. Here ASP.NET is secure by default, which lets programmers who know little about security still write websites with a certain degree of protection.

But when I googled HttpRequestValidationException or "A potentially dangerous Request.Form value was detected from the client", I was amazed to find that most people's solution was to disable this feature by setting validateRequest=false in the ASP.NET page directive, without asking whether the programmer's website really does not need it. That is a scary sight to me. Security awareness should live in every programmer's heart: no matter how much you know about security concepts, an active consciousness of it will make your site much safer.

Why do so many programmers want to disable validateRequest? Some genuinely need users to enter characters such as "<>"; nothing more needs to be said about them. Others do not need users to enter XSS-triggering characters at all, but hate the form this error takes: a long block of English in the typical ASP.NET error style, which looks as if the site itself has failed rather than telling the user that illegal characters were entered. They simply do not know how to stop it erroring and handle the error themselves.

If you want to handle this error gracefully instead of showing the default ASP.NET exception page, you should not set validateRequest=false.

A good practice is to add a Page_Error() function to the current page; it captures any exception raised during page processing that was not handled, and you can then give the user a proper error message. If the current page has no Page_Error(), the exception is passed to Application_Error() in Global.asax, where you can also write a generic exception handler. If neither place handles the exception, the default error page is displayed.

For example, handling this exception requires only a short piece of code. Add the following to the page's code-behind:
 

// In the page's code-behind class (requires using System; and using System.Web;)
protected void Page_Error(object sender, EventArgs e)
{
    Exception ex = Server.GetLastError();
    if (ex is HttpRequestValidationException)
    {
        // Replace the default error page with a message of our own.
        Response.Write("Please enter a valid string.");
        // If ClearError() is not called, the exception continues to propagate to Application_Error().
        Server.ClearError();
    }
}
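The Global.asax fallback described above, as an added example that is not part of the original post: a generic Application_Error handler that catches HttpRequestValidationException for every page that has no Page_Error() of its own, logs the attempt, and shows a friendly page. The path ~/InvalidInput.aspx is a hypothetical placeholder.

```csharp
// Added example (not from the original post): Global.asax.cs
using System;
using System.Diagnostics;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        // Exceptions thrown while a page executes reach here wrapped in an
        // HttpUnhandledException, so look at the inner exception as well.
        if (ex is HttpUnhandledException && ex.InnerException != null)
        {
            ex = ex.InnerException;
        }

        if (ex is HttpRequestValidationException)
        {
            // Record the event: a request-validation failure is a useful
            // signal of either a confused user or someone probing the site.
            Trace.TraceWarning("Request validation rejected input from {0} for {1}",
                Request.UserHostAddress, Request.RawUrl);

            // Clear the error so the default "Server Error in ..." page is not
            // shown, then hand the user a friendly page instead of a stack trace.
            Server.ClearError();
            Response.Clear();
            Server.Transfer("~/InvalidInput.aspx"); // hypothetical friendly error page
        }
        // Any other exception falls through to ASP.NET's default handling.
    }
}
```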



This code intercepts HttpRequestValidationException and returns whatever reasonable error message the programmer wants.

The code is very simple, so I hope that those who do not really need users to enter characters such as <xxx> will not casually disable this security feature; if you just need to handle the exception, use code like the above.

And programmers who explicitly disable this feature must understand what they are doing, and be sure to manually check and filter the strings that need it; otherwise your site can easily fall victim to cross-site scripting attacks.

What about a page that has a rich text editor?

If the page has a rich text editor control, HTML tags like <xxx> will inevitably be submitted back. In that case we have to set validateRequest="false". So how do we handle security, and how do we prevent cross-site scripting attacks as far as possible in this situation?

Following Microsoft's recommendation, we adopt a security policy of "deny by default, explicitly allow".

First, we encode the input string with HttpUtility.HtmlEncode(), which disables all HTML tags.

Then we use Replace() to restore only the tags we are interested in and consider safe. For example, if we want to allow the "<b>" tag, we explicitly replace "&lt;b&gt;" with "<b>".

The sample code is as follows:

// Requires using System.Text; and using System.Web;
void SubmitBtn_Click(object sender, EventArgs e)
{
    // Encode the input string so that all HTML tags are neutralized.
    StringBuilder sb = new StringBuilder(
        HttpUtility.HtmlEncode(HtmlInputTxt.Text));
    // Then selectively allow <b> and <i> (opening and closing tags).
    sb.Replace("&lt;b&gt;", "<b>");
    sb.Replace("&lt;/b&gt;", "</b>");
    sb.Replace("&lt;i&gt;", "<i>");
    sb.Replace("&lt;/i&gt;", "</i>");
    Response.Write(sb.ToString());
}


This lets us allow a few HTML tags while prohibiting dangerous ones.
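The same "deny by default, explicitly allow" approach, generalized to a configurable list of tag names, as an added example that is not part of the original post. Because the input is HtmlEncoded first and only the exact encoded forms &lt;tag&gt; and &lt;/tag&gt; are restored, a tag carrying attributes (where event handlers would hide) stays encoded and is rendered as plain text; the sample input is constructed.

```csharp
// Added example (not from the original post): allow-list tag restoration.
using System;
using System.Text;
using System.Web;

public static class SafeHtml
{
    // Tags that may appear in the output. Everything else stays encoded.
    private static readonly string[] AllowedTags = { "b", "i", "u", "em", "strong" };

    public static string Sanitize(string input)
    {
        if (input == null) return string.Empty;

        // Step 1: deny by default. Every '<', '>', '&' and quote becomes an entity.
        StringBuilder sb = new StringBuilder(HttpUtility.HtmlEncode(input));

        // Step 2: explicitly allow. Only bare open/close tags from the list are
        // restored; "&lt;b onclick=x&gt;" does not match "&lt;b&gt;" and stays encoded.
        // Matching is case-sensitive, so "&lt;B&gt;" also stays encoded (harmless).
        foreach (string tag in AllowedTags)
        {
            sb.Replace("&lt;" + tag + "&gt;", "<" + tag + ">");
            sb.Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return sb.ToString();
    }
}

// Constructed sample input:
//   "<b>bold</b> <script>alert(1)</script> <b onclick=x>y</b>"
// Sanitize() returns:
//   "<b>bold</b> &lt;script&gt;alert(1)&lt;/script&gt; &lt;b onclick=x&gt;y</b>"
// The <script> element and the attribute-bearing <b> are neutralized; the stray
// closing </b> that is restored is unbalanced but carries no script.
```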

According to Microsoft's recommendations, be cautious about allowing the following HTML tags, because they are likely to lead to cross-site scripting attacks:

    • <applet>
    • <body>
    • <embed>
    • <frame>
    • <script>
    • <frameset>
    • <HTML>
    • <iframe>
    • <img>
    • <style>
    • <layer>
    • <link>
    • <ilayer>
    • <meta>
    • <object>

Perhaps the hardest one to understand here is <img>. But once you have seen the following code, you should recognize its danger.





The <img> tag can lead to JavaScript execution, so an attacker can do anything they want under its cover.

The same is true for <style>:

<style type="text/javascript">
alert('hello');
</style>



References:

How to: Use Visual C# .NET to create custom error reports in ASP.NET
HTTP://SUPPORT.MICROSOFT.COM/KB/306355/ZH-CN

HttpRequestValidationException Class (System.Web)
http://msdn2.microsoft.com/zh-cn/library/system.web.httprequestvalidationexception(vs.80).aspx

MSDN: How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn2.microsoft.com/en-us/library/ms998274.aspx

Microsoft's series of articles on .NET security is also recommended:
http://msdn2.microsoft.com/en-us/library/ms978512.aspx

For cross-site scripting attacks, refer to:

Wikipedia
http://en.wikipedia.org/wiki/Cross_site_scripting

Xfocus
http://www.xfocus.org/articles/200607/874.html

Google
Http://www.google.com/search?q=%E8%B7%A8%E7%AB%99%E8%84%9A%E6%9C%AC%E6%94%BB%E5%87%BB

