In ASP.net, most of the security problems arise from the following three areas:
1. Upload
2. Cross-station
3. Inject
The security issue of uploading is beyond the scope of this article, where only the problem of Cross station and injection is discussed, both of which are basically filtered! Put the injection in the back is because, SQL injection played for so many years, we should have a certain precautions, as long as a little attention, can play on the asp.net above the injection is still quite small! Note the following points.
1. All the parameters. If it is of type int, please convert to int again! Don't take boxes and unboxing! It is estimated that now everyone will not put the SQL statement directly in the Web stitching, at least to use a few classes, the middle of some simple logic to deal with! Type conversions are still involved.
2. Use parameterized query as far as possible!
3. At least pay attention to filter single quotes (in fact, if the use of parameterized query, do not filter is OK, but I still habitually filter)!
4. Do not directly to the wrong naked exposed to the user! This is not just to prevent injection, but also a user experience problem! By rewriting the OnError event, inheriting again, can be handled very well!
and relative to cross station, anti-wash ear fan up on a lot of trouble, filtration has been a very tangled things, filtration is too strict, the impact of normal use, did not filter good, but also caused security problems! I have just written the filter class out, perhaps there is no consideration of the place, I hope that everyone to guide,
Copy Code code as follows:
public static string Stringfilters (String input)
{
if (string. IsNullOrEmpty (input))
return input;
* * Cross Station attack
input = input. Replace ("&#", "&#");/filter &# attack mode Javascript:alert (' XSS ')
input = Regex.Replace (input, @ "javascript:", "javascript:", regexoptions.ignorecase);/filter JS attack mode: Javascript:alert (' XSS ");
input = Regex.Replace (input, @ "VBScript:", "VBScript:", regexoptions.ignorecase);//Filter JS attack mode: Vbscript:msgbox (' XSS ');
input = Regex.Replace (input, @ "J *a *v *a *s *c *r *i *p *t:", "VBScript:", regexoptions.ignorecase);//attack mode: Java Script:al ERT (' XSS ');
input = Regex.Replace (input, @ "\/\*[ss]*\*\/", "<!--code-->", regexoptions.ignorecase);
input = Regex.Replace (input, @ "expression", "expression", regexoptions.ignorecase);
input = Regex.Replace (input, @ "<[\u0020]*style[^>]*>", "S:yle", regexoptions.ignorecase);
input = Regex.Replace (input, @ "<[^>]*object[^>]*>", "objec&$58", regexoptions.ignorecase);//Attack mode <object type= "Text/x-scriptlet" Data= "http://www.cnblog.cn" ></OBJECT> note that you will not be able to use flash after filtering
/* All kinds of event filtration * *
input = Regex.Replace (input, @ "<[^>]*[\u0020]+on[A-Za-z]{3,20}[\u0020]*=[\u0020]*[^>]*>", "Js Event", Regexoptions.ignorecase);//
input = input. Replace ("'", "'");//single quotation mark prevents SQL injection
input = Regex.Replace (input, @ "script", "script", regexoptions.ignorecase);//Prevent script attack
input = Regex.Replace (input, @ "frame", "frame", regexoptions.ignorecase);//prevent IFrame from hanging horses
input = Regex.Replace (input, @ "form", "form", regexoptions.ignorecase);//Prohibit form submission
input = Regex.Replace (input, @ "meta", "meta", regexoptions.ignorecase);//prevent meta jump to illegal web page
return input;
}
Add, filter do not put strings into empty, this also has security problems, must be more than another string, such as filtering Hello, then the user can build such a character "You are good", through the replace ("Hello", ""), the output results, I do not say everyone knows!
In addition, this is considered to support the HTML situation, so there is no direct worry about the angle bracket!
