Expose my web Filter


Background

Most programmers have run into XSS (cross-site scripting). For cross-site examples, see here. It is easy to keep under control in the early stage of a project, but in legacy projects the workload is still very large. This chapter introduces one solution. Of course, a filter's job is not only to prevent cross-site attacks.

Overview

1. Regular expressions can be configured per page and per control.
2. Filtering of post, get, head and cookie data when data is submitted.
3. During page browsing, checking of server-side controls, and checking and updating of the page output stream.
4. The application generates detailed XSS alarm logs and exception logs.
5. Common XSS alarms and user input are collected on the server.
6. IP black/white list filtering.

Demo process summary

Step 1. Configure the filtering categories: post, get, head, cookies, other (as the name suggests, a custom extension), outputcontrol (checks server-side controls) and outputhtml (checks the page output stream).

Step 2. Take the get method as an example. Application type 1 indicates that the get filter regular expression is used as a reference without escaping. Because the final configuration medium is XML, the reason is described below.

Step 3. Set the parameters according to the configuration type. Take the post method as an example: on the UserInfo.aspx page the Email, ICQ and QQ parameters are filtered, and by default all parameters are filtered.

Step 4. Generate the fixed XML text on the configuration category page. This reduces the complexity of the master site and lets each application site extend its own features flexibly; most importantly, it avoids the risk of network transmission exceptions. After all, security has the highest priority.

Step 5. Additional components on the application side; the components are described in detail in the Outline Design below.

Step 6. Take the get method as an example.

Add some sensitive characters, and set the abnormal jump page to http://t.163.com/notfound


Outline Design

This web filter does not work at the system level; it is mainly a design concept. I think many of you will find it simple after reading this article. Yes. You will find a lot of interesting and useful content when you pay attention to the details around a project. One advantage of a .NET project is that most aspects of the application life cycle can be controlled well. Many people may think of AOP for the functions above, but it is not universal.

The following shows how filters look.

You are not mistaken. It is true that this is the only one.

XssCheck is responsible for the actual check action.

For example, if an IP address outside the whitelist has made more than five malicious accesses, the application's cache records that this IP is denied for 12 hours. After five malicious accesses no further alarm data is collected for it on the page; the access is dropped and redirected to a custom page.

Different check actions are performed according to the configuration type.

The processing of the page output stream is special. Stream processing comes in two types: check only, or check and update. Here we need to distinguish two concepts: HttpModule and HttpHandler.

Original explanation of HttpModule from MSDN:

An HTTP module is an assembly that is called on every request made to your application. HTTP modules are called as part of the ASP.NET request pipeline and have access to life cycle events throughout the request. HTTP modules therefore give you the opportunity to examine incoming and outgoing requests and take action based on the request. The topics in this section provide information on how HTTP modules work and how to create them.

In a word, we can write a custom HttpModule to process or filter the content of the HttpRequest: subscribe to the pipeline events and perform the required operations in the event handlers.

For the specific pipeline events, see
http://msdn.microsoft.com/library/chs/default.asp?Url=/library/CHS/cpref/html/frlrfsystemwebhttpapplicationclasstopic.asp

Original explanation of HttpHandler from MSDN:

Defines the protocol implemented by ASP.NET to use a custom HTTP handler to synchronously process HTTP Web requests.

In a word, the HttpHandler is the real processing center of an HTTP request. It is inside this HttpHandler container that the ASP.NET Framework actually compiles and executes the server pages requested by the client.

The relationship between HttpModule and HttpHandler:

The HttpHandler attaches the processed information to the HTTP request information stream and returns it to the HttpModule again.

When an HTTP request is passed from the HttpModule container to the HttpHandler container, the ASP.NET Framework calls the ProcessRequest method of the HttpHandler to process the HTTP request. Take an ASPX page as an example: it is at this point that the ASPX page is parsed by the system, and the processed result is passed back through the HttpModule until it reaches the client. The transition event after the HttpHandler is PostRequestHandlerExecute. For more details, refer to ASP.NET pipeline processing in MSDN.

After learning the concepts above, you should understand at which stage stream processing takes place. The page output stream is the first point at which the server sends data to the client after processing the request. Here we put the stream processing in the HttpHandler. How do we jump to the Handler from the BeginRequest pipeline event of the HttpModule? Here the author uses a clever method, which careful readers may have discovered:

<add verb="*" path="*.xss.aspx" type="BBS.XssCheck.XssHandler, BBS.XssCheck"/>

The author rewrites the URL. On the second request, the remaining pipeline stages pass the request directly to the HttpHandler based on that URL. The specific process will not be described in detail.
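The check-only versus check-and-update handling of the page output stream, as an added example that is not the article's XssHandler: a hypothetical Response.Filter stream that buffers the HTML, counts rule matches and, in update mode, HTML-encodes them (C# 7; the class name, the rule passed in and the UTF-8 assumption are mine).

```csharp
using System;
using System.IO;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical filter, not the article's XssHandler: buffers the page output stream, checks it
// against a rule and, in update mode, HTML-encodes every match before the bytes leave the server.
// Attach in a handler or module: ctx.Response.Filter = new OutputCheckFilter(ctx.Response.Filter, rule, update);
public sealed class OutputCheckFilter : Stream
{
    readonly Stream _inner;                           // the original response filter chain
    readonly MemoryStream _buffer = new MemoryStream();
    readonly Regex _rule;
    readonly bool _update;                            // false = check only, true = check and update
    public int Matches { get; private set; }          // what an XssLog call would record

    public OutputCheckFilter(Stream inner, Regex rule, bool update)
    {
        _inner = inner; _rule = rule; _update = update;
    }

    // Buffer everything: the page is only complete, and therefore only checkable, at Close.
    public override void Write(byte[] buffer, int offset, int count) => _buffer.Write(buffer, offset, count);
    public override void Flush() { }

    public override void Close()
    {
        string html = Encoding.UTF8.GetString(_buffer.ToArray());   // assumes a UTF-8 response
        Matches = _rule.Matches(html).Count;
        if (_update && Matches > 0)
            html = _rule.Replace(html, m => HttpUtility.HtmlEncode(m.Value));
        byte[] bytes = Encoding.UTF8.GetBytes(html);
        _inner.Write(bytes, 0, bytes.Length);
        _inner.Close();
        base.Close();
    }

    // Write-only stream plumbing required by the Stream base class.
    public override bool CanRead => false;
    public override bool CanSeek => false;
    public override bool CanWrite => true;
    public override long Length => throw new NotSupportedException();
    public override long Position { get => throw new NotSupportedException(); set => throw new NotSupportedException(); }
    public override int Read(byte[] buffer, int offset, int count) => throw new NotSupportedException();
    public override long Seek(long offset, SeekOrigin origin) => throw new NotSupportedException();
    public override void SetLength(long value) => throw new NotSupportedException();
}
```

In update mode the rule must be narrow enough to spare the page's own legitimate script and event-handler markup, otherwise the filter breaks the page it protects.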

It is worth mentioning the method used to obtain the server-side controls to check.

Some of the code is ugly; I'm too lazy to change it now.

using System.Collections.Specialized;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.UI;
using System.Web.UI.HtmlControls;
using System.Web.UI.WebControls;

// Collects the text/URL values of the checked control types into a NameValueCollection and,
// in check mode, matches each value against the configured regular expression.
static void CheckPageControls(Page page, HttpContext context, Regex r, bool mode)
{
    int nPageControls = page.Controls.Count;
    NameValueCollection controlcollection = new NameValueCollection();
    for (int i = 0; i < nPageControls; i++)
    {
        // Only walks one level below each top-level control (e.g. the children of the server form).
        foreach (Control control in page.Controls[i].Controls)
        {
            string value = null;
            if (control is Button) value = ((Button)control).Text;
            else if (control is Label) value = ((Label)control).Text;
            else if (control is HtmlAnchor) value = ((HtmlAnchor)control).HRef;
            else if (control is TextBox) value = ((TextBox)control).Text;
            else if (control is HtmlImage) value = ((HtmlImage)control).Src;
            // Not a checked control type: skip it instead of letting r.IsMatch(null) throw into an empty catch.
            if (value == null) continue;
            controlcollection.Add(control.ID, value);
            if (mode && r.IsMatch(value))
            {
                XssLog(context, 5, control.ID, value);
                break; // one alarm per container is enough
            }
        }
    }
}

XssControl implements IHttpModule

Get, post, head, and cookies are all in the BeginRequest pipeline.
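The BeginRequest check and the IP blacklist described above, as an added example that is not the project's XssControl code: a hypothetical IHttpModule with a constructed rule, a placeholder jump page and the five-strike, 12-hour denial kept in the ASP.NET cache (C# 6, ASP.NET 4.5+ for Request.Unvalidated).

```csharp
using System;
using System.Collections.Specialized;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Caching;

// Hypothetical module sketch, not the article's XssControl: checks GET, POST and cookie
// values in BeginRequest and keeps the per-IP strike counter in the ASP.NET cache.
public class XssCheckModule : IHttpModule
{
    // Constructed rule for the demo; the real project loads per-page regexes from its XML.
    static readonly Regex Rule = new Regex(@"<\s*script|javascript:|\bon\w+\s*=",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);
    const int MaxStrikes = 5;                                  // article: more than five hits
    static readonly TimeSpan DenyFor = TimeSpan.FromHours(12); // article: denied for 12 hours
    const string JumpPage = "/notfound.aspx";                  // placeholder custom jump page
    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    static void OnBeginRequest(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string ip = ctx.Request.UserHostAddress ?? "unknown";
        string denyKey = "xss:deny:" + ip, hitKey = "xss:hits:" + ip;
        // Blacklisted IP: drop the request at once and collect no further alarm data.
        if (ctx.Cache[denyKey] != null) { Deny(ctx); return; }
        // Unvalidated (ASP.NET 4.5+) keeps the framework's own request validation from throwing
        // before this check runs. HEAD requests carry no body, so the query string covers them.
        UnvalidatedRequestValues raw = ctx.Request.Unvalidated;
        string type = Matches(raw.QueryString) ? "get" : Matches(raw.Form) ? "post"
                    : Rule.IsMatch(raw.Headers["Cookie"] ?? "") ? "cookies" : null;
        if (type == null) return;

        // Alarm log (trace stands in for the project's detailed XSS log), then count the strike.
        ctx.Trace.Warn("XssCheck", type + " hit from " + ip + " on " + ctx.Request.Path);
        int hits = ((ctx.Cache[hitKey] as int?) ?? 0) + 1;
        DateTime expires = DateTime.UtcNow.Add(DenyFor);
        ctx.Cache.Insert(hitKey, hits, null, expires, Cache.NoSlidingExpiration);
        if (hits > MaxStrikes) ctx.Cache.Insert(denyKey, true, null, expires, Cache.NoSlidingExpiration);
        Deny(ctx);
    }

    static bool Matches(NameValueCollection v) => v.AllKeys.Any(k => v[k] != null && Rule.IsMatch(v[k]));

    static void Deny(HttpContext ctx)
    {
        ctx.Response.Redirect(JumpPage, false);    // endResponse: false avoids ThreadAbortException
        ctx.ApplicationInstance.CompleteRequest(); // skip the rest of the pipeline
    }
}
```

Register it under system.webServer/modules (integrated pipeline) or system.web/httpModules (classic) in web.config; the cache-based counter is per worker process, so a web farm needs a shared store for the blacklist.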

The server-side control check is performed in the PostRequestHandlerExecute pipeline event

XssHandler implements IHttpHandler

XssWebUtils implements some common web processing methods


That is about it. You are welcome to share your opinions.


This article is from the "follow the Internet" blog; please keep this source: http://dubing.blog.51cto.com/3911153/714335
