ASP.NET MVC application security (1) -- custom error handling
Many ASP.NET MVC developers write high-performance code and deliver software well, but have no security plan.
One attack works like this: an attacker intercepts the form data submitted by the end user, modifies it, and then sends the modified data to the server.
In this case the developer needs to perform appropriate validation, but the detailed error messages displayed when validation fails can leak server information (stack traces, file paths, framework versions).
For example, the familiar 404 and 500 pages (commonly known as the "yellow page"):
Solution:
- Disable the built-in custom error pages by setting the mode attribute of the customErrors node in Web.config to Off, so that unhandled errors reach Application_Error instead.
```xml
<system.web>
  <customErrors mode="Off"></customErrors>
  <!-- debug="true" is a development setting; deployed builds should use debug="false" -->
  <compilation debug="true" targetFramework="4.5"/>
</system.web>
```
- Remove the HandleErrorAttribute registration from the global filters in FilterConfig, so MVC no longer swallows controller exceptions before Application_Error sees them.
```csharp
using System.Web.Mvc;

public class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        // Intentionally not registered: errors are handled centrally in
        // Application_Error (Global.asax) instead of by the MVC HandleError filter.
        //filters.Add(new HandleErrorAttribute());
    }
}
```
- Add the Application_Error event handler to the Global.asax file.
```csharp
protected void Application_Error(object sender, EventArgs e)
{
    Exception exception = Server.GetLastError();
    if (exception != null)
    {
        HttpException httpException = exception as HttpException;
        if (httpException != null)
        {
            int errorCode = httpException.GetHttpCode();
            if (errorCode == 400 || errorCode == 404)
            {
                Response.StatusCode = 404;
                // ClearError must come before Redirect(..., true): Redirect with
                // endResponse=true ends the request, so code after it never runs.
                Server.ClearError();
                Response.Redirect(string.Format("~/Error/Error404"), true);
                return;
            }
        }

        // Capture the posted body so the log shows what input triggered the error
        var postData = string.Empty;
        try
        {
            using (System.IO.Stream stream = Request.InputStream)
            {
                using (System.IO.StreamReader streamReader = new System.IO.StreamReader(stream, System.Text.Encoding.UTF8))
                {
                    postData = streamReader.ReadToEnd();
                }
            }
        }
        catch { }

        // This method writes the error log and e-mails the error to the developers (can be omitted)
        LogCache.Instance.SaveToLog(Request, AppDomain.CurrentDomain.BaseDirectory + @"\privateFolder\SysLog\Error\", DateTime.Now.ToString("yyyyMMddHH") + ".log", postData, exception.ToString());

        // The exception details stay in the log; the client only gets the generic 500 page
        Response.StatusCode = 500;
        Server.ClearError();
        Response.Redirect(string.Format("~/Error/Error500"), true);
    }
}
```
- Add custom 404 and 500 pages
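The article does not show the controller behind the "~/Error/Error404" and "~/Error/Error500" redirects, so the following is an added example, not code from the original post. Only the controller and action names are taken from the URLs above; everything else is assumed. It also demonstrates the point made later about status codes: because Application_Error redirects with a 302, the error page itself must set the 404 or 500 status, otherwise the client and search engines receive a 200.

```csharp
using System.Web.Mvc;

// Assumed controller serving the generic error pages that Application_Error
// redirects to. The views (Views/Error/Error404.cshtml, Error500.cshtml) should
// contain only a static message and never render exception details.
public class ErrorController : Controller
{
    // GET: /Error/Error404
    public ActionResult Error404()
    {
        // The redirect from Application_Error already produced a 302; set the
        // real status here so the final response is not a 200.
        Response.StatusCode = 404;
        // Stop IIS from swapping in its own error page for status >= 400.
        Response.TrySkipIisCustomErrors = true;
        return View();
    }

    // GET: /Error/Error500
    public ActionResult Error500()
    {
        Response.StatusCode = 500;
        Response.TrySkipIisCustomErrors = true;
        // Details were written to the log in Application_Error; the client
        // sees only the generic view.
        return View();
    }
}
```

TrySkipIisCustomErrors is a standard HttpResponse property; it is needed when IIS has its own httpErrors configured, since IIS would otherwise replace the MVC view with its default error page once the status code is set to 404 or 500.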
Final effect:
Advantages of using the application-level error event:
The first point is good compatibility: both Web Forms and MVC can use it. If an old Web Forms project already uses Application_Error to handle global exceptions, the handling can easily be ported to a new MVC project. Flexibility is also relatively high: compared with the custom errors built into ASP.NET and the HandleError feature of MVC, you are freer to write your own business logic in the handler.
In addition, you can set the HTTP error codes as needed, which also matters for SEO. By default, ASP.NET's built-in custom errors redirect with a 302, which is not good for SEO. Although the redirectMode attribute of the customErrors node can be set to "ResponseRewrite" (rewrite instead of redirect), if the HTTP error code is not set on the page being rewritten to, the HTTP status code is still 200.
Limitations of Application_Error:
The Application_Error event cannot handle exceptions that have already been handled, such as exceptions caught in a try-catch. In addition, because it is an application-level event, it cannot handle exceptions at the level of an individual action method or controller. For now, I only think of these limitations; generally, this event can be used to handle custom exceptions as long as the project has no special requirements.