For websites, the most common attack methods are XSS (cross-site scripting), CSRF (cross-site request forgery) and SQL injection.
1. XSS
XSS is the most common of these. ASP.NET itself ships with a defence against it: by default, MVC enables request validation for every request, so any request parameter that looks dangerous (for example one containing markup) causes an exception such as the following.
```text
Server Error in '/' Application.
--------------------------------------------------------------------------------
A potentially dangerous Request.Form value was detected from the client (text="<script>alert('Hi!')...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="<script>alert('Hi!')...").
```
MVC triggers this check in ControllerActionInvoker.InvokeAction:
```csharp
public class ControllerActionInvoker : IActionInvoker
{
    public virtual bool InvokeAction(ControllerContext controllerContext, string actionName)
    {
        ...
        if (controllerContext.Controller.ValidateRequest)
        {
            ValidateRequest(controllerContext.HttpContext.Request);
        }
        ...
    }

    private static void ValidateRequest(HttpRequestBase request)
    {
        // DevDiv 214040: Enable Request Validation by default for all controller requests
        //
        // Note that we grab the Request's RawUrl to force it to be validated. Calling ValidateInput()
        // doesn't actually validate anything. It just sets flags indicating that on the next usage
        // certain inputs should be validated. We special case RawUrl because the URL has already
        // been consumed by routing and thus might contain dangerous data. By forcing the RawUrl to be
        // re-read we're making sure that it gets validated by ASP.NET.
        request.ValidateInput();
        string rawUrl = request.RawUrl;
    }
}

public abstract class ControllerBase : MarshalByRefObject, IController
{
    private bool _validateRequest = true;

    public bool ValidateRequest
    {
        get { return _validateRequest; }
        set { _validateRequest = value; }
    }
}
```
Because the framework itself calls HttpRequest.ValidateInput(), turning validation off in Web.config has no effect on MVC controllers:

```xml
<pages validateRequest="false" />
```
Instead, MVC provides ValidateInputAttribute, an authorization filter that lets us switch validation off (or on) per controller or per action:
```csharp
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, ...)]
public class ValidateInputAttribute : FilterAttribute, IAuthorizationFilter
{
    public ValidateInputAttribute(bool enableValidation)
    {
        EnableValidation = enableValidation;
    }

    public bool EnableValidation { get; private set; }

    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        filterContext.Controller.ValidateRequest = EnableValidation;
    }
}
```
With it, we can disable validation for an entire controller and re-enable it for a single action (the action-level attribute runs after the class-level one and wins):
```csharp
[ValidateInput(false)]
public class TestController : Controller
{
    // Inherits the controller-level setting: no request validation.
    public ActionResult Index()
    {
        return View();
    }

    // Validation re-enabled for this action only.
    [ValidateInput(true)]
    public ActionResult Test(string text)
    {
        return View();
    }
}
```
Of course, you can also set the Controller.ValidateRequest property directly to enable or disable validation. Whatever you choose, remember that request validation only filters input; every piece of user-supplied text you render must still be HTML-encoded on output:

```csharp
HttpUtility.HtmlEncode(input);
```

```aspx
<%= Html.Encode(Model.Text) %>
```
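As an added example (not code from the original page), here is a hypothetical CommentController that opts a single POST action out of request validation because its "text" field legitimately contains markup, and then relies on output encoding in the view to neutralise anything like `<script>alert('Hi!')</script>`. The controller name, the in-memory store and the view markup are all constructed for this illustration.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller: validation stays ON for the whole class (the
// default), and is switched off only for the one action that must accept
// raw markup. The raw text is stored as-is and is never trusted.
public class CommentController : Controller
{
    // Constructed in-memory store for the example; a real app would use a database.
    private static readonly List<string> Comments = new List<string>();

    // Request validation is enabled here (inherited default), so a "<script>"
    // in the query string still raises HttpRequestValidationException.
    public ActionResult Index()
    {
        // Pass the RAW comments to the view; encoding happens exactly once, at render time.
        return View(Comments);
    }

    // Only this action accepts markup. Disabling validation moves the whole
    // burden of preventing XSS onto output encoding.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Post(string text)
    {
        if (!string.IsNullOrEmpty(text))
        {
            Comments.Add(text);
        }
        return RedirectToAction("Index");
    }

    // Helper used by the view below; shows the effect of HtmlEncode on the
    // page's own payload: "<script>alert('Hi!')</script>" becomes
    // "&lt;script&gt;alert(...)&lt;/script&gt;", i.e. inert text, not a script tag.
    public static string SafeHtml(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }
}

/* Views/Comment/Index.aspx (constructed), model type IList<string>:

   <% foreach (string comment in Model) { %>
       <p><%= Html.Encode(comment) %></p>   <%-- encode on output, every time --%>
   <% } %>
*/
```

Encoding once at output time (never at storage time) avoids double-encoding and keeps the stored data usable for other consumers.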