Cross-site scripting (XSS) is a computer security vulnerability in web applications that allows malicious web users to embed code, such as HTML and client-side script, into pages that are viewed by other users. To prevent XSS attacks, the application must determine whether the user's input is legitimate before processing the client request, and intercept the request if it is not. An ASP.NET website has a global application file, Global.asax, at its root; each time IIS receives a request, ASP.NET executes the events in this file in sequence. The Application_BeginRequest event fires when ASP.NET starts processing each request, so code in this event handler runs before the page or service handles the request. We can write code here to verify that the client request is legitimate.
First, create an XssFilter class under the App_Code folder, the default location for shared class files when ASP.NET creates a website:
```csharp
using System;
using System.Web;
using System.Text.RegularExpressions;

/// <summary>
/// Summary description for XssFilter: a blocklist check applied to the
/// form fields, query string, cookies and referrer of each request.
/// </summary>
public class XssFilter
{
    public XssFilter() { }

    // HTML/script and SQL fragments that are treated as malicious input.
    private const string StrRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bexec\b|union.+?select|update.+?set|insert\s+into.+?values|(select|delete).+?from|(create|alter|drop|truncate)\s+(table|database)";

    // Checks every posted form field; true means a malicious pattern was found.
    public static bool PostData()
    {
        bool result = false;
        try
        {
            for (int i = 0; i < HttpContext.Current.Request.Form.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.Form[i].ToString());
                if (result)
                {
                    break;
                }
            }
        }
        catch (HttpRequestValidationException)
        {
            // ASP.NET request validation already rejected the input: treat it as malicious.
            return true;
        }
        return result;
    }

    // Checks every query string parameter.
    public static bool GetData()
    {
        bool result = false;
        try
        {
            for (int i = 0; i < HttpContext.Current.Request.QueryString.Count; i++)
            {
                result = CheckData(HttpContext.Current.Request.QueryString[i].ToString());
                if (result)
                {
                    break;
                }
            }
        }
        catch (HttpRequestValidationException)
        {
            return true;
        }
        return result;
    }

    // Checks the value of every cookie sent with the request.
    public static bool CookieData()
    {
        bool result = false;
        try
        {
            for (int i = 0; i < HttpContext.Current.Request.Cookies.Count; i++)
            {
                // A cookie may carry no value; Regex.IsMatch rejects null input.
                string value = HttpContext.Current.Request.Cookies[i].Value ?? string.Empty;
                result = CheckData(value.ToLower());
                if (result)
                {
                    break;
                }
            }
        }
        catch (HttpRequestValidationException)
        {
            return true;
        }
        return result;
    }

    // Checks the Referer header; the caller must verify UrlReferrer is not null first.
    public static bool Referer()
    {
        return CheckData(HttpContext.Current.Request.UrlReferrer.ToString());
    }

    // Returns true when the input matches any blocked pattern.
    public static bool CheckData(string inputData)
    {
        if (string.IsNullOrEmpty(inputData))
        {
            return false;
        }
        // IgnoreCase is required: the pattern is lowercase, but client input
        // such as "<SCRIPT>" arrives in any case.
        if (Regex.IsMatch(inputData, StrRegex, RegexOptions.IgnoreCase))
        {
            return true;
        }
        else
        {
            return false;
        }
    }
}
```
Then add the following code to the Global.asax Application_BeginRequest event:
```csharp
void Application_BeginRequest(object sender, EventArgs e)
{
    if (Request.Cookies != null)
    {
        if (XssFilter.CookieData())
        {
            Response.Write("The cookie data you submitted has malicious characters!");
            Response.End();
        }
    }
    if (Request.UrlReferrer != null)
    {
        if (XssFilter.Referer())
        {
            Response.Write("The referrer data you submitted has malicious characters!");
            Response.End();
        }
    }
    if (Request.RequestType.ToUpper() == "POST")
    {
        if (XssFilter.PostData())
        {
            Response.Write("The POST data you submitted has malicious characters!");
            Response.End();
        }
    }
    if (Request.RequestType.ToUpper() == "GET")
    {
        if (XssFilter.GetData())
        {
            Response.Write("The GET data you submitted has malicious characters!");
            Response.End();
        }
    }
}
```
To test, submit the form or manually edit the URL to include a line of script such as <script>alert('Test')</script>; the request is intercepted and the error prompt is returned instead of the page.
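The same blocklist can be exercised offline before it is wired into Application_BeginRequest. The following console program is an added example, not part of the original post; it reuses the pattern from the XssFilter class above and runs it over a few constructed sample values of the kind that would arrive in Request.Form or Request.QueryString.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Stand-alone check of the XssFilter blocklist, runnable outside IIS.
public static class XssFilterCheck
{
    // Same pattern as XssFilter.StrRegex in the class above.
    private const string StrRegex = @"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bexec\b|union.+?select|update.+?set|insert\s+into.+?values|(select|delete).+?from|(create|alter|drop|truncate)\s+(table|database)";

    // Compiled once; IgnoreCase matches the CheckData call in XssFilter.
    private static readonly Regex Pattern = new Regex(StrRegex, RegexOptions.IgnoreCase);

    // True when the value would be rejected by the filter.
    public static bool CheckData(string input)
    {
        return !string.IsNullOrEmpty(input) && Pattern.IsMatch(input);
    }

    // Returns, in order, the values the filter would reject.
    public static List<string> Flagged(IEnumerable<string> inputs)
    {
        var hits = new List<string>();
        foreach (string s in inputs)
        {
            if (CheckData(s)) hits.Add(s);
        }
        return hits;
    }

    public static void Main()
    {
        // Constructed sample values (not taken from any real request).
        string[] samples =
        {
            "<script>alert('Test')</script>",  // the payload used in the test above
            "Jane Doe",                         // ordinary form value
            "please alert the manager",        // benign text hitting \b(alert|...)\b
            "rock or roll = fun"                // benign text hitting the and/or clause
        };
        foreach (string s in samples)
        {
            Console.WriteLine("{0,-36} -> {1}", s, CheckData(s) ? "blocked" : "allowed");
        }
    }
}
```

The two benign sentences are rejected along with the script payload: a blocklist of this kind trades false positives for coverage, so keep HTML-encoding output (for example with HttpUtility.HtmlEncode) as the primary XSS control rather than relying on this filter alone.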
If you submit via asynchronous Ajax, check for the error response in the callback function.
Using the Global.asax Application_BeginRequest event to filter malicious XSS script submissions from clients