
ASP.NET MVC 1.0 Anti Attack

For websites, the common attack techniques are "XSS (Cross-Site Scripting Attack)", "CSRF (Cross-Site Request Forgery)" and "SQL Injection Attack".

1. XSS

XSS is the most common kind of attack, and ASP.NET itself already ships with a safeguard against it. By default, MVC enables request validation for every request, which means any dangerous request parameter raises an exception.

Server Error in '/' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (text="<script>alert('Hi!')...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (text="<script>alert('Hi!')...").

MVC turns this validation on in ControllerActionInvoker.InvokeAction.

public class ControllerActionInvoker : IActionInvoker
{
    public virtual bool InvokeAction(ControllerContext controllerContext, string actionName)
    {
        ...
        if (controllerContext.Controller.ValidateRequest)
        {
            ValidateRequest(controllerContext.HttpContext.Request);
        }
        ...
    }

    private static void ValidateRequest(HttpRequestBase request)
    {
        // DevDiv 214040: Enable Request Validation by default for all controller requests
        //
        // Note that we grab the Request's RawUrl to force it to be validated. Calling ValidateInput()
        // doesn't actually validate anything. It just sets flags indicating that on the next usage of
        // certain inputs that they should be validated. We special case RawUrl because the URL has already
        // been consumed by routing and thus might contain dangerous data. By forcing the RawUrl to be
        // re-read we're making sure that it gets validated by ASP.NET.

        request.ValidateInput();
        string rawUrl = request.RawUrl;
    }
}

public abstract class ControllerBase : MarshalByRefObject, IController
{
    private bool _validateRequest = true;

    public bool ValidateRequest
    {
        get { return _validateRequest; }
        set { _validateRequest = value; }
    }
}

Because the code calls HttpRequest.ValidateInput() itself, disabling validation in Web.config has no effect.

<pages validateRequest="false">

However, MVC provides ValidateInputAttribute, which lets us turn validation off.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, ...)]
public class ValidateInputAttribute : FilterAttribute, IAuthorizationFilter
{
    public ValidateInputAttribute(bool enableValidation)
    {
        EnableValidation = enableValidation;
    }

    public bool EnableValidation { get; private set; }

    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        filterContext.Controller.ValidateRequest = EnableValidation;
    }
}

We can turn validation off for an entire Controller, or for a single Action.

[ValidateInput(false)]
public class TestController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [ValidateInput(true)]
    public ActionResult Test(string text)
    {
        return View();
    }
}

Of course, we can also set the Controller.ValidateRequest property directly to enable or disable validation. And remember: any user input that is going to be displayed must always be encoded with HtmlEncode.

HttpUtility.HtmlEncode();
<%= Html.Encode() %>
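The pattern the section describes, as an added example that is not part of the original article: a hypothetical CommentController whose Post action must accept text containing "<" (for example code snippets), so validation is switched off for that one action only, the action performs its own explicit checks, and the value is HtmlEncoded on output. The controller, action and view names are assumptions.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical controller (added example). Request validation stays at the
// MVC 1.0 default (on) for every action except Post.
public class CommentController : Controller
{
    private const int MaxLength = 2000;

    public ActionResult Index()
    {
        return View();
    }

    // Validation is off for this action only, so the checks the framework
    // would have done are now our responsibility.
    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Post(string text)
    {
        if (string.IsNullOrEmpty(text) || text.Length > MaxLength)
        {
            ModelState.AddModelError("text", "Comment must be 1-2000 characters.");
            return View("Index");
        }

        // Keep the raw text; it is encoded at output time, never rendered as HTML.
        ViewData["comment"] = text;
        return View("Show");
    }

    // Same encoding that <%= Html.Encode(...) %> applies in the view; kept as a
    // method so it can be unit-tested apart from the view.
    public static string EncodeForHtml(string raw)
    {
        return HttpUtility.HtmlEncode(raw);
    }
}

// Show.aspx (MVC 1.0 web-forms view), assumed:
//   safe:   <p><%= Html.Encode(ViewData["comment"]) %></p>
//   unsafe: <p><%= ViewData["comment"] %></p>   -- raw user input becomes markup
```

With validation off, `<script>alert('Hi!')</script>` reaches the action; the encoded output renders it as literal text, while the unsafe line would execute it.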
