asp网站空间如何过滤xss攻击(xss过滤js脚本)

asp网站空间如何过滤xss攻击(xss过滤js脚本)

扫码添加渲大师小管家,免费领取渲染插件、素材、模型、教程合集大礼包!

asp网站空间过滤xss攻击的方法:1。在web.config增加httpModules节点;2。编写一个过滤器。过滤危险关键词。并增加安全的header。

具体内容如下:

1。在web.config增加httpModules节点

<httpModules>

<addname="HttpAccessInterceptModule"type="Org.Core.Commons.HttpAccessInterceptModule,Org.Core.Commons"/>

</httpModules>

2。再编写一个过滤器

usingSystem;

usingSystem.Collections.Generic;

usingSystem.Configuration;

usingSystem.Linq;

usingSystem.Text.RegularExpressions;

usingSystem.Web;namespaceOrg.Core.Commons

{

///<summary>

///http访问拦截器模块

///1.过滤危险关键词

///2.增加安全Header

///</summary>

publicclassHttpAccessInterceptModule:IHttpModule

{

privatestaticList<string>_RegexWords;

staticHttpAccessInterceptModule()

{

_RegexWords=newList<string>()

{

@"<[^>]+>'",

@"</[^>]+>'",

@"<[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt|window|location|eval|console|debugger|new|Function|var|let)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"

};

string[]keyWords={};

//{"'","alert","script","case","catch","const","continue","debugge","delete","export*","final","finally","for","function","goto","if","implements","import*","return","switch","synchronized","throw","throws","transient","try","break"}

//newstring[]{"select","insert","update","delete","drop","truncate"};_RegexWords.AddRange(keyWords.Select(o=>@"(^|(\W+))"+o+@"((\W+)|$)"));

}publicvoidDispose()

{

}publicvoidInit(HttpApplicationcontext)

{

context.BeginRequest+=newEventHandler(Context_BeginRequest);

context.EndRequest+=newEventHandler(Context_EndRequest);

}privatevoidContext_BeginRequest(objectsender,EventArgse)

{

HttpApplicationapp=(HttpApplication)sender;

try

{

if(IgnoreRequest(app.Request.CurrentExecutionFilePath))

return;RequestFiller(app.Request);

AddHeader(app.Response);

}

catch(Exceptionex)

{

if(!(exisPSBaseException))

PSLog4net.Error(this,ex);

app.Response.Write(ex.Message);

app.Response.Flush();

app.Response.End();

}

}privatevoidContext_EndRequest(objectsender,EventArgse)

{

HttpApplicationapp=(HttpApplication)sender;SetContentType(app);

}privatevoidRequestFiller(HttpRequestrequest)

{

stringerror="";if(request.Path.IndexOf("/log/",StringComparison.CurrentCultureIgnoreCase)>=0)

error="不允许访问/log/目录";

if(string.IsNullOrEmpty(error)&&

request.Path.IndexOf("/bak/",StringComparison.CurrentCultureIgnoreCase)>=0)

error="不允许访问/bak/目录";

if(string.IsNullOrEmpty(error))

{

foreach(stringkeyinrequest.Params.AllKeys)

{

if(key=="aspxerrorpath")

continue;

stringvalue=request.Params[key];

if(!string.IsNullOrEmpty(value)&&(value.Contains("jquery.alert")||value.Contains("image")))

continue;

if(!string.IsNullOrEmpty(key))

{

//if(Regex.IsMatch(key,@"\W+"))

//{

//error=string.Format("存在访问风险。参数[{0}={1}]无法通过“{2}”校验.",key,value,@"\W+");

//break;

//}

foreach(stringregexin_RegexWords)

{

if(Regex.IsMatch(key,regex,RegexOptions.IgnoreCase))

{

error=$"存在访问风险。参数[{key}={value}]无法通过“{regex}”校验.";

break;

}

}

}if(!string.IsNullOrEmpty(error))

break;

if(!string.IsNullOrEmpty(value))

{

foreach(stringregexin_RegexWords)

{

if(Regex.IsMatch(value,regex,RegexOptions.IgnoreCase))

{

error=$"存在访问风险。参数[{key}={value}]无法通过“{regex}”校验.";

break;

}

}

}if(!string.IsNullOrEmpty(error))

break;

}

}if(!string.IsNullOrEmpty(error))

{

Log4net.Error(this,error);

thrownewPSBaseException("存在访问风险。请求无法通过系统校验规则.");

}

}privatevoidAddHeader(HttpResponseresponse)

{}privatevoidSetContentType(HttpApplicationapp)

{

if(app.Request.Url.AbsolutePath.EndsWith(".png",StringComparison.CurrentCultureIgnoreCase))

app.Response.ContentType="image/png";

if(string.IsNullOrEmpty(app.Response.ContentType))

app.Response.ContentType="text/plain;charset=utf-8";

}privateboolIgnoreRequest(stringrequestPath)

{

if(requestPath.EndsWith(".assx",StringComparison.CurrentCultureIgnoreCase)||

requestPath.EndsWith(".sjs",StringComparison.CurrentCultureIgnoreCase)||

requestPath.EndsWith(".asmx",StringComparison.CurrentCultureIgnoreCase))

returntrue;

else

returnfalse;

}

}

}

分享到 :
相关推荐

韩国多ip站群服务器有哪些优点(韩国服务器纯ip)

韩国多IP站群服务器具有以下优点:1。多IP地址韩国多IP站群服务器提供多个IP[&...

WebsitePanel、DirectAdmin和cPanel虚拟主机管理系统哪个好

WebsitePanel。DirectAdmin和cPanel都属于受欢迎的虚拟主机...

香港vps云服务器租用配置怎么选择(香港vps云服务器租用配置怎么选择)

香港vps云服务器租用配置选择的方法:1。按网站的实际情况选择空间大小。如有100M...

Debian 10 Linux上安装GCC编译器教程(Debian安装gcc)

GNU编译器集合(GCC)是支持C。C++。Objective-C。Fortran[...

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注