asp网站服务器怎么过滤xss攻击

asp网站主机如何过滤xss攻击

asp网站主机过滤xss攻击的方法：1、在web.config增加httpModules节点；2、编写一个过滤器，过滤危险关键词，并增加安全的header。

下面是详细介绍：

1、在web.config增加httpModules节点

<httpModules>
<addname="HttpAccessInterceptModule"type="Org.Core.Commons.HttpAccessInterceptModule,Org.Core.Commons"/>
</httpModules>

2、再编写一个过滤器

usingSystem;
usingSystem.Collections.Generic;
usingSystem.Configuration;
usingSystem.Linq;
usingSystem.Text.RegularExpressions;
usingSystem.Web;namespaceOrg.Core.Commons
{
///<summary>
///http访问拦截器模块
///1.过滤危险关键词
///2.增加安全Header
///</summary>
publicclassHttpAccessInterceptModule:IHttpModule
{
privatestaticList<string>_RegexWords;
staticHttpAccessInterceptModule()
{
_RegexWords=newList<string>()
{
@"<[^>]+>'",
@"</[^>]+>'",
@"<[^>]+?style=[w]+?:expression(|(alert|confirm|prompt|window|location|eval|console|debugger|new|Function|var|let)|^+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|(and|or).{1,6}?(=|>|<|in|like)|/*.+?*/|<s*script|EXEC|UNION.+?SELECT|UPDATE.+?SET|INSERTs+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)s+(TABLE|DATABASE)"
};
string[]keyWords={};
//{"'","alert","script","case","catch","const","continue","debugge","delete","export*","final","finally","for","function","goto","if","implements","import*","return","switch","synchronized","throw","throws","transient","try","break"}
//newstring[]{"select","insert","update","delete","drop","truncate"};_RegexWords.AddRange(keyWords.Select(o=>@"(^|(W+))"+o+@"((W+)|$)"));
}publicvoidDispose()
{
}publicvoidInit(HttpApplicationcontext)
{
context.BeginRequest+=newEventHandler(Context_BeginRequest);
context.EndRequest+=newEventHandler(Context_EndRequest);
}privatevoidContext_BeginRequest(objectsender,EventArgse)
{
HttpApplicationapp=(HttpApplication)sender;
try
{
if(IgnoreRequest(app.Request.CurrentExecutionFilePath))
return;RequestFiller(app.Request);
AddHeader(app.Response);
}
catch(Exceptionex)
{
if(!(exisPSBaseException))
PSLog4net.Error(this,ex);
app.Response.Write(ex.Message);
app.Response.Flush();
app.Response.End();
}
}privatevoidContext_EndRequest(objectsender,EventArgse)
{
HttpApplicationapp=(HttpApplication)sender;SetContentType(app);
}privatevoidRequestFiller(HttpRequestrequest)
{
stringerror="";if(request.Path.IndexOf("/log/",StringComparison.CurrentCultureIgnoreCase)>=0)
error="不允许访问/log/目录";
if(string.IsNullOrEmpty(error)&&
request.Path.IndexOf("/bak/",StringComparison.CurrentCultureIgnoreCase)>=0)
error="不允许访问/bak/目录";
if(string.IsNullOrEmpty(error))
{
foreach(stringkeyinrequest.Params.AllKeys)
{
if(key=="aspxerrorpath")
continue;
stringvalue=request.Params[key];
if(!string.IsNullOrEmpty(value)&&(value.Contains("jquery.alert")||value.Contains("image")))
continue;
if(!string.IsNullOrEmpty(key))
{
//if(Regex.IsMatch(key,@"W+"))
//{
//error=string.Format("存在访问风险，参数[{0}={1}]没法通过“{2}”校验.",key,value,@"W+");
//break;
//}
foreach(stringregexin_RegexWords)
{
if(Regex.IsMatch(key,regex,RegexOptions.IgnoreCase))
{
error=$"存在访问风险，参数[{key}={value}]没法通过“{regex}”校验.";
break;
}
}
}if(!string.IsNullOrEmpty(error))
break;
if(!string.IsNullOrEmpty(value))
{
foreach(stringregexin_RegexWords)
{
if(Regex.IsMatch(value,regex,RegexOptions.IgnoreCase))
{
error=$"存在访问风险，参数[{key}={value}]没法通过“{regex}”校验.";
break;
}
}
}if(!string.IsNullOrEmpty(error))
break;
}
}if(!string.IsNullOrEmpty(error))
{
Log4net.Error(this,error);
thrownewPSBaseException("存在访问风险，要求没法通过系统校验规则.");
}
}privatevoidAddHeader(HttpResponseresponse)
{}privatevoidSetContentType(HttpApplicationapp)
{
if(app.Request.Url.AbsolutePath.EndsWith(".png",StringComparison.CurrentCultureIgnoreCase))
app.Response.ContentType="image/png";
if(string.IsNullOrEmpty(app.Response.ContentType))
app.Response.ContentType="text/plain;charset=utf⑻";
}privateboolIgnoreRequest(stringrequestPath)
{
if(requestPath.EndsWith(".assx",StringComparison.CurrentCultureIgnoreCase)||
requestPath.EndsWith(".sjs",StringComparison.CurrentCultureIgnoreCase)||
requestPath.EndsWith(".asmx",StringComparison.CurrentCultureIgnoreCase))
returntrue;
else
returnfalse;
}
}
}