• 网站安全通用防护代码在ASP.NET MVC 中的应用实例(接上一篇)


    处理Get、Post等网站请求及Cookie数据监测等,防护网站。

    拦截攻击者注入恶意代码,防御诸如跨站脚本攻击(XSS)、SQL注入攻击等恶意攻击行为。

    1、在Global.asax.cs文件中添加如下代码:

     #region  网站安全防护代码
    
    
            /// <summary>
            /// 在此处进行安全检测和防范
            /// Application_BeginRequest
            /// </summary>
            /// <param name="sender"></param>
            /// <param name="e"></param>
            protected void Application_AcquireRequestState(object sender, EventArgs e)
            {
                HttpContext context = HttpContext.Current;
                string putData = string.Empty;
                if (Request.Cookies != null)
                {
                    if (SafeUtils.CookieData(out putData))
                    {
                        ResponseWarnMessage(context, "Cookie数据有恶意字符!", putData);
                    }
                }
                if (Request.UrlReferrer != null)
                {
                    if (SafeUtils.Referer(out putData))
                    {
                        ResponseWarnMessage(context, "Referrer数据有恶意字符!", putData);
                    }
                }
                if (Request.RequestType.ToUpper() == "POST")
                {
                    if (SafeUtils.PostData(out putData))
                    {
                        ResponseWarnMessage(context, "Post数据有恶意字符!", putData);
                    }
                }
                if (Request.RequestType.ToUpper() == "GET")
                {
                    if (SafeUtils.GetData(out putData))
                    {
                        ResponseWarnMessage(context, "Get数据有恶意字符!", putData);
                    }
                }
            }
            /// <summary>
            /// 非安全行为 输出警告信息
            /// </summary>
            /// <param name="errorMessage"></param>
            /// <param name="putData"></param>
            private void ResponseWarnMessage(HttpContext context, string errorMessage, string putData)
            {
                //记录一下恶意攻击行为
                string ipAddress = IpHelper.GetIP();
                //把攻击日志记录到日志文本文件中
                LogHelper.WriteLog("恶意访问行为  " + "来自IP:" + ipAddress + "的访问存在恶意行为:" + errorMessage + "  字符内容:" + putData, 1);
    
                //BaseUserInfo userInfo = context.Session[DotNet.Business.Utilities.SessionName] as BaseUserInfo;
                //非安全行为同时记录到数据库和文本文件中
                //LogHelper.WriteLog(userInfo, "恶意访问行为", "来自IP:" + ipAddress + "的访问存在恶意行为:" + errorMessage + "字符内容:" + putData, " private void ResponseErrorMessage(string errorMessage, string putData)", typeof(MvcApplication), null);
               
                //跳转相应提醒页面
                RouteData routeData = new RouteData();
                routeData.Values.Add("controller", "Error");
                routeData.Values.Add("action", "General");
                routeData.Values.Add("title", "非法访问与请求提醒");
                routeData.Values.Add("error", "你提交的" + errorMessage + "字符内容:" + putData);
                IController errorController = new ErrorController();
                errorController.Execute(new RequestContext(new HttpContextWrapper(Context), routeData));
                context.Response.End();
            }
    
           #endregion

    2、在网站Web.config文件中添加如下配置:

      (1)、在system.web节点下的httpRuntime节点添加:requestValidationMode="2.0

     (2)、在system.web节点下的pages节点添加:validateRequest="false"

    目的:   用于比如从客户端中检测到有潜在危险的 Request.QueryString 值等情况的报错,让后台可以正常获取到危险字符。

    <system.web>
        <httpRuntime     requestValidationMode="2.0" />
    
    
    
    <pages validateRequest="false" >

    3、新增控制器:ErrorController        。并在其内添加视图页:General

     public ActionResult General(string title, string error, int icon = 5, string returnUrl = "/Home/Index")
            {
                ViewBag.Title = title;
                ViewBag.Msg = error?? "系统出错或您无权访问!";
                ViewBag.Icon = icon;
                ViewBag.ReturnUrl = returnUrl;
                return View();
            }

    4、General视图页代码如下(引用到了LayUI框架):

    @{
        Layout = null;
    }
    
    @{
        var title = ViewBag.Title;
        var msg = ViewBag.Msg;
        var icon = ViewBag.Icon;
        var returnUrl = ViewBag.ReturnUrl;
    }
    
    <!DOCTYPE html>
    
    <html>
    <head>
        <meta charset="utf-8">
        <meta http-equiv="X-UA-Compatible" content="IE=ie10,chrome=1">
        <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    
        <link rel="Shortcut Icon" href=/favicon.ico> 
        <title>@(title)</title>
        <link href="~/Content/layui/src/css/layui.css" rel="stylesheet"/>
    </head>
    <body>
    <div>
    
    </div>
    </body>
    
    <script type="text/javascript" src="~/Content/layui/src/layui.js"></script>
    <script type="text/javascript">
        //JavaScript代码区域
        layui.use(['form', 'element', 'jquery', 'layer'], function() {
            var element = layui.element;
            var form = layui.form,
                layer = layui.layer,
                $ = layui.jquery;
    
        });
    </script>
    
    
    <script type="text/javascript">
            layui.use(['layer'], function () {
    
                var layer = layui.layer;
    
    
                layer.alert('@msg',
                {
                    icon: '@icon',  // 1:勾 2:× 3:问号 4:锁  5:提醒 6:笑脸  7:叹号
                    closeBtn: 0,//不显示关闭按钮
                }, function () {
                    window.location.href = '@returnUrl';
                });
    
    
            });
    
    
    </script>
    
    
    
    </html>

    以下为测试效果图:

    测试:在地址后加入"?action=delete from user"
               

  • 相关阅读:
    socket学习笔记——获取域名与IP(linux)
    socket学习笔记——实现收发文件(Windows)
    socket学习笔记——IO口的基本操作(读、写)
    Microsoft Visual C++ 2010(86) Redistributable不能安装完美解决
    AD转换精度的计算
    cuda编程基础
    CUDA中并行规约(Parallel Reduction)的优化
    Warp divergence
    提取图片中文字
    GPU基本概念详解
  • 原文地址:https://www.cnblogs.com/sharing1986687846/p/10281728.html
Copyright © 2020-2023  润新知