Applying general website security protection code in ASP.NET MVC (continued from the previous post)
The code handles GET, POST and other requests to the site and monitors cookie data in order to protect the site.
It intercepts malicious code injected by attackers and defends against attacks such as cross-site scripting (XSS) and SQL injection.
1. Add the following code to Global.asax.cs:
// Requires: using System.Web; using System.Web.Mvc; using System.Web.Routing;
#region Website security protection code
/// <summary>
/// Security checks are performed here, in Application_AcquireRequestState
/// </summary>
/// <param name="sender"></param>
/// <param name="e"></param>
protected void Application_AcquireRequestState(object sender, EventArgs e)
{
    HttpContext context = HttpContext.Current;
    string putData = string.Empty;
    // Each SafeUtils check returns true when malicious characters are found and
    // hands back the offending data through putData
    if (Request.Cookies != null)
    {
        if (SafeUtils.CookieData(out putData))
        {
            ResponseWarnMessage(context, "Cookie数据有恶意字符!", putData);
        }
    }
    if (Request.UrlReferrer != null)
    {
        if (SafeUtils.Referer(out putData))
        {
            ResponseWarnMessage(context, "Referrer数据有恶意字符!", putData);
        }
    }
    if (Request.RequestType.ToUpper() == "POST")
    {
        if (SafeUtils.PostData(out putData))
        {
            ResponseWarnMessage(context, "Post数据有恶意字符!", putData);
        }
    }
    if (Request.RequestType.ToUpper() == "GET")
    {
        if (SafeUtils.GetData(out putData))
        {
            ResponseWarnMessage(context, "Get数据有恶意字符!", putData);
        }
    }
}

/// <summary>
/// Unsafe behaviour: log it and output a warning page
/// </summary>
/// <param name="errorMessage"></param>
/// <param name="putData"></param>
private void ResponseWarnMessage(HttpContext context, string errorMessage, string putData)
{
    // Record the malicious request
    string ipAddress = IpHelper.GetIP();
    // Write the attack log to the text log file
    LogHelper.WriteLog("恶意访问行为 " + "来自IP:" + ipAddress + "的访问存在恶意行为:" + errorMessage + " 字符内容:" + putData, 1);
    //BaseUserInfo userInfo = context.Session[DotNet.Business.Utilities.SessionName] as BaseUserInfo;
    // Alternatively, record the unsafe behaviour in both the database and the text file
    //LogHelper.WriteLog(userInfo, "恶意访问行为", "来自IP:" + ipAddress + "的访问存在恶意行为:" + errorMessage + "字符内容:" + putData, " private void ResponseErrorMessage(string errorMessage, string putData)", typeof(MvcApplication), null);
    // Redirect to the corresponding warning page
    RouteData routeData = new RouteData();
    routeData.Values.Add("controller", "Error");
    routeData.Values.Add("action", "General");
    routeData.Values.Add("title", "非法访问与请求提醒");
    routeData.Values.Add("error", "你提交的" + errorMessage + "字符内容:" + putData);
    IController errorController = new ErrorController();
    errorController.Execute(new RequestContext(new HttpContextWrapper(context), routeData));
    // End the response so the original request is not processed any further
    context.Response.End();
}
#endregion
2. Add the following configuration to the site's Web.config:
(1) On the httpRuntime node under system.web, add requestValidationMode="2.0"
(2) On the pages node under system.web, add validateRequest="false"
Purpose: this suppresses errors such as "A potentially dangerous Request.QueryString value was detected from the client", so that the back end can still receive the dangerous characters and inspect them itself.
<system.web>
  <httpRuntime requestValidationMode="2.0" />
  <pages validateRequest="false" />
</system.web>
3. Add a new controller, ErrorController, and add a view named General to it:
public ActionResult General(string title, string error, int icon = 5, string returnUrl = "/Home/Index")
{
    ViewBag.Title = title;
    // Fall back to a generic message when no error text was supplied
    ViewBag.Msg = error ?? "系统出错或您无权访问!";
    ViewBag.Icon = icon;
    ViewBag.ReturnUrl = returnUrl;
    return View();
}
4. The code of the General view (it uses the LayUI framework):
@{
    Layout = null;
    var title = ViewBag.Title;
    var msg = ViewBag.Msg;
    var icon = ViewBag.Icon;
    var returnUrl = ViewBag.ReturnUrl;
}
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=ie10,chrome=1">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <link rel="Shortcut Icon" href="/favicon.ico">
    <title>@(title)</title>
    <link href="~/Content/layui/src/css/layui.css" rel="stylesheet" />
</head>
<body>
    <div></div>
    <script type="text/javascript" src="~/Content/layui/src/layui.js"></script>
    <script type="text/javascript">
        // JavaScript code area
        layui.use(['form', 'element', 'jquery', 'layer'], function () {
            var element = layui.element;
            var form = layui.form, layer = layui.layer, $ = layui.jquery;
        });
    </script>
    <script type="text/javascript">
        layui.use(['layer'], function () {
            var layer = layui.layer;
            layer.alert('@msg', {
                icon: '@icon', // 1: check 2: cross 3: question mark 4: lock 5: notice 6: smiley 7: exclamation mark
                closeBtn: 0    // do not show the close button
            }, function () {
                window.location.href = '@returnUrl';
            });
        });
    </script>
</body>
</html>
The test result screenshot follows:
Test: append "?action=delete from user" to the URL.
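As an added example (not the post's code, and not the SafeUtils library from the previous post), here is a stand-alone C# model of the inspection that the step 1 handler delegates to SafeUtils, run against the test above; the RequestInspector class, its pattern list and the example.test referer are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
// Standalone model of the checks the handler above delegates to SafeUtils (added example;
// SafeUtils itself is not reproduced). The patterns are illustrative: a blacklist is a
// detection layer only and must sit on top of parameterized SQL and output encoding.
public static class RequestInspector
{
    static readonly Regex[] Patterns =
    {
        // SQL statement shapes such as "delete from user"
        new Regex(@"\b(select|delete|update|insert|drop)\b\s+\b(from|into|table|set)\b", RegexOptions.IgnoreCase),
        // common script-injection markers
        new Regex(@"<\s*script|javascript:", RegexOptions.IgnoreCase),
    };
    // Scans one request source; first hit wins, as in the handler, where ResponseWarnMessage ends the response.
    static bool Scan(string name, IEnumerable<KeyValuePair<string, string>> data,
        out string source, out string offending)
    {
        source = null; offending = null;
        if (data == null) return false;
        foreach (var kv in data)
        {
            // URL-decode once before matching, as Request.QueryString/Form do, so encoded input is not missed
            string value = Uri.UnescapeDataString(kv.Value ?? string.Empty);
            foreach (var pattern in Patterns)
                if (pattern.IsMatch(value)) { source = name; offending = kv.Key + "=" + value; return true; }
        }
        return false;
    }
    // Same order as the handler: Cookie, Referer, Post, Get.
    public static bool Inspect(IDictionary<string, string> cookies, string referer,
        IDictionary<string, string> form, IDictionary<string, string> query,
        out string source, out string offending)
    {
        var refererData = referer == null ? null
            : new[] { new KeyValuePair<string, string>("Referer", referer) };
        return Scan("Cookie", cookies, out source, out offending)
            || Scan("Referer", refererData, out source, out offending)
            || Scan("Post", form, out source, out offending)
            || Scan("Get", query, out source, out offending);
    }
    public static void Main()
    {
        // Constructed input: the post's own test, "?action=delete from user", as sent on the wire
        var query = new Dictionary<string, string> { ["action"] = "delete%20from%20user" };
        bool hit = Inspect(null, "https://example.test/", null, query, out string source, out string offending);
        Console.WriteLine(hit ? source + " data has malicious characters: " + offending : "clean");
    }
}
```

Cookie, form and referer values are scanned the same way; a legitimate value that happens to contain "select from" would also be flagged, which is why a filter of this kind works best as a logging and alerting layer rather than the only defence.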