最常见的网络攻击就是跨站脚本攻击和SQL注入。
其他的只要注意数据安全,即数据库返回的数据与前台展示的数据分离,最好不要公用model,一般的等保测试就没问题。
以下针对未在过滤器中统一处理的情况补加单独处理的方式。
如果在过滤器中统一处理,同样是用下面这些正则去匹配,总体模式相似。需要强调的是:这种基于黑名单的正则过滤只能作为纵深防御的补充——SQL注入的根本防护是参数化查询(SqlParameter),XSS的根本防护是输出时按上下文进行HTML/JS编码;黑名单无法穷尽绕过方式,还会误删正常内容(例如下面删除"asc"会改掉"Pascal"这类正常词),不能单独依赖它。
//扩展方法(带 this 参数)必须定义在顶层的非泛型静态类中才能使用
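/// <summary>
/// Best-effort blacklist sanitizer for untrusted text: decodes a fixed set of
/// HTML entities, strips script blocks, tags and comments, removes single quotes
/// and a fixed list of SQL/script keywords, and repeats until nothing changes.
/// </summary>
/// <remarks>
/// Defense in depth only. A blacklist cannot be made complete, and several
/// entries ("asc", "body", "insert") also corrupt ordinary text such as
/// "Pascal" or "anybody". SQL injection must be prevented with parameterized
/// queries and XSS with context-aware output encoding at render time; callers
/// must not rely on this method for either.
/// Compared with the earlier version: entities are now decoded before markup
/// is stripped (previously an entity-encoded tag was decoded back into a live
/// tag after the stripping step had already run), the passes repeat to a fixed
/// point so nested tokens such as "aleralertt" cannot reassemble a keyword
/// after a single removal, and the unreachable final quote-doubling step was
/// dropped (every quote had already been removed a few lines above it).
/// </remarks>
/// <param name="strInput">Value to sanitize; null yields an empty string.</param>
/// <returns>The sanitized text, or an empty string when the input is null or sanitizing fails.</returns>
public static string FilterString(this object strInput)
{
    if (strInput == null)
    {
        return string.Empty;
    }

    try
    {
        string text = strInput.ToString();
        if (text == null)
        {
            return string.Empty;
        }

        // Every transform only ever shortens the string, so the loop terminates.
        // It stops when a full pass changes nothing, which is what defeats
        // "aleralertt" -> "alert" style reassembly after a single removal.
        string previous;
        do
        {
            previous = text;
            text = DecodeEntities(text);
            text = StripMarkup(text);
            text = RemoveBlacklisted(text);
        }
        while (text != previous);

        return text;
    }
    catch
    {
        // Fail closed: a throwing ToString() or a regex match timeout yields no
        // data rather than unfiltered data.
        return string.Empty;
    }
}

// Patterns are cached (the original recompiled every pattern on every call),
// culture-invariant (so IgnoreCase is not affected by the thread culture) and
// carry a match timeout so hostile input cannot pin a thread in the engine.
// Declaration order matters: static fields initialize in textual order.
private static readonly System.TimeSpan s_matchTimeout = System.TimeSpan.FromMilliseconds(250);
private static readonly RegexOptions s_options = RegexOptions.IgnoreCase | RegexOptions.CultureInvariant;

private static readonly Regex s_scriptBlock = new Regex(@"<script[^>]*?>.*?</script>", s_options, s_matchTimeout);
private static readonly Regex s_anyTag = new Regex(@"<(.[^>]*)>", s_options, s_matchTimeout);
private static readonly Regex s_commentClose = new Regex(@"-->", s_options, s_matchTimeout);
private static readonly Regex s_commentOpen = new Regex(@"<!--.*", s_options, s_matchTimeout);
private static readonly Regex s_numericEntity = new Regex(@"&#(\d+);", s_options, s_matchTimeout);

// Entity forms and their decoded values, index-aligned. "&amp;" is decoded
// before "&lt;"/"&gt;" (inherited order), so double-encoded input such as
// "&amp;lt;" also ends up as "<" -- and is then stripped, not emitted.
private static readonly Regex[] s_namedEntities =
{
    new Regex(@"&(quot|#34);", s_options, s_matchTimeout),
    new Regex(@"&(amp|#38);", s_options, s_matchTimeout),
    new Regex(@"&(lt|#60);", s_options, s_matchTimeout),
    new Regex(@"&(gt|#62);", s_options, s_matchTimeout),
    new Regex(@"&(iexcl|#161);", s_options, s_matchTimeout),
    new Regex(@"&(cent|#162);", s_options, s_matchTimeout),
    new Regex(@"&(pound|#163);", s_options, s_matchTimeout),
    new Regex(@"&(copy|#169);", s_options, s_matchTimeout),
};

// \u escapes instead of \x: C#'s \x takes a variable number of hex digits and
// silently swallows following hex characters.
private static readonly string[] s_namedEntityValues =
{
    "\"", "&", "<", ">", "\u00A1", "\u00A2", "\u00A3", "\u00A9",
};

// Removed verbatim, case-insensitively, in this order. The list is inherited
// and left unchanged, but note that "asc", "body", "insert" and "truncate"
// match inside ordinary words and will mangle legitimate data.
private static readonly string[] s_blacklist =
{
    "xp_cmdshell",
    "insert",
    "DELETE from",
    "count''",
    "drop table",
    "truncate",
    "asc",
    "'",
    "alert",
    "iframe",
    "onmouseover",
    "onload",
    "prompt",
    "body",
    "exec master",
    "net localgroup administrators",
};

private static readonly Regex[] s_blacklistPatterns = BuildBlacklistPatterns();

// Compiles each blacklist token as a literal (Regex.Escape) so a future entry
// containing a metacharacter cannot silently change what is matched.
private static Regex[] BuildBlacklistPatterns()
{
    Regex[] patterns = new Regex[s_blacklist.Length];
    for (int i = 0; i < s_blacklist.Length; i++)
    {
        patterns[i] = new Regex(Regex.Escape(s_blacklist[i]), s_options, s_matchTimeout);
    }
    return patterns;
}

// Decodes the known entity forms, then drops any other numeric entity. Runs
// before markup stripping so an encoded tag is stripped rather than decoded
// into the output after stripping has already happened.
private static string DecodeEntities(string text)
{
    for (int i = 0; i < s_namedEntities.Length; i++)
    {
        text = s_namedEntities[i].Replace(text, s_namedEntityValues[i]);
    }
    return s_numericEntity.Replace(text, string.Empty);
}

// Removes <script>...</script> blocks, then any remaining tag, then HTML
// comment delimiters. "<!--.*" has no Singleline option, so it removes from
// the comment opener to the end of that line only.
private static string StripMarkup(string text)
{
    text = s_scriptBlock.Replace(text, string.Empty);
    text = s_anyTag.Replace(text, string.Empty);
    text = s_commentClose.Replace(text, string.Empty);
    return s_commentOpen.Replace(text, string.Empty);
}

// Deletes every blacklisted token once; the caller repeats until stable.
private static string RemoveBlacklisted(string text)
{
    foreach (Regex pattern in s_blacklistPatterns)
    {
        text = pattern.Replace(text, string.Empty);
    }
    return text;
}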