针对 URL 和 POST 的跨站攻击，需要过滤关键词。在 .NET 网站的根目录下新建一个名为 Global.asax 的文件，代码如下：
<%@ Application Language="C#" %>
<script runat="server">
// Runs once when the application starts. The try block is a placeholder for the
// WeChat API initialisation mentioned in the original comment; nothing runs yet.
void Application_Start(object sender, EventArgs e)
{
// Code that runs on application startup
try
{
// WeChat API (placeholder, no code yet)
}
catch
{
// NOTE(review): a bare catch hides the startup failure, and under IIS integrated mode
// HttpContext.Current / Response are generally not usable from Application_Start
// ("Request is not available in this context") — confirm this redirect can actually
// run here; logging the exception and failing fast is the usual alternative.
System.Web.HttpContext.Current.Response.Redirect("/Err.aspx");
}
}
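// Per-request gate: anti-hotlink check for image paths, keyword scan of POST fields,
// and re-assembly of the query string before the page runs. The keyword scan is a
// coarse blacklist (see IsDanger); it does not replace parameterized SQL and output
// encoding in the pages themselves.
protected void Application_BeginRequest(object sender, EventArgs e)
{
// Anti-hotlinking: an image request whose Referer is absent or from another host/port
// receives a placeholder image instead. The Referer header is set by the client, so this
// is a nuisance control only. The path test is case-insensitive because IIS serves paths
// case-insensitively (the original used a case-sensitive Contains).
if (RawUrlContains("images/"))
{
if (Request.UrlReferrer == null || !IsSameDomain(Request.UrlReferrer, Request.Url))
{
Response.ContentType = "image/jpeg";
string placeholder = Request.MapPath("~/daolian.jpg");
Response.WriteFile(placeholder);
// End the request here; Response.End() raises ThreadAbortException by design.
Response.End();
}
}

// Scan every POST field except the ViewState hidden field. The /teacher/, /user/,
// /webadmin/ and /ashx/ areas are exempt (presumably because they post content that
// would trip the blacklist — confirm with the page authors).
if (!RawUrlContains("/teacher/") && !RawUrlContains("/user/")
&& !RawUrlContains("/webadmin/") && !RawUrlContains("/ashx/"))
{
RejectDangerousFormFields();
}

// Only .aspx requests have their query string rebuilt; fckeditor URLs are left alone
// because the rewrite would intercept its normal URLs (original author's note). The
// dot is now a literal: the original pattern ".aspx" let the dot match any character.
if (Request.QueryString.Count > 0 && RawUrlContains(".aspx") && !RawUrlContains("fckeditor"))
{
// Either Response.Redirect or Context.RewritePath works here; RewritePath keeps the
// change server-side, as in the original.
Context.RewritePath(BuildNormalizedUrl());
}
}

// Ordinal, case-insensitive substring test on the raw request URL (path + query).
private bool RawUrlContains(string fragment)
{
return Request.RawUrl.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0;
}

// Runs IsDanger over each POST value and terminates the request on the first hit.
private void RejectDangerousFormFields()
{
for (int i = 0; i < Request.Form.Count; i++)
{
// The original compared the field VALUE with "__VIEWSTATE", so the ViewState blob
// was never actually skipped; the key is what identifies the hidden field.
if (Request.Form.Keys[i] == "__VIEWSTATE")
{
continue;
}
// Form[i] is null for a value-less field; IsDanger treats null as safe.
if (IsDanger(Request.Form[i]))
{
// NOTE(review): the rejection is sent with status 200; a 4xx status would let
// clients and logs distinguish it from a normal page.
Response.Write("The content you submitted contains illegal characters that have been rejected.");
Response.End();
}
}
}

// Rebuilds RawUrl's path followed by every parsed query parameter, re-encoded.
// Re-encoding matters: RewritePath re-parses the query, so a decoded value that
// contains '&' or '=' (which the original emitted verbatim) would split into extra
// parameters. Repeated keys are emitted one per value instead of collapsed to "a=1,2".
// NOTE(review): on older .NET Framework versions Uri.EscapeDataString rejects strings
// longer than roughly 32K characters; an oversized parameter would then surface in
// Application_Error rather than be rewritten.
private string BuildNormalizedUrl()
{
string raw = Request.RawUrl;
// The query starts at the first '?'; LastIndexOf would move part of the query into the path.
int queryStart = raw.IndexOf('?');
StringBuilder url = new StringBuilder(queryStart < 0 ? raw : raw.Substring(0, queryStart));
bool first = true;
for (int i = 0; i < Request.QueryString.Count; i++)
{
string key = Request.QueryString.Keys[i];
string[] values = Request.QueryString.GetValues(i) ?? new string[] { "" };
foreach (string value in values)
{
url.Append(first ? '?' : '&');
first = false;
// A key-less parameter ("?foo") parses as key null / value "foo"; emit the bare value.
if (key != null)
{
url.Append(Uri.EscapeDataString(key)).Append('=');
}
url.Append(Uri.EscapeDataString(value ?? ""));
}
}
return url.ToString();
}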
// Runs once when the application shuts down. Intentionally empty.
void Application_End(object sender, EventArgs e)
{
// Code that runs on application shutdown
}
// Runs when an unhandled error occurs. Intentionally empty: unhandled exceptions
// (including any thrown from Application_BeginRequest) fall through to ASP.NET's
// default error handling.
void Application_Error(object sender, EventArgs e)
{
// Code that runs when an unhandled error occurs
}
// Runs when a new session is started. Intentionally empty.
void Session_Start(object sender, EventArgs e)
{
// Code that runs when a new session starts
}
// Runs when a session ends. Intentionally empty.
void Session_End(object sender, EventArgs e)
{
// Code that runs when a session ends.
// Note: Session_End is raised only when the sessionstate mode in Web.config is set
// to InProc. If the session mode is set to StateServer or SQLServer, the event is
// not raised.
}
// Returns whether two URIs belong to the same domain (host and port)
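// True when both URIs share host and port. Used by the anti-hotlink check; the Referer
// it compares is client-supplied, so treat the result as advisory only.
// Parameters: u1, u2 — the URIs to compare (null is passed through to Uri.Compare).
bool IsSameDomain(Uri u1, Uri u2)
{
// Host names are not linguistic text: ordinal comparison avoids culture-specific case
// folding (e.g. the Turkish dotless i) mis-judging two otherwise identical hosts, which
// CurrentCultureIgnoreCase in the original could do.
return Uri.Compare(u1, u2, UriComponents.HostAndPort, UriFormat.SafeUnescaped, StringComparison.OrdinalIgnoreCase) == 0;
}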
// Returns the leading run of ASCII digits ('0'-'9') in str; empty when str does not
// start with a digit. Currently unused: its call in Application_BeginRequest is
// commented out.
protected string HandleRequestParam(string str)
{
string lowered = str.ToLower();
int digitEnd = 0;
// Advance while the character is an ASCII digit (code points 48..57).
while (digitEnd < lowered.Length && lowered[digitEnd] >= '0' && lowered[digitEnd] <= '9')
{
digitEnd++;
}
return lowered.Substring(0, digitEnd);
}
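// Keyword blacklist applied to POST field values. The pattern is kept verbatim from the
// original (case-sensitive, "." is a wildcard in "iframe." and "script."). Built once
// instead of re-parsed on every field of every request.
private static readonly Regex DangerPattern = new Regex(
@"exec|insert|select|delete|update|master|truncate|char|declare|join|iframe.|href|script.|<|>|request",
RegexOptions.Compiled);

// Returns true when InText contains any blacklisted keyword; null is treated as safe.
// This is a coarse, case-sensitive filter that will also reject ordinary words
// containing a keyword (e.g. "character"); it is a defence-in-depth layer, not a
// substitute for parameterized SQL and output encoding in the pages.
protected bool IsDanger(string InText)
{
if (InText == null)
{
return false;
}
return DangerPattern.IsMatch(InText);
}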
</script>