  • 如何让Asp.net Web Api全局预防Xss攻击

    一、概述

    二、什么是XSS

    三、预防方法

    四、在WebApi中如何实现

      在实现之前,需要了解ASP.NET WEB API的pipeline机制。

    根据上述 pipeline(原文此处附有流程图),请求在到达 Action 之前会经过多个可扩展点,因此可以在不同阶段对参数进行过滤。需要注意的是,输入过滤只是纵深防御,防止 XSS 的根本手段仍然是输出时按上下文进行编码。下面给出两种实现方式:

    1、重写 DelegatingHandler 的 SendAsync 方法进行过滤,结合 AntiXss 类库(Microsoft.Security.Application 命名空间下的 Sanitizer)实现。该方式只检查 QueryString,不覆盖路由参数和请求体。

    using System;
    using System.Collections.Generic;
    using System.Linq;
    using System.Web;
    using System.Web.Http;
    using System.Web.Mvc;
    using System.Web.Optimization;
    using System.Web.Routing;
    using System.Web.Http.Controllers;
    using Microsoft.Security.Application;
    using System.Reflection;
    using System.ComponentModel;
    using System.Threading;
    using System.Net.Http;
    
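    namespace MyNamespace
    {
        /// <summary>
        /// Message handler that rejects a request when any query-string value would be
        /// altered by <see cref="Sanitizer.GetSafeHtmlFragment"/>, i.e. when AntiXss
        /// considers it to contain unsafe markup. Added to
        /// <c>HttpConfiguration.MessageHandlers</c>, so it applies to every request.
        /// </summary>
        /// <remarks>
        /// Scope: only the query string is inspected. Route segments, headers and the
        /// request body are not examined here. Because the check is "sanitizer output
        /// differs from raw value", benign input that the sanitizer merely normalises
        /// (whitespace, entity encoding) is also rejected. Input filtering is
        /// defence-in-depth only; contextual output encoding remains the primary XSS control.
        /// </remarks>
        public class AntiXssHttpMessageHandler : DelegatingHandler
        {
            /// <summary>
            /// Inspects the query string and either short-circuits with 400 Bad Request
            /// or forwards the request down the pipeline.
            /// </summary>
            /// <param name="Request">The incoming request.</param>
            /// <param name="cancellationToken">Token forwarded to the inner handler.</param>
            /// <returns>
            /// A 400 response when a query value contains disallowed markup; otherwise the
            /// inner handler's response.
            /// </returns>
            /// <exception cref="ArgumentNullException"><paramref name="Request"/> is null.</exception>
            protected override System.Threading.Tasks.Task<HttpResponseMessage> SendAsync(HttpRequestMessage Request, System.Threading.CancellationToken cancellationToken)
            {
                if (Request == null)
                {
                    throw new ArgumentNullException("Request");
                }

                // Parse once; the original re-parsed the query string on every access.
                var query = Request.RequestUri.ParseQueryString();
                foreach (var key in query.AllKeys)
                {
                    var raw = query[key];
                    if (string.IsNullOrEmpty(raw))
                    {
                        continue;
                    }

                    var sanitized = Sanitizer.GetSafeHtmlFragment(raw);
                    if (!string.Equals(sanitized, raw, StringComparison.Ordinal))
                    {
                        // Reject with 400 instead of throwing a bare Exception: an unhandled
                        // exception surfaces as 500 (and, with detailed errors enabled, a
                        // stack trace). The offending value is deliberately not echoed back.
                        var rejected = new HttpResponseMessage(System.Net.HttpStatusCode.BadRequest)
                        {
                            RequestMessage = Request,
                            ReasonPhrase = "Bad Request",
                            Content = new StringContent("A query string parameter contains disallowed markup.")
                        };
                        return System.Threading.Tasks.Task.FromResult(rejected);
                    }
                }

                return base.SendAsync(Request, cancellationToken);
            }
        }
    }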
     /// <summary>
     /// Configures Web API: the default route, System.Diagnostics tracing and the
     /// global <see cref="AntiXssHttpMessageHandler"/>.
     /// </summary>
     public static class WebApiConfig
        {
            /// <summary>
            /// Registers routes, tracing and the AntiXss message handler on
            /// <paramref name="config"/>.
            /// </summary>
            /// <param name="config">The application's Web API configuration.</param>
            public static void Register(HttpConfiguration config)
            {
                // A handler in the global MessageHandlers collection applies to every
                // request, so no per-controller attribute is needed.
                config.MessageHandlers.Add(new AntiXssHttpMessageHandler());

                // NOTE(review): diagnostics tracing records request details; confirm it
                // is intended outside development.
                config.EnableSystemDiagnosticsTracing();

                var routeDefaults = new { id = RouteParameter.Optional };
                config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", routeDefaults);
            }
        }

    2、重写ApiControllerActionInvoker的InvokeActionAsync方法

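    /// <summary>
    /// Action invoker that runs every <c>string</c> action argument through
    /// <see cref="Sanitizer.GetSafeHtmlFragment"/> before the action executes, so the
    /// controller receives the sanitised value instead of the raw input.
    /// </summary>
    /// <remarks>
    /// This silently rewrites the argument (markup AntiXss deems unsafe is removed);
    /// neither the caller nor the action learns that the value was altered. Only
    /// top-level string arguments are covered: string properties inside bound model
    /// objects are not inspected. Output encoding at render time remains the primary
    /// XSS defence.
    /// </remarks>
    public class XssActionInvoker : ApiControllerActionInvoker
    {
        /// <summary>
        /// Sanitises the string entries of <c>filterContext.ActionArguments</c>, then
        /// delegates to the base invoker.
        /// </summary>
        /// <param name="filterContext">Action context carrying the bound arguments.</param>
        /// <param name="cancellationToken">Token forwarded to the base invoker.</param>
        /// <returns>The task returned by the base <c>InvokeActionAsync</c>.</returns>
        public override System.Threading.Tasks.Task<System.Net.Http.HttpResponseMessage> InvokeActionAsync(HttpActionContext filterContext, System.Threading.CancellationToken cancellationToken)
        {
            // Collect replacements first: ActionArguments must not be modified
            // while it is being enumerated.
            var replacements = new Dictionary<string, object>();
            foreach (var argument in filterContext.ActionArguments)
            {
                // `as` instead of GetType(): a null argument (nullable or optional
                // string, missing parameter) previously threw NullReferenceException.
                var text = argument.Value as string;
                if (string.IsNullOrWhiteSpace(text))
                {
                    continue;
                }

                var clean = Sanitizer.GetSafeHtmlFragment(text);
                if (!string.Equals(clean, text, StringComparison.Ordinal))
                {
                    replacements[argument.Key] = clean;
                }
            }

            foreach (var replacement in replacements)
            {
                filterContext.ActionArguments[replacement.Key] = replacement.Value;
            }

            return base.InvokeActionAsync(filterContext, cancellationToken);
        }
    }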
     /// <summary>
     /// Global.asax code-behind. At start-up it replaces Web API's default action
     /// invoker with <see cref="XssActionInvoker"/> so string arguments are
     /// sanitised before any action runs.
     /// </summary>
     public class WebApiApplication : System.Web.HttpApplication
        {
            /// <summary>
            /// Installs <see cref="XssActionInvoker"/> as the application-wide
            /// <see cref="IHttpActionInvoker"/>. Route registration is not part of this listing.
            /// </summary>
            protected void Application_Start()
            {
                var services = GlobalConfiguration.Configuration.Services;
                IHttpActionInvoker invoker = new XssActionInvoker();
                services.Replace(typeof(IHttpActionInvoker), invoker);
            }
        }
  • 原文地址:https://www.cnblogs.com/ruanyifeng/p/4739807.html