ASP.NET Security

1. Input security

  Security risk: XSS (cross-site scripting)

  Solution: use the AntiXSS library provided by Microsoft

  How to use it:

1. Use the Configuration Generation tool to analyze your Web application project and generate
a configuration file, which must be copied to your Web application root directory. The
configuration tool examines the assemblies produced when you compile a Web application. If
you are using Visual Studio's Web site approach, assemblies are not produced because there
is no compilation stage. In this case you can use the supplied default configuration file that
will provide protection for the standard ASP.NET controls but may not protect any customized
controls.
2. Copy the SRE run-time DLLs from the Security Runtime Engine\Module folder to your
Web application \bin folder.
3. Enable the SRE run-time by editing your web.config file. If you are using IIS6 or IIS7 in
Classic ASP.NET mode, then add the following to the <httpModules> list in the system.web
section. If you are using IIS7 in integrated pipeline mode, add the following to the
<modules> list in the system.webServer section.

   <add name="AntiXssModule" type="Microsoft.Security.Application.SecurityRuntimeEngine.AntiXssModule"/>

You can exclude pages or individual controls from the SRE via the configuration file, or
declaratively in code by applying the SupressAntiXssEncoding attribute to a page or a control.
Following is an example:

   [Microsoft.Security.Application.SecurityRuntimeEngine.SupressAntiXssEncoding()]
   public partial class _Default : System.Web.UI.Page
   {
       protected void Page_Load(object sender, EventArgs e)
       {
           ...
       }
   }

 

What each encoding method is for (choose the encoder by the output context the value lands in):

  HtmlEncode: Use this when untrusted input is assigned to HTML output, unless it is assigned to an HTML attribute.
  HtmlAttributeEncode: Use this when untrusted input is assigned to an HTML attribute (such as id, name, width or height).
  JavaScriptEncode: Use this when untrusted input is used within JavaScript.
  UrlEncode: Use this when untrusted input is used to produce (or is used within) a URL.
  VisualBasicScriptEncode: Use this when untrusted input is used within VBScript.
  XmlEncode: Use this when untrusted input is assigned to XML output, unless it is assigned to an XML attribute.
  XmlAttributeEncode: Use this when untrusted input is assigned to an XML attribute.

GetSafeHtmlFragment: inspects the supplied HTML, automatically identifies dangerous content and strips it out, returning a fragment that is safe to insert into a page.

GetSafeHtml: the same sanitization, but the result is wrapped in <html><body></body></html>; useful when a complete page is being generated automatically.

 

2. Cookie security

  Set httpOnlyCookies to true in web.config so every cookie is flagged HttpOnly (not readable from client-side script):

   <system.web>
     <httpCookies httpOnlyCookies="true"/>
   </system.web>

Besides this site-wide setting, you can also mark individual cookies in code:

   HttpCookie protectedCookie = new HttpCookie("protectedCookie");
   protectedCookie.HttpOnly = true;
   Response.AppendCookie(protectedCookie);

 

3. Input validation

    ASP.NET provides a set of validation controls for this.


Key principles

- Review all inputs to a system and decide if they are trustworthy: Remember that all
inputs should be considered untrustworthy by default. If input must be trusted and comes
from outside your application, it must be validated and sanitized. A good practice is to
perform validation for all inputs, trusted or not.
- Review code that generates output: Remember that XSS attacks are dependent on using
untrusted input as direct output. Examine your code. Look for Response.Write, <%= and
setting Text of Web Controls as well as other properties on ASP.NET controls.
- Examine output functions and determine if they use untrusted input parameters: Once
all output parameters have been discovered, examine the values they are using to generate
output. If they are using untrusted input, then it will require encoding. Typical input sources
that generate output include database queries, the reading of files from the file system, and
calls to Web services.
- Determine what encoding the output expects: Different output types require different
encoding methods. For example, HTML requires HTML encoding, URLs require
URL encoding, and so on.
- Encode output: When assigning output, use the encoding you have determined to make
the output safe.
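The following Web Forms code-behind is an added example, not code from the original post or from the AntiXSS library: it takes one untrusted request value and routes it through the encoder that matches each output context listed earlier (HTML body, HTML attribute, URL, JavaScript), shows the raw pattern the checklist says to hunt for, and uses GetSafeHtmlFragment for a field that must stay HTML. The parameter names "user" and "bio", the control IDs, and the static AntiXss class of the v3.x library are assumptions.

```csharp
// Added example (not from the original post or the AntiXSS library). Assumes an
// .aspx page that declares the three controls below; "user" and "bio" are
// assumed request parameter names.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using Microsoft.Security.Application; // AntiXSS library: static AntiXss class (v3.x)

public partial class Profile : Page
{
    // Declared here so the file compiles stand-alone; in a designer-file project
    // these come from Profile.aspx.designer.cs instead.
    protected Label GreetingLabel;   // <asp:Label ID="GreetingLabel" runat="server" />
    protected Literal ProfileLink;   // <asp:Literal ID="ProfileLink" runat="server" />
    protected Literal BioFragment;   // <asp:Literal ID="BioFragment" runat="server" />

    protected void Page_Load(object sender, EventArgs e)
    {
        // Anything that arrives with the request is untrusted by default.
        string user = Request.QueryString["user"] ?? string.Empty;
        string bio  = Request.Form["bio"] ?? string.Empty;  // rich-text field, HTML allowed

        // The pattern the checklist tells you to look for: untrusted input assigned
        // straight to a control's Text. Left commented out on purpose.
        // GreetingLabel.Text = "Hello " + user;

        // 1. HTML body context -> HtmlEncode.
        GreetingLabel.Text = "Hello " + AntiXss.HtmlEncode(user);

        // 2. Three contexts inside one tag: the href value is URL-encoded, the title
        //    attribute is attribute-encoded, and the visible link text is HTML-encoded.
        ProfileLink.Text = string.Format(
            "<a href=\"/users/{0}\" title=\"{1}\">{2}</a>",
            AntiXss.UrlEncode(user),
            AntiXss.HtmlAttributeEncode(user),
            AntiXss.HtmlEncode(user));

        // 3. JavaScript string context -> JavaScriptEncode. The AntiXSS version wraps
        //    the result in quotes itself, so none are added here.
        string script = "var currentUser = " + AntiXss.JavaScriptEncode(user) + ";";
        ClientScript.RegisterStartupScript(GetType(), "currentUser", script, true);

        // 4. Input that must remain HTML cannot be encoded without destroying it, so it
        //    is sanitized instead: GetSafeHtmlFragment strips script, event-handler
        //    attributes and dangerous tags while keeping ordinary formatting markup.
        BioFragment.Text = AntiXss.GetSafeHtmlFragment(bio);
    }
}
```

Each of the four assignments corresponds to one entry in the encoder list above; the point is that the same value needs a different encoder depending on where in the page it ends up.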

 

- Ensure cookies are marked as HttpOnly: As part of your layered defense, ensure that
any cookies that you do not need to access on the Web client are marked with the HttpOnly
attribute.
- Do not disable request validation on a site-wide basis: Request validation should be
disabled on a per-page basis. This ensures that any page where you forget that input is
accepted will be protected until you add encoding to the page output and turn request
validation off.
- Use Microsoft's Anti-XSS library and SRE: The Microsoft Anti-XSS library provides
more robust and flexible encoding methods than the standard .NET framework. In
addition, the SRE will automatically encode output for controls it knows about. However,
this is not an excuse to avoid explicitly encoding output yourself.

 

posted @ 2011-03-17 16:11 Sum_yang