ASP.NET 网站防攻击安全设置
针对已解密的 __VIEWSTATE 参数漏洞的整改建议：在 <system.web> 下添加
<!-- NOTE(review): "3DES" selects a legacy algorithm; on .NET 4 or later prefer
     validation="HMACSHA256" together with decryption="AES". The MAC only detects tampering —
     keeping ViewState contents unreadable additionally needs viewStateEncryptionMode="Always"
     on <pages>. Confirm the site's target framework before changing the value. -->
<machineKey validation="3DES"/>
禁用脚本调试
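<!-- The heading above says "disable script debugging", but debug="true" does the opposite:
     debug compilation emits symbols and exposes more diagnostic detail in error responses.
     Production configuration must set it to false. -->
<compilation debug="false">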
/// <summary>
/// Ties this page's ViewState MAC to the current session, so a ViewState blob captured in one
/// session cannot be replayed in another (the standard ViewStateUserKey pattern).
/// </summary>
/// <param name="e">Event data, passed through to the base implementation.</param>
protected override void OnInit(EventArgs e)
{
    base.OnInit(e);

    // Read the session from the context rather than Page.Session: presumably because
    // Page.Session throws when session state is disabled while the context returns null — confirm.
    System.Web.SessionState.HttpSessionState session = System.Web.HttpContext.Current.Session;
    if (session == null)
    {
        return;
    }

    // NOTE(review): SessionID is only stable once something has been stored in the session;
    // a still-empty session may get a fresh ID per request, which would break the MAC check
    // on postback — verify against how the application initialises the session.
    ViewStateUserKey = session.SessionID;
}
防止伪造用户身份
/// <summary>
/// Admin login page. On the first (non-postback) request it empties the current session so that
/// no identity data left over on the same session carries into the login flow.
/// </summary>
public partial class AdminLogin : System.Web.UI.Page
{
    /// <summary>
    /// Clears session data when the page is loaded fresh; postbacks (the login submit itself)
    /// leave the session untouched.
    /// </summary>
    /// <param name="sender">Event source (unused).</param>
    /// <param name="e">Event data (unused).</param>
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack)
        {
            return;
        }

        // NOTE(review): Session.Clear() removes the stored items but keeps the session ID, so the
        // same ID is reused after a successful login; if session fixation is a concern, consider
        // Session.Abandon() plus reissuing the session cookie — confirm against the login handler.
        Session.Clear();
    }
}
防SQL注入
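/// <summary>
/// Keyword/character denylist check for user-supplied text. Returns <c>true</c> when
/// <paramref name="oldstr"/> contains none of the blocked fragments, <c>false</c> otherwise.
/// </summary>
/// <remarks>
/// This is a coarse denylist, not an injection defence: it rejects harmless text containing
/// "-", "," or quotes, and it cannot know every keyword or encoding. Database access must still
/// use parameterized commands (SqlParameter); treat this method as input sanity checking only.
/// </remarks>
/// <param name="oldstr">Text to inspect. Null or empty is treated as clean.</param>
/// <returns><c>true</c> if no blocked fragment is present; <c>false</c> if at least one is.</returns>
public static bool FilterChar(string oldstr)
{
    // Nothing to scan. The original dereferenced the argument unconditionally and threw
    // NullReferenceException on null.
    if (string.IsNullOrEmpty(oldstr))
    {
        return true;
    }

    string[] filterstr =
    {
        "and ", "exec ", "insert ", "select ", "delete ", "update ", "count(", "from ", "drop ",
        "asc(", "char(", "or ", "chr(", "mid(", " master", "truncate ", "declare ", "sitename",
        "net user", "xp_cmdshell ", " /add", "exec master.dbo.xp_cmdshell", "net localgroup administrators",
        // The three quote/backslash entries appeared as "/'", "/"" and "//" in the listing, which
        // does not compile; they are read here as the backslash-escaped single quote, double quote
        // and backslash (the usual SQL string metacharacters) — confirm against the original source.
        "%", ";", "'", "\"", "-", "@", ",", "\\", "!", "(", ")", "[", "]", "{", "}", "|"
    };

    foreach (string fragment in filterstr)
    {
        // Case-insensitive match: the original Contains() is ordinal and case-sensitive, so
        // "SELECT " or "Or " passed the check unchanged.
        if (oldstr.IndexOf(fragment, StringComparison.OrdinalIgnoreCase) >= 0)
        {
            return false;
        }
    }

    return true;
}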