Introduction:
A fact that you must always remember: "never ever trust user input". An application that trusts user input may easily be vulnerable to XSS, XSRF, SQL Injection and similar attacks. XSS and XSRF are very dangerous attacks, so to mitigate them ASP.NET introduced request validation in ASP.NET 1.1. During request validation, ASP.NET throws an HttpRequestValidationException ('A potentially dangerous XXX value was detected from the client') if it finds, anywhere in the query string, the posted form or the cookie collection, a < followed by an exclamation mark (like <!), a < followed by one of the letters a through z (like <s), or an & followed by a pound sign (like &#).

In ASP.NET 4.0, request validation became extensible, meaning you can customise how requests are validated. Also in ASP.NET 4.0, request validation is by default performed before the BeginRequest phase of an HTTP request. ASP.NET MVC 3 moves one step further by making request validation granular: you can disable request validation for some properties of a model while keeping it for everything else. In this article I will show you the use of request validation in ASP.NET MVC 3, and then briefly explain the internal working of granular request validation.
Description:
First of all, create a new ASP.NET MVC 3 application. Then create a simple model class called MyModel,

public class MyModel
{
    public string Prop1 { get; set; }
    public string Prop2 { get; set; }
}
Then update the Index action method as follows,

public ActionResult Index(MyModel p)
{
    return View();
}
Now run this application. You will find that everything works just fine. Now append the query string ?Prop1=<s to the URL of this application and you will get an HttpRequestValidationException.

Now decorate the Index action method with [ValidateInputAttribute(false)],

[ValidateInput(false)]
public ActionResult Index(MyModel p)
{
    return View();
}
Run this application again with the same query string. You will find that your application runs without any unhandled exception.

So far there is nothing new in ASP.NET MVC 3, because ValidateInputAttribute was already present in previous versions of ASP.NET MVC. Is there any problem with this approach? Yes, there is. The problem is that users can now send HTML for both the Prop1 and Prop2 properties, and a lot of developers are not aware of it. In other words, everyone can now send HTML in both parameters (e.g. ?Prop1=<s&Prop2=<s). So the ValidateInput attribute does not guarantee that your application is safe from XSS or XSRF. This is why the ASP.NET MVC team introduced granular request validation in ASP.NET MVC 3. Let's see this feature.
Remove [ValidateInputAttribute(false)] from the Index action and update the MyModel class as follows,

public class MyModel
{
    [AllowHtml]
    public string Prop1 { get; set; }
    public string Prop2 { get; set; }
}
Note that the AllowHtml attribute is applied only to the Prop1 property. Run this application again with the ?Prop1=<s query string. You will find that your application runs just fine. Run this application again with the ?Prop1=<s&Prop2=<s query string, and you will get the HttpRequestValidationException. This shows that granular request validation in ASP.NET MVC 3 only allows users to send HTML for properties decorated with the AllowHtml attribute.
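As an added example (my own code, not code from the article), here is how the pattern fits a small comment form: only the field that is expected to carry markup opts out, and an exception filter turns the HttpRequestValidationException that the other fields still raise into a plain 400 response plus a log entry instead of the default error page. The model, controller and filter names are constructed for this example; the filter assumes, as the article's experiment shows, that the exception is raised while MVC binds the action parameters, so an exception filter sees it (a failure raised earlier in the pipeline would have to be handled in Application_Error instead).

```csharp
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Constructed example: a comment form where only Body is expected to carry
// markup. Author and Email keep the standard request validation.
public class CommentModel
{
    public string Author { get; set; }
    public string Email { get; set; }

    [AllowHtml]          // granular opt-out for this property only
    public string Body { get; set; }
}

public class CommentsController : Controller
{
    // Deliberately no [ValidateInput(false)] here: that would also let
    // "<s" or "&#" through in Author and Email.
    [HttpPost]
    public ActionResult Create(CommentModel comment)
    {
        // Body may now contain '<'. Razor's @Model.Body HTML-encodes it when
        // rendered; only Html.Raw(Model.Body) would emit it verbatim.
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        return View();
    }
}

// Converts the HttpRequestValidationException thrown for the still-validated
// properties into a 400 and a trace entry instead of the default error page.
public class RequestValidationFailureFilter : FilterAttribute, IExceptionFilter
{
    public void OnException(ExceptionContext filterContext)
    {
        if (filterContext.ExceptionHandled ||
            !(filterContext.Exception is HttpRequestValidationException))
        {
            return;
        }

        // Record which request tripped validation; useful when looking for
        // probing against the application.
        Trace.TraceWarning("Request validation rejected {0} from {1}",
            filterContext.HttpContext.Request.RawUrl,
            filterContext.HttpContext.Request.UserHostAddress);

        filterContext.ExceptionHandled = true;
        filterContext.Result = new HttpStatusCodeResult(400,
            "Request contained characters that are not allowed");
    }
}

// Global.asax.cs (MVC 3 template shape): register the filter for every controller.
public class MvcApplication : HttpApplication
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new RequestValidationFailureFilter());
        filters.Add(new HandleErrorAttribute());
    }

    protected void Application_Start()
    {
        RegisterGlobalFilters(GlobalFilters.Filters);
    }
}
```

With this in place a POST with Author=<s is answered with a 400 and a trace line, while a POST whose only '<' is in Body reaches the action. The [AllowHtml] opt-out removes the input check for that one property; what keeps the stored markup from becoming XSS is still the encoding applied when it is rendered.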
Sometimes you may need to access Request.QueryString or Request.Form directly. You may change your code as follows,

[ValidateInput(false)]
public ActionResult Index()
{
    var prop1 = Request.QueryString["Prop1"];
    return View();
}
Run this application again and you will get the HttpRequestValidationException again, even though you have [ValidateInput(false)] on your Index action. The reason is that the request flags are still not set to skip validation. I will explain this later. To make this work you need to use the Unvalidated extension method,

public ActionResult Index()
{
    var q = Request.Unvalidated().QueryString;
    var prop1 = q["Prop1"];
    return View();
}
The Unvalidated extension method is defined in the System.Web.Helpers namespace, so you need to add using System.Web.Helpers; to this class file. Run this application again and your application runs just fine.
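As an added example (my own code, not from the article), this action reads one form field through Unvalidated() while every other field goes through the normal, validated Request.Form, so the opt-out stays as narrow for direct access as [AllowHtml] makes it for model binding. The controller, view model and field names are constructed for the example; it relies on the granular collections checking each value as it is read, which is what the article's ?Prop1=<s&Prop2=<s experiment demonstrates.

```csharp
using System.Web.Helpers;   // Unvalidated() extension method (System.Web.WebPages.dll)
using System.Web.Mvc;

// Constructed view model for the preview page; Razor's @Model.Body encodes
// the snippet when it is rendered inside a <pre> element.
public class SnippetViewModel
{
    public string Title { get; set; }
    public string Language { get; set; }
    public string Body { get; set; }
}

public class SnippetController : Controller
{
    private const int MaxBodyLength = 16 * 1024;

    // No [ValidateInput(false)]: the article shows it does not help for direct
    // Request access, and it would widen the opt-out to every field.
    [HttpPost]
    public ActionResult Preview()
    {
        // Validated collection: a "<s" or "&#" in these fields still raises
        // HttpRequestValidationException when the value is read.
        string title = Request.Form["Title"];
        string language = Request.Form["Language"];

        // Only the snippet body is read unvalidated; it is the one field that
        // is expected to contain '<' and '&#'.
        string body = Request.Unvalidated().Form["Body"];

        // The opt-out removed one check, so apply our own limits to that field.
        if (body == null || body.Length > MaxBodyLength)
        {
            return new HttpStatusCodeResult(400, "Snippet body missing or too long");
        }

        return View(new SnippetViewModel
        {
            Title = title,
            Language = language,
            Body = body
        });
    }
}
```

The corresponding Preview.cshtml writes the snippet as @Model.Body, which Razor HTML-encodes; using Html.Raw(Model.Body) there would hand the unvalidated markup straight back to the browser, which is exactly the outcome request validation exists to prevent.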