使用C#处理来自ASP.NET Web服务的验证错误消息 [英] Handle validation error message from ASP.NET web services using C#
问题描述
我有一些Web服务(.asmx),它们是很久以前开发的,IBM工具正在抓取我们的Web服务以查找任何安全漏洞。
< b>我的服务是如何创建的?
- >没有为所有网络方法实施验证逻辑。
- > Web方法期望良好的价值,因此不存在安全检查实现。
IBM工具的处理方式
- >当工具向方法参数注入一些随机值时,它会抛出500个状态代码。
- >我的工作是在这里显示一些通用信息(例如发生错误)而不是投掷500.
方法
- >我必须创建一个验证类,它将包含所有验证逻辑,并将限制恶意数据输入到代码中。
- >我必须去每个方法进行参数验证,如果发生任何验证失败,需要发送验证错误消息。
任何人都知道我怎么能验证方法,以便不需要去每个方法,或者这是我想要遵循的方法?
注意:参数数据验证模式可能会有所不同取决于要求,如果我们有2个字符串参数但是,我们无法使用一个逻辑验证它们,它们可能有不同的规则来接受来自UI端的数据。
任何想法如何实现?
我尝试过:
我创建了一个可以验证所有参数的库,但我们必须在每个Web方法中调用验证库方法。我们有什么方法可以在全球范围内实现这一点。
I have some web services(.asmx) which were developed long back now a IBM tool is crawling our web services to look for any security breaches.
How my services created?
-> There is no validation logic implemented for all the web methods.
-> Web methods are expecting good values so no security check implementation present.
How IBM tool is processing
-> When the tool is injecting some random value to the method parameter it's throwing 500 status code.
-> My work is here to show some generic message(e.g. Error occurred) rather throwing 500.
Approach
-> I have to create a validation class which will contain all the validation logic and will restrict malicious data being entered into the code.
-> I have to go to every method to do the parameter validation and need to send a validation error message if any validation failed occurred.
Any one has any idea how can I validate the methods so that need not go to every method or this is the approach I suppose to follow?
Note: parameter data validation pattern may varies depend upon the requirement, like if we have 2 string parameter but, we can't validate them using one logic they might have different rules to accept data from UI side.
Any idea any suggestion how to achieve?
What I have tried:
I have created a library which can validate all the parameters but we have to call the validation library methods in each web method. Is there any way we can achieve this in globally.
推荐答案
5xx错误表示服务器端出现重大故障 - 这不是一件好事。
除了工具指示的内容之外,如果页面被抓取,5xx错误也会影响您的搜索排名。
如果您有一个工具提供上述5xx错误的URL列表,您可以参考代码中需要查看的位置。然后,只需在IDE中加载代码并在代码中的特定位置设置断点即可查看实际发生的情况。一旦你理解为什么然后你可以添加代码以更加防弹并提供更有意义的响应。
这是一个Http状态代码列表及其含义: HTTP状态代码 - restapitutorial [ ^ ]
5xx error indicates a major failure on the server side - not a good thing.
On top of what the tool is indicating, a 5xx error will also affect your Search Ranking if the pages are been crawled.
If you have a list of URLs that the tool is providing the above mentioned 5xx errors, you have a reference to where in the code you need to look. IT is then just a matter of loading up the code in your IDE and setting breakpoints at those specific places in your code to see what is actually happening. Once you understand why then you can add code to be more bullet proof and provide more meaningful responses.
Here is a list of Http status codes and their meanings: HTTP Status Codes - restapitutorial[^]
这是一个非常标准的漏洞扫描。您的应用程序不仅需要隐藏http错误代码500,还需要隐藏来自对手的404,403(换句话说,始终显示200 OK)。爬虫尝试导航到不存在的页面时发生404错误(http://yourservice.com/ninja.asmx)。 403是爬虫试图列出文件夹的内容(例如:http://yourservice.com/images)如果你修复了500错误,下一次扫描可能会返回403或404.一次修复所有这些避免与安全团队来回。除了隐藏错误之外,您可能还需要考虑如何记录这些错误以供将来进行管理审查。如果你没有这个控制,可能是另一个红旗。
好的,对于http错误:
1.确保应用程序将所有错误重定向到一般错误页面,我们不希望我们的爱管闲事的对手知道什么是坏的
示例:
That a very standard Vulnerability Scan. Your application need not only hide the http error code 500, but also 404, 403 from the adversary (in other words, always display 200 OK). 404 error happen when the crawler try to navigate to a page that does not exists (http://yourservice.com/ninja.asmx). 403 is went the crawler try to list the content of a folder (ex: http://yourservice.com/images) if you fix the 500 error, the next scan might come back with 403 or 404. Fix all of them at once to avoid back and forth with the security team. By the way beside hiding the error, you might also need to think how to log those errors for administrative review in the future. Could be another red flag if you don't have this control in place.
Ok, for the http errors:
1. make sure the application is redirecting all error to a generic error page, we don't want our nosy adversary to know what was broken
Example:
<system.web>
<customErrors mode="On" defaultRedirect="~/Error.html" />
</system.web>
2.在IIS中配置自定义错误页面,这将告诉IIS显示自定义错误页面。例如,如果有人输入了网址http://yourservice.com/ninja.php,那么在应用程序范围之外,IIS必须决定如何处理它。如果IIS返回404,那么攻击者就会知道IIS不支持PHP。等等...
您可以通过IIS配置它或将其复制并粘贴到web.config中
2. Configure custom error pages in IIS, this will tell the IIS to display custom error page. Example, if someone enter url http://yourservice.com/ninja.php, that out of the application jurisdiction, IIS has to decide what to do with it. if the IIS return 404, then the adversary will know the IIS does not support PHP. etc...
You can configure it through the IIS or copy and paste this into the web.config
<system.webServer>
<httpErrors errorMode="Custom">
<remove statusCode="500" subStatusCode="-1" />
<remove statusCode="404" subStatusCode="-1" />
<remove statusCode="403" subStatusCode="-1" />
<remove statusCode="401" subStatusCode="-1" />
<error statusCode="401" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
<error statusCode="403" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
<error statusCode="404" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
<error statusCode="500" subStatusCode="-1" prefixLanguageFilePath="" path="/Error.html" responseMode="ExecuteURL" />
</httpErrors>
</system.webServer>
3. tu关闭调试模式(保持堆栈跟踪等等......)如果不是IBM工具将触发另一个标志。
3. turn off debug mode (keep the stack traces, etc... to yourself) if not the IBM tool will trigger another flag.
<system.web>
<compilation debug="false" />
</system.web>
4.在让其他团队重新扫描/重新运行IBM工具之前进行测试,测试和测试。
请阅读......
HTTP错误&l吨; httpErrors> :官方Microsoft IIS站点 [ ^ ]
<&的customErrors GT;元素 [ ^ ]
ASP.NET Web应用程序中的HTTP错误404 [ ^ ]
如何在IIS 7.5中设置自定义错误页面使用ASP.NET [ ^ ]
4. Test, test, test before letting the other team re-scan/re-run the IBM tool.
Please read...
HTTP Errors <httpErrors> : The Official Microsoft IIS Site[^]
<customErrors> Element[^]
HTTP Error 404 in ASP.NET web application[^]
How To Set Up Custom Error Pages In IIS 7.5 With ASP.NET[^]
这篇关于使用C#处理来自ASP.NET Web服务的验证错误消息的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
