如何根据帖子数据阻止请求? [英] How to block requests based on post data?
问题描述
在IIS中,我可以基于url或查询字符串设置请求过滤,这使我可以阻止一些恶意的GET请求,但这不适用于发布数据.
In IIS I can set request filtering based on url or query string and this allows me to block some malicious GET requests, however this does not work against post data.
示例:
如果我在web.config中设置了此
If I set this in my web.config
<security>
<requestFiltering>
<filteringRules>
<filteringRule name="Stop spam" scanUrl="false" scanQueryString="true">
<denyStrings>
<clear />
<add string="spam" />
</denyStrings>
<scanHeaders>
<clear />
</scanHeaders>
<appliesTo>
<clear />
</appliesTo>
</filteringRule>
</filteringRules>
</requestFiltering>
</security>
在查询字符串中包含单词"spam"的请求将被阻止.但是,我还需要阻止包含该单词的POST请求(例如,来自表单).我是否可以设置一个拒绝规则,该规则将根据POST数据过滤和拒绝请求,如果可以,我该怎么做?
Requests that have word "spam" in the query string will be blocked. However I need to also block POST requests that contain this word (for example from a form). Can I set up a deny rule that will filter and deny requests based on POST data and if so, how do I do that?
推荐答案
看来这无法在IIS中完成,但是我确实设法在站点本身中提出了一种解决方法.将此添加到 Global.asax 确实可以完成这项工作:
It appears that this cannot be done in IIS, however I did manage to come up with a workaround in the site itself. Adding this to Global.asax does seem to do the job:
protected void Application_BeginRequest(object sender, EventArgs e)
{
var sr = new System.IO.StreamReader(Request.InputStream);
string content = sr.ReadToEnd();
var rule = @"spam";
if
(
Regex.IsMatch(content, rule, RegexOptions.IgnoreCase) ||
Regex.IsMatch(Request.Url.Query, rule, RegexOptions.IgnoreCase)
)
{
// TODO: Do some logging here
throw new Exception("Get off my lawn!");
}
}
一点点抬头.除非您知道自己在做什么,否则不要使用它.这将测试所有请求(并使用正则表达式),因此这将减慢网站速度.它也无法解决所有恶意请求.
Just a little heads up. Don't use this unless you know what you are doing. This will test all requests (and using regex at that), so it's going to slow the site down. It won't solve all malicious requests either.
这篇关于如何根据帖子数据阻止请求?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
