在ASP.NET中优雅地处理URI黑客攻击 [英] Handle URI hacking gracefully in ASP.NET

问题描述

我已经编写了一个可以正常处理大多数异常的应用程序，页面的设计完好无损，并且显示了一个很好的错误消息。我的应用程序在 Page_Error 事件中捕获它们，并且向 HttpContext.Curent.Context.Items 中添加异常，然后执行 Server.Transfer 到 Error.aspx 页面。我发现这是ASP.NET中唯一可行的解​​决方案，因为似乎没有其他方法可以集中和通用的方式。

我还处理 Application_Error ，然后我会对发生的异常进行一些检查，以确定是否可以优雅地处理它。我找到的异常我可以优雅地处理这样的事情，这是在一个人黑客URI之后抛出的，包含.NET框架认为危险的字符，或者在文件系统级别基本上是非法的。

这样的URI可以像例如：

• http://exmample.com/illegal


• http://example.com/illegal/


• http://example.com/illegal /

（notice在最后一个URI结束之前的斜线之前的空格）。

我希望这些URI响应404未找到和友好的消息因为没有发生任何错误报告来发送以避免DDOS攻击向量等等，但是我没有找到一种优雅的方法来捕获这些类型的错误，我现在所做的是检查 exception.TargetSite .Name 属性，如果它等于 CheckInvalidPathChars ， ValidatePath 或 CheckSuspiciousPhysicalPa th ，我认为它是一个路径验证异常，并用404回复。

虽然这似乎是一个黑客，首先，方法名称列表可能没有以任何方式完成，其次，这些方法名称可能会被替换或重命名，这将导致我的代码中断。

$ b $有没有人有一个想法，我如何处理这个较少的硬编码和更加面向未来的方式？

PS：我正在使用 System.Web.Routing 在我的应用程序中有干净和敏感的URI，如果这对任何给定的解决方案是重要的。

解决方案

可能是System.Web.Routing支持某种URL过滤，但是很容易实现自己的。

查看 System.Web.IHttpModule 界面，并阅读有关实施自定义HTTP模块的信息。 Http模块进入Asp.Net管道，并在您的页面运行之前运行。您可以使用它来执行请求记录，修改请求并在您的情况下过滤请求。 Asp.Net路由模块也实现为自定义HTTP模块。

您可以做的是实现一个查看所请求的URL的Http模块，并检查它是否已验证。如果网址无效，您可以执行所需的任何操作，例如重定向到您的404 - 未找到的页面，或者您可以停止请求。

I've written an application that handles most exceptions gracefully, with the page's design intact and a pretty error message. My application catches them all in the Page_Error event and there adds the exception to HttpContext.Curent.Context.Items and then does a Server.Transfer to an Error.aspx page. I find this to be the only viable solution in ASP.NET as there seems to be no other way to do it in a centralized and generic manner.

I also handle the Application_Error and there I do some inspection on the exception that occurred to find out if I can handle it gracefully or not. Exceptions I've found I can handle gracefully are such that are thrown after someone hacking the URI to contain characters the .NET framework considers dangerous or basically just illegal at the file system level.

Such URIs can look like e.g.:

• http://exmample.com/"illegal"
• http://example.com/illegal"/
• http://example.com/illegal /

(notice the space before the slash at the end of the last URI).

I'd like these URIs to respond with a "404 Not Found" and a friendly message as well as not causing any error report to be sent to avoid DDOS attack vectors and such. I have, however, not found an elegant way to catch these types of errors. What I do now is inspect the exception.TargetSite.Name property, and if it's equal to CheckInvalidPathChars, ValidatePath or CheckSuspiciousPhysicalPath, I consider it a "path validation exception" and respond with a 404.

This seems like a hack, though. First, the list of method names is probably not complete in any way and second, there's the possibility that these method names gets replaced or renamed down the line which will cause my code to break.

Does anyone have an idea how I can handle this less hard-coded and much more future-proof way?

PS: I'm using System.Web.Routing in my application to have clean and sensible URIs, if that is of any importance to any given solution.

解决方案

It may be that System.Web.Routing supports some sort of url filtering, but it is quite easy to implement your own.

Look at the System.Web.IHttpModule interface and read about implementing custom HTTP Modules. Http modules enter that Asp.Net pipeline and run before your page is run. You can use it to perform logging of requests, to modify requests and in your case to filter requests. The Asp.Net routing module is also implemented as a custom HTTP Module.

What you can do is to implement a Http Module that looks at the requested url and check if it is valid. If the url is invalid you can do whatever you need, for example redirect it to your 404 - not found page or you can just stop the request.

这篇关于在ASP.NET中优雅地处理URI黑客攻击的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！