C# Anti-XSS Example


Idea: filter illegal keywords out of the input before it reaches the program.

Create a new console program and write some code to test the filtering effect.

    using System;
    using System.Text.RegularExpressions;

    class Program
    {
        static void Main(string[] args)
        {
            //GetStrRegex();
            Console.WriteLine("請輸入字符串:");
            string str = Console.ReadLine();
            // Apply up to 100 different patterns to the same input so several
            // candidate regular expressions can be compared in one run.
            for (int i = 0; i < 100; i++)
            {
                Test(str);
            }
        }

        static void Test(string str)
        {
            Console.WriteLine("請輸入正則表達式:");
            string StrRegex = Console.ReadLine();
            // Delete every match of the user-supplied pattern, case-insensitively.
            // Note that an invalid pattern makes Regex.Replace throw ArgumentException.
            str = Regex.Replace(str, StrRegex, "", RegexOptions.IgnoreCase);
            Console.WriteLine($"處理后的字符串為:{str}");
        }
    }

Enter a test string and a regular expression, then observe the result.

String: <script>(script)</script><style>alert("中國偉大復興")</style><h1>111</h1><h2>222</h2>drop delete <div style=""> select update exec trunc database table  index @@@hao好的// 中國。湖北。武漢&&  湖北-- 中國加油!

Regular expressions:

a:    <[^>]*|&nbsp;
b:    <[^>]+?style=[\w]+?:expression\(|\b(alert|confirm|prompt)\b|^\+/v(8|9)|<[^>]*?=[^>]*?&#[^>]*?>|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)


After several rounds of testing, choose the regular expression you consider appropriate.

Below is the regular expression I am currently using; you can modify it as needed.

        // Belongs in the Program class above; needs
        // using System.Collections.Generic; and using System.Text.RegularExpressions;
        static string GetStrRegex()
        {
            List<string> strList = new List<string>();
            // HTML tags and JavaScript keywords
            List<string> htmlList = new List<string>() { "<h1>","<h2>","<h3>","<h4>","<h5>","<h6>","<style>","<script>","javascript","onload","onerror","eval","alert","prompt"};
            // SQL keywords
            List<string> sqlList = new List<string>() { "select","update","delete","drop","trunc","exec","table","database","or","and"};
            // Comment markers and operators
            List<string> chList = new List<string>() { "//","--", "@", "&" ,"||"};
            strList.AddRange(htmlList);
            strList.AddRange(sqlList);
            strList.AddRange(chList);
            // Escape each entry before joining: an unescaped "||" would add empty
            // alternatives to the pattern, and the literal "||" would never be matched.
            string strRegex = string.Join("|", strList.ConvertAll(s => Regex.Escape(s)));
            Console.WriteLine($"你的正則表達式是{strRegex}");
            return strRegex;
        }

Test results

In fact, the simplest approach is just to URL-encode or HTML-encode the string.
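To put the keyword blocklist from GetStrRegex() next to the encoding approach recommended here, the following program (an added example, not code from the original post) runs a Regex.Escape'd version of the post's keyword list and System.Net.WebUtility.HtmlEncode over two constructed inputs.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;

// Added example: the post's keyword blocklist (Strip) beside the output
// encoding the post recommends at the end (Encode). Inputs are constructed.
static class FilterVsEncode
{
    // Same kind of list as GetStrRegex() in the post (shortened). Each entry
    // goes through Regex.Escape so "||", "@" and "&" are matched literally
    // instead of "||" producing empty alternatives in the joined pattern.
    static readonly string[] Keywords =
    {
        "<h1>", "<style>", "<script>", "javascript", "onload", "onerror", "eval", "alert",
        "select", "update", "delete", "drop", "exec", "table", "or", "and",
        "//", "--", "@", "&", "||"
    };

    static readonly Regex Blocklist = new Regex(
        string.Join("|", Keywords.Select(Regex.Escape)),
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // The post's approach: delete every substring that matches a keyword.
    public static string Strip(string input) => Blocklist.Replace(input, "");

    // The approach the post ends with: leave the data alone and encode it for
    // the HTML body/attribute context at output time.
    public static string Encode(string input) => WebUtility.HtmlEncode(input);

    static void Main()
    {
        // Constructed inputs: one hostile, one ordinary sentence.
        string hostile = "<script>alert(1)</script><h1>hi</h1>";
        string legit   = "Tom & Jerry ordered a table for 2 // see you @ 8";

        // Strip removes "<script>", "alert" and "<h1>", but the closing tags are
        // not in the list and survive, and the original data is mutated.
        Console.WriteLine(Strip(hostile));
        // Strip also hits "or" inside "ordered" and "for", and drops "table",
        // "&", "//" and "@" from a perfectly legitimate sentence.
        Console.WriteLine(Strip(legit));
        // Encode turns <, >, & and quotes into entities, so the browser shows the
        // hostile input as text and the legitimate sentence keeps its meaning.
        Console.WriteLine(Encode(hostile));
        Console.WriteLine(Encode(legit));
    }
}
```

WebUtility.HtmlEncode covers text placed in an HTML body or attribute; a value placed in a URL needs WebUtility.UrlEncode instead, which is the URL-encoding case the sentence above mentions.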

