The method of attack defense of. Net core XSS

Time:2019-11-6

The full name of XSS attack is cross site script attack, which is not confused with the abbreviation of cascading style sheets (CSS), so cross site script attack is abbreviated as XSS, XSS is a computer security vulnerability in web applications, which allows malicious web users to embed code into the pages provided for other users.

For example, we insert script code when the form is submitted

If it’s not handled, it’s the effect. I’m just demonstrating a simple pop-up window here

Let’s share my solution.

This library is needed: HTML sanitizer

https://github.com/mganss/HtmlSanitizer

Create a new filter class.

public class XSS
  {
    private HtmlSanitizer sanitizer;
    public XSS()
    {
      sanitizer = new HtmlSanitizer();
      //Sanitizer. Allowedtags. Add ("div"); // white list of tags
      Sanitizer. Allowedattributes. Add ("class"); // white list of tag attributes, no class tag attribute by default      
      //Sanitizer. Allowedcssproperties. Add ("font family"); // CSS property whitelist
    }

    /// <summary>
    ///XSS filtering
    /// </summary>
    ///< param name = "HTML" > HTML code < / param >
    ///< returns > filter results < / returns >
    public string Filter(string html)
    {
      string str = sanitizer.Sanitize(html);
      return str;
    }
  }

Create a new filter

public class FieldFilterAttribute : Attribute,IActionFilter
  {
    private XSS xss;
    public FieldFilterAttribute()
    {
      xss = new XSS();
    }

    // after the Action method is returned,
    public void OnActionExecuted(ActionExecutedContext context)
    {

    }

    // before calling the Action method
    public void OnActionExecuting(ActionExecutingContext context)
    {
      //Get action parameter set
      var ps = context.ActionDescriptor.Parameters;
      //Ergodic parameter set
      foreach (var p in ps)
      {
        if (context.ActionArguments[p.Name] != null)
        {
          //When the parameter is equal to the string
          if (p.ParameterType.Equals(typeof(string)))
          {
            context.ActionArguments[p.Name] = xss.Filter(context.ActionArguments[p.Name].ToString());
          }
          Else if (p.parametertype. Isclass) // when the parameter is equal to the class
          {
            ModelFieldFilter(p.Name, p.ParameterType, context.ActionArguments[p.Name]);
          }
        }          

      }
    }

    /// <summary>
    ///Traversing string properties of modified classes
    /// </summary>
    ///< param name = "key" > class name < / param >
    ///< param name = "t" > data type < / param >
    ///< param name = "obj" > object < / param >
    /// <returns></returns>
    private object ModelFieldFilter(string key, Type t, object obj)
    {
      //Get the property collection of a class
      var ats = t.GetCustomAttributes(typeof(FieldFilterAttribute), false);


      if (obj != null)
      {
        //Get the property collection of a class
        var pps = t.GetProperties();

        foreach (var pp in pps)
        {
          if(pp.GetValue(obj) != null)
          {
            //When property equals string
            if (pp.PropertyType.Equals(typeof(string)))
            {
              string value = pp.GetValue(obj).ToString();
              pp.SetValue(obj, xss.Filter(value));
            }
            Else if (pp.propertytype. Isclass) // recursion when the property is equal to the class
            {
              pp.SetValue(obj, ModelFieldFilter(pp.Name, pp.PropertyType, pp.GetValue(obj)));
            }
          }
          
        }
      }

      return obj;
    }
  }
//Attribute filter
  [FieldFilter]
  public class NoteBookController : ManageController
  {
    //Note operation interface
    private INoteBookAppService _noteBookApp;
    public NoteBookController(INoteBookAppService noteBookApp)
    {
      this._noteBookApp = noteBookApp;
    }
    public IActionResult Tab()
    {
      return View();
    }

  }

Then add the filter controller characteristics to the controller to be filtered. In this way, all parameters of string type will be filtered. If you do not need to filter the whole controller, you only need to add features to the corresponding action.

The above is the whole content of this article. I hope it will help you in your study, and I hope you can support developepaer more.