{"id":784,"date":"2011-12-17T21:57:48","date_gmt":"2011-12-17T13:57:48","guid":{"rendered":"http:\/\/notes.zerobox.org\/?p=784"},"modified":"2011-12-17T21:57:48","modified_gmt":"2011-12-17T13:57:48","slug":"%e7%a7%91%e6%99%ae-asp-net-validaterequest-filter-rule","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/784.html","title":{"rendered":"\u79d1\u666e asp.net ValidateRequest filter rule"},"content":{"rendered":"

\u63d0\u53d6\u4e86.net4.0 \u68c0\u9a8c\u6e90\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n

<\/p>\n

\/\/\/ \u8fd9\u91cc\u4f2a\u5165\u53e3<\/p>\n

\/\/\/ <\/summary><\/p>\n

\/\/\/ <param name=”s”><\/param><\/p>\n

\/\/\/ <returns><\/returns><\/p>\n

private static bool\u00a0IsDangerousString(string s)<\/p>\n

{<\/p>\n

\/\/\u5148\u53bb\u9664 \\0<\/p>\n

s = RemoveNullCharacters(s);<\/p>\n

int macount = 0;<\/p>\n

return IsDangerousString(s, out macount);<\/p>\n

}<\/p>\n

<\/p>\n

\/\/\/ <summary><\/p>\n

\/\/\/ \u53bb\u9664\u5b57\u7b26\u622a\u65ad<\/p>\n

\/\/\/ <\/summary><\/p>\n

\/\/\/ <param name=”s”><\/param><\/p>\n

\/\/\/ <returns><\/returns><\/p>\n

private static string\u00a0RemoveNullCharacters(string s)<\/p>\n

{<\/p>\n

if (s == null)<\/p>\n

{<\/p>\n

return null;<\/p>\n

}<\/p>\n

if (s.IndexOf(‘\\0’) > -1)<\/p>\n

{<\/p>\n

return s.Replace(“\\0″, string.Empty);<\/p>\n

}<\/p>\n

return s;<\/p>\n

}<\/p>\n

<\/p>\n

static char[]startingChars = new char[] {\u00a0‘<‘, ‘&’\u00a0};<\/p>\n

<\/p>\n

private static bool\u00a0IsAtoZ(char c)<\/p>\n

{<\/p>\n

return (((c >=’a’) && (c <=’z’)) || ((c >=’A’) && (c <=\u00a0‘Z’)));<\/p>\n

}<\/p>\n

<\/p>\n

\/\/\/ <summary><\/p>\n

\/\/\/ 1.\u6ca1\u6709 < \u548c & \u4e00\u5b9a\u53ef\u4ee5<\/p>\n

\/\/\/ 2. < \u540e\u9762\u662f\u5b57\u6bcd \u6216 ! \/ ? \u90fd\u4e0d\u53ef\u4ee5<\/p>\n

\/\/\/ 3. & \u540e\u9762 # \u4e0d\u53ef\u4ee5<\/p>\n

\/\/\/ <\/summary><\/p>\n

\/\/\/ <param name=”s”><\/param><\/p>\n

\/\/\/ <param name=”matchIndex”><\/param><\/p>\n

\/\/\/ <returns><\/returns><\/p>\n

internal static bool\u00a0IsDangerousString(string s, out int matchIndex)<\/p>\n

{<\/p>\n

matchIndex = 0;<\/p>\n

int startIndex = 0;<\/p>\n

while (true)<\/p>\n

{<\/p>\n

int num2 = s.IndexOfAny(startingChars, startIndex);<\/p>\n

if (num2 < 0)<\/p>\n

{<\/p>\n

return false;<\/p>\n

}<\/p>\n

if (num2 == (s.Length – 1))<\/p>\n

{<\/p>\n

return false;<\/p>\n

}<\/p>\n

matchIndex = num2;<\/p>\n

char ch = s[num2];<\/p>\n

if (ch !=’&’)<\/p>\n

{<\/p>\n

if ((ch ==\u00a0‘<‘) && ((IsAtoZ(s[num2 + 1]) || (s[num2 + 1] ==\u00a0‘!’)) || ((s[num2 + 1] ==\u00a0‘\/’) || (s[num2 + 1] ==\u00a0‘?’))))<\/p>\n

{<\/p>\n

return true;<\/p>\n

}<\/p>\n

else if (s[num2 + 1] ==\u00a0‘#’)<\/p>\n

{<\/p>\n

return true;<\/p>\n

}<\/p>\n

startIndex = num2 + 1;<\/p>\n

}<\/p>\n

<\/p>\n

\u603b\u7ed3<\/strong><\/p>\n

1. \u4e0d\u51fa\u73b0 < \u548c & \u4e00\u5b9a\u662f\u5b89\u5168\u7684<\/p>\n

2.\u00a0\u53ea\u51fa\u73b0 < \u6216 & \u5355\u5b57\u7b26 \u662f\u5b89\u5168\u7684<\/p>\n

3. < \u540e\u51fa\u73b0a-Z , \/ , ! ,? \u00a0\u662f\u4e0d\u5b89\u5168\u7684<\/p>\n

4. & \u540e\u51fa\u73b0# \u662f\u4e0d\u5b89\u5168\u7684<\/p>\n

5. \u4e0a\u8ff0\u672a\u5339\u914d\u7684\u5168\u90e8\u662f\u5b89\u5168\u7684<\/p>\n

<\/p>\n

\u7ed3\u5408\u8fc7\u6ee4\u89c4\u5219\u548cie\u7279\u6027\uff0c\u5c31\u80fd\u627e\u51fa\u4e00\u4e9bbypass\u7684\u65b9\u6cd5\uff0c\u5982 ie6 \u4e0b<\/p>\n

<\/p>\n

<~\/XSS\/*-*\/STYLE=xss:e\/**\/xpression(alert(‘XSS’))><\/p>\n

<\/p>\n

\u53c2\u8003<\/p>\n

http:\/\/www.procheckup.com\/vulnerability_manager\/documents\/document_1258758664\/bypassing-dot-NET-ValidateRequest.pdf<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

\u63d0\u53d6\u4e86.net4.0 \u68c0\u9a8c\u6e90\u4ee3\u7801\u5982\u4e0b\uff1a …<\/p>\n