网站安全通用防护代码在ASP.NETMVC中的应用实例（接上一篇）

处理Get、Post等网站请求及Cookie数据监测等，防护网站。

拦截攻击者注入恶意代码，防御诸如跨站脚本攻击（XSS）、SQL注入攻击等恶意攻击行为。

1、在Global.asax.cs文件中添加如下代码：

 #region 网站安全防护代码 /// <summary> /// 在此处进行安全检测和防范 /// Application_BeginRequest /// </summary> /// <param name="sender"></param> /// <param name="e"></param> protected void Application_AcquireRequestState(object sender, EventArgs e) { HttpContext context = HttpContext.Current; string putData = string.Empty; if (Request.Cookies != null) { if (SafeUtils.CookieData(out putData)) { ResponseWarnMessage(context, "Cookie数据有恶意字符！", putData); } } if (Request.UrlReferrer != null) { if (SafeUtils.Referer(out putData)) { ResponseWarnMessage(context, "Referrer数据有恶意字符！", putData); } } if (Request.RequestType.ToUpper() == "POST") { if (SafeUtils.PostData(out putData)) { ResponseWarnMessage(context, "Post数据有恶意字符！", putData); } } if (Request.RequestType.ToUpper() == "GET") { if (SafeUtils.GetData(out putData)) { ResponseWarnMessage(context, "Get数据有恶意字符！", putData); } } } /// <summary> /// 非安全行为 输出警告信息 /// </summary> /// <param name="errorMessage"></param> /// <param name="putData"></param> private void ResponseWarnMessage(HttpContext context, string errorMessage, string putData) { //记录一下恶意攻击行为 string ipAddress = IpHelper.GetIP(); //把攻击日志记录到日志文本文件中 LogHelper.WriteLog("恶意访问行为 " + "来自IP：" + ipAddress + "的访问存在恶意行为：" + errorMessage + " 字符内容：" + putData, 1); //BaseUserInfo userInfo = context.Session[DotNet.Business.Utilities.SessionName] as BaseUserInfo; //非安全行为同时记录到数据库和文本文件中 //LogHelper.WriteLog(userInfo, "恶意访问行为", "来自IP：" + ipAddress + "的访问存在恶意行为：" + errorMessage + "字符内容：" + putData, " private void ResponseErrorMessage(string errorMessage, string putData)", typeof(MvcApplication), null); //跳转相应提醒页面 RouteData routeData = new RouteData(); routeData.Values.Add("controller", "Error"); routeData.Values.Add("action", "General"); routeData.Values.Add("title", "非法访问与请求提醒"); routeData.Values.Add("error", "你提交的" + errorMessage + "字符内容：" + putData); IController errorController = new ErrorController(); errorController.Execute(new RequestContext(new HttpContextWrapper(Context), routeData)); context.Response.End(); } #endregion

2、在网站Web.config文件中添加如下配置：

（1）、在system.web节点下的httpRuntime节点添加：requestValidationMode=“2.0”

（2）、在system.web节点下的pages节点添加：validateRequest=“false“

目的：用于比如从客户端中检测到有潜在危险的 Request.QueryString 值等情况的报错，让后台可以正常获取到危险字符。

<system.web> <httpRuntime requestValidationMode="2.0" /> <pages validateRequest="false" >

3、新增控制器：ErrorController 。并在其内添加视图页：General

 public ActionResult General(string title, string error, int icon = 5, string returnUrl = "/Home/Index") { ViewBag.Title = title; ViewBag.Msg = error?? "系统出错或您无权访问！"; ViewBag.Icon = icon; ViewBag.ReturnUrl = returnUrl; return View(); }

4、General视图页代码如下（引用到了LayUI框架）：

@{ Layout = null; } @{ var title = ViewBag.Title; var msg = ViewBag.Msg; var icon = ViewBag.Icon; var returnUrl = ViewBag.ReturnUrl; } <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=ie10,chrome=1"> <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0"> <link rel="Shortcut Icon" href=/favicon.ico> <title>@(title)</title> <link href="~/Content/layui/src/css/layui.css" rel="stylesheet"/> </head> <body> <div> </div> </body> <script type="text/javascript" src="~/Content/layui/src/layui.js"></script> <script type="text/javascript"> //JavaScript代码区域  layui.use(['form', 'element', 'jquery', 'layer'], function() { var element = layui.element; var form = layui.form, layer = layui.layer, $ = layui.jquery; }); </script> <script type="text/javascript"> layui.use(['layer'], function () { var layer = layui.layer; layer.alert('@msg', { icon: '@icon', // 1:勾 2：× 3：问号 4：锁 5：提醒 6：笑脸 7：叹号  closeBtn: 0,//不显示关闭按钮  }, function () { window.location.href = '@returnUrl'; }); }); </script> </html>