crx349 发表于 2020-5-6 23:28:41

Asp防跨站防护代码(XSS防护)

工作需要,用到了ASP,需要一个防护,百度找了下,测试没问题,分享下
保存为:safe.asp 放网站根目录
<%   
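On Error Resume Next
' safe.asp: regex blacklist applied to the query string, referer, cookies and
' form body of every request that includes this file. A blacklist is a
' defence-in-depth layer only: the pages that include it still need
' parameterised queries and output encoding. The "(and|or)...=" style
' alternations also match ordinary prose containing those words, so expect
' some false positives on free-text fields.

Dim safe_qsPattern, safe_refPattern, safe_cookiePattern, safe_formPattern
' Query string: tag/script and inline handler fragments (incl. the UTF-7 "+/v8" prefix) plus SQL keywords.
safe_qsPattern = "'|\b(alert|confirm|prompt)\b|<[^>]*?>|^\+/v(8|9)|\bonmouse(over|move)=\b|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"
' Referer header: a single string, so it goes through test() rather than stophacker().
safe_refPattern = "'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"
' Cookies: narrower "(and|or)" window (1-6 chars) than the query string to reduce false positives.
safe_cookiePattern = "\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"
' Form body: like cookies, plus the UTF-7 prefix and <img.
safe_formPattern = "^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)"

if request.querystring<>"" then call stophacker(request.querystring, safe_qsPattern)
if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"), safe_refPattern)
if request.Cookies<>"" then call stophacker(request.Cookies, safe_cookiePattern)
call stophacker(request.Form, safe_formPattern)

' "On Error Resume Next" above also covers errors raised inside test() and
' stophacker() (neither has its own handler), so a runtime failure in a check
' would otherwise be swallowed and the request would continue unfiltered.
' A filter that cannot run is treated as a block, not as a pass.
if Err.Number <> 0 then
        Err.Clear
        Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br><br></div>")
        Response.end
end if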

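' Block the request when the single string `values` matches the regex `re`.
' Used for scalar inputs such as HTTP_REFERER (collections go through
' stophacker). On a match it writes the blocking notice and ends the
' response; otherwise it returns nothing and the page continues.
function test(values,re)
        dim regex
        set regex = new regexp
        regex.ignorecase = true
        ' Global only affects Replace/Execute, not Test, so it is not set here.
        regex.pattern = re
        if regex.test(values) then
                ' Send 403 rather than the default 200 so blocked requests are
                ' distinguishable in IIS logs and by any upstream proxy. Must be
                ' set before any output is written.
                Response.Status = "403 Forbidden"
                Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br><br></div>")
                Response.end
        end if
        set regex = nothing
end function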


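' Scan every value of an ASP request collection (QueryString, Form or
' Cookies) against the regex `re` and block the request on the first match.
' Only the values are tested; the parameter names themselves are not.
' On a match it writes the blocking notice and ends the response; otherwise
' it returns nothing.
function stophacker(values,re)
        dim key, value, regex
        ' One RegExp for the whole collection; the pattern never changes
        ' between keys, so re-creating it per value (as before) was wasted work.
        set regex = new regexp
        regex.ignorecase = true
        regex.pattern = re
        ' A single pass is enough: the previous nested "for each" over the same
        ' collection re-scanned every value once per key with no change in outcome.
        for each key in values
                ' values(key) returns one string per key; repeated keys come
                ' back joined, so the whole set is covered by this single test.
                value = values(key)
                if regex.test(value) then
                        ' 403 instead of the default 200 so blocked requests are
                        ' visible in IIS logs and to upstream proxies.
                        Response.Status = "403 Forbidden"
                        Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br><br></div>")
                        Response.end
                end if
        next
        set regex = nothing
end function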
%>

用法:
<!--#include virtual="/safe.asp"-->
以上代码放conn.asp之类的公用文件里面