Methods of Passing Data Between ASP.NET Pages, with Analysis
Web pages are stateless: the server treats every request as if it came from a different user, so the state of variables is not preserved across successive requests to the same page or when navigating from one page to another. When designing and developing a Web system with ASP.NET, an important problem is how to ensure that data is passed between pages correctly, securely and efficiently. ASP.NET provides state management and several other techniques for saving and passing data. The following discusses the approaches available under .NET and the situations each is suited to.
1.1 Using the QueryString method
QueryString, also called the query string, passes data by appending it to the page address (URL). For example, to go from page A.aspx to page B.aspx you can call Response.Redirect("B.aspx?parameterName=parameterValue"), or use a hyperlink; after the redirect, the target page receives the parameter with Request["parameterName"]. The advantages of the QueryString method are that it is simple to implement and uses no server resources. The disadvantages are that the passed values are displayed in the browser's address bar and can therefore be tampered with, that objects cannot be passed, and that a query string only works when the page is requested through a URL.
1.2 Using hidden fields
A hidden field is not displayed in the user's browser. Typically a hidden control is added to the page; when interacting with the server, a value is assigned to the hidden control and submitted to the next page. A hidden field can serve as a repository for any page-related information stored in the page itself. To store a value in a hidden field, use: hiddenControl.Value = value; to read the received value, use: variable = hiddenControl.Value. The advantages of hidden fields are simplicity of implementation (a hidden field is a standard HTML control and needs no complex programming logic), storage and retrieval on the page itself with no server resources required, and support for forms with hidden fields in almost all browsers and client devices. The disadvantages are limited structure (only simple data structures are supported) and limited capacity: because the data is stored in the page itself, large values cannot be stored, and large amounts of data may be blocked by firewalls and proxies.
1.3 ViewState
ViewState is a hidden form field managed by the ASP.NET page framework. When ASP.NET executes a page, the ViewState values and all controls on that page are collected and formatted into a single encoded string, which is then assigned to the value attribute of the hidden form field. To pass data with ViewState, use: ViewState["variableName"] = value; to retrieve it, use: variable = ViewState["variableName"]. The advantages of ViewState are that values are retained automatically across multiple requests to the same page, no server-side resources are used, it is simple to implement, the values in view state are hashed and compressed, and for Unicode
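The three mechanisms above, as an added example that is not code from the original article: A.aspx.cs sends a record id to B.aspx in the query string; B.aspx.cs validates it on arrival, keeps it in ViewState across postbacks, and treats a hidden field as untrusted input. The page names, the "id" parameter and the control names hfNote and lblRecord are assumptions.

```csharp
// Added example, not from the original article. Page names, the "id" parameter
// and the controls hfNote/lblRecord (declared in the .aspx markup) are assumed.
using System;
using System.Web;
using System.Web.UI;

public partial class A : Page
{
    protected void btnOpen_Click(object sender, EventArgs e)
    {
        int recordId = 42; // constructed sample value
        // URL-encode so the value cannot smuggle in extra parameters; it is
        // still visible in the address bar and editable by the user.
        Response.Redirect("B.aspx?id=" + HttpUtility.UrlEncode(recordId.ToString()));
    }
}

public partial class B : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        // Bind the ViewState MAC to this user's session so ViewState captured
        // from another session is rejected on postback. Must be set before
        // ViewState is loaded, which is why it lives in OnInit.
        ViewStateUserKey = Session.SessionID;
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
        {
            // A query-string value is user-controlled: parse and range-check
            // it before use and reject anything unexpected.
            int recordId;
            if (!int.TryParse(Request.QueryString["id"], out recordId) || recordId <= 0)
            {
                Response.StatusCode = 400;
                Response.End();
                return;
            }
            // Survives postbacks to this page and is covered by the ViewState MAC.
            ViewState["RecordId"] = recordId;
        }
        // A hidden field travels as plain HTML and can be edited just like the
        // URL, so treat its contents as untrusted and encode before rendering.
        lblRecord.Text = Server.HtmlEncode(
            "record " + ViewState["RecordId"] + ", note: " + hfNote.Value);
    }
}
```

Session.SessionID only stays stable once something has been stored in the session; until then it changes between requests, and postbacks keyed on it will fail the MAC check.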