Web恶意内容入侵分析及应对措施之四
发表于:2007-05-25来源:作者:点击数:
标签:
第四步:过滤动态输出内容中的特殊字符 在实际应用中,判断哪些字符或者字符组合可能导致攻击是不明确的。因此,直接选择 安全 的字符集要比排除不信任的字符集更方便。例如,如果用户需要在一个表单项中填写他的年龄, 开发 者就可以直接地限定这个表单项的
第四步:过滤动态输出内容中的特殊字符
在实际应用中,判断哪些字符或者字符组合可能导致攻击是不明确的。因此,直接选择
安全的字符集要比排除不信任的字符集更方便。例如,如果用户需要在一个表单项中填写他的年龄,
开发者就可以直接地限定这个表单项的取值为数字0到9的组合,而不需要再接受其他字符。这样处理后,将大大地降低未知攻击的可能性。
过滤处理可以作为数据输入的一部分、数据输出的一部分或者两者兼而有之。当作为数据输出的一部分时,建议在数据呈现给用户前对之进行过滤处理。如果处理正确,就可以确保所有的动态内容被过滤成为纯净的东西。
下面分别列出用C++、JavaScript以及Perl语言编写的过滤代码,你可以根据实际情况选择其中一种:
C++
BYTE IsBadChar[] = {
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0xFF,0xFF,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xFF,0xFF,0x00,0xFF,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00
};
DWORD FilterBuffer(BYTE * pString,DWORD cChLen){
BYTE * pBad = pString;
BYTE * pGood = pString;
DWORD i=0;
if (!pString) return 0;
for (i=0;pBad[i];i++){
if (!IsBadChar[pBad[i]]) *pGood++ = pBad[i];
};
return pGood-pString;
}
JavaScript
function RemoveBad(InStr){
InStr = InStr.replace(/\
InStr = InStr.replace(/\>/g,"");
InStr = InStr.replace(/\"/g,"");
InStr = InStr.replace(/\'/g,"");
InStr = InStr.replace(/\%/g,"");
InStr = InStr.replace(/\;/g,"");
InStr = InStr.replace(/\(/g,"");
InStr = InStr.replace(/\)/g,"");
InStr = InStr.replace(/\&/g,"");
InStr = InStr.replace(/\+/g,"");
return InStr;
}
Perl
#! The first function takes the negative approach.
#! Use a list of bad characters to filter the data
sub FilterNeg {
local( $fd ) = @_;
$fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
return( $fd ) ;
}
#! The second function takes the positive approach.
#! Use a list of good characters to filter the data
sub FilterPos {
local( $fd ) = @_;
$fd =~ tr/A-Za-z0-9\ //dc;
return( $fd ) ;
}
$Data = "This is a test string<script>";
$Data = &FilterNeg( $Data );
print "$Data\n";
$Data = "This is a test string<script>";
$Data = &FilterPos( $Data );
print "$Data\n";
第五步:检查Cookies值
攻击者还可能将恶意内容写入cookie中,因此,Web开发者应该仔细地检查接受的cookie值,并使用上面提及的过滤技术以验证它们是否包含了恶意内容。
原文转自:http://www.ltesting.net
|