Analysis of Malicious Web Content Intrusion and Countermeasures, Part 4
Published: 2007-05-25
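Step 4: Filter special characters in dynamically generated output
In practice, it is unclear which characters or character combinations may lead to an attack. It is therefore more convenient to select a set of safe characters directly than to exclude a set of untrusted ones. For example, if a user has to enter their age in a form field, the developer can restrict the field to combinations of the digits 0 to 9 and accept no other characters. Doing so greatly reduces the chance of unknown attacks.
Filtering can be done as part of data input, as part of data output, or both. When it is done as part of data output, it is recommended to filter the data just before it is presented to the user. Done correctly, this ensures that all dynamic content is filtered into something clean.
Filtering code written in C++, JavaScript and Perl is listed below; choose whichever suits your situation: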
C++
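#include <windows.h>   // BYTE, DWORD
// 256-entry lookup table indexed by byte value; 0xFF marks a character
// to strip. The flagged characters are: " # & ' ( ) ; < >
BYTE IsBadChar[] = {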
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0xFF,0xFF,0x00,0x00,0xFF,0xFF,0xFF,0xFF,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0xFF,0xFF,0x00,0xFF,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00
};
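// Removes flagged characters from pString in place and returns the new length.
// cChLen is the size of the buffer in bytes; scanning stops at the first NUL
// or after cChLen bytes, whichever comes first.
DWORD FilterBuffer(BYTE * pString, DWORD cChLen){
    BYTE * pBad = pString;
    BYTE * pGood = pString;
    DWORD i = 0;
    if (!pString) return 0;
    for (i = 0; i < cChLen && pBad[i]; i++){
        if (!IsBadChar[pBad[i]]) *pGood++ = pBad[i];
    }
    // Re-terminate the shortened string when there is room for the NUL.
    if (pGood < pString + cChLen) *pGood = 0;
    return (DWORD)(pGood - pString);
}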
JavaScript
// Negative approach: strip each character on the bad list.
function RemoveBad(InStr){
    InStr = InStr.replace(/\</g,"");
    InStr = InStr.replace(/\>/g,"");
    InStr = InStr.replace(/\"/g,"");
    InStr = InStr.replace(/\'/g,"");
    InStr = InStr.replace(/\%/g,"");
    InStr = InStr.replace(/\;/g,"");
    InStr = InStr.replace(/\(/g,"");
    InStr = InStr.replace(/\)/g,"");
    InStr = InStr.replace(/\&/g,"");
    InStr = InStr.replace(/\+/g,"");
    return InStr;
}
Perl
#! The first function takes the negative approach.
#! Use a list of bad characters to filter the data
sub FilterNeg {
    my ( $fd ) = @_;
    $fd =~ s/[\<\>\"\'\%\;\)\(\&\+]//g;
    return( $fd ) ;
}
#! The second function takes the positive approach.
#! Use a list of good characters to filter the data
sub FilterPos {
    my ( $fd ) = @_;
    $fd =~ tr/A-Za-z0-9\ //dc;
    return( $fd ) ;
}
$Data = "This is a test string<script>";
$Data = &FilterNeg( $Data );
print "$Data\n";
$Data = "This is a test string<script>";
$Data = &FilterPos( $Data );
print "$Data\n";
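Step 5: Check cookie values
Attackers may also write malicious content into cookies, so web developers should carefully check the cookie values they accept and use the filtering techniques described above to verify whether they contain malicious content.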
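One way to apply the positive approach to step 5, as an added example that is not part of the original article: each expected cookie gets an allowlist pattern, and a cookie that is unknown, fails its pattern, or cannot be decoded is rejected rather than stripped. The cookie names (`age`, `lang`, `nick`) and the function names are assumptions made for illustration.

```javascript
// Hypothetical cookie names, each with the only value shape it may take.
const COOKIE_RULES = {
  age: /^[0-9]{1,3}$/,                  // digits 0-9 only, as in the age example
  lang: /^[A-Za-z]{2}(-[A-Za-z]{2})?$/,
  nick: /^[A-Za-z0-9 ]{1,32}$/,         // same character set as FilterPos
};

// Split a Cookie request header into [name, rawValue] pairs.
function parseCookieHeader(header) {
  return header.split(";")
    .map((part) => part.trim())
    .filter((part) => part.includes("="))
    .map((part) => {
      const eq = part.indexOf("=");
      return [part.slice(0, eq).trim(), part.slice(eq + 1).trim()];
    });
}

// Returns { accepted: {name: value}, rejected: [names] }.
function checkCookies(header) {
  const accepted = {};
  const rejected = [];
  for (const [name, raw] of parseCookieHeader(header)) {
    const known = Object.prototype.hasOwnProperty.call(COOKIE_RULES, name);
    let value = null;
    try {
      // Decode first, so %3C is judged as "<" rather than as three
      // harmless-looking characters.
      value = decodeURIComponent(raw);
    } catch (e) {
      value = null; // malformed percent-encoding: treat as invalid
    }
    const ok = known && value !== null && COOKIE_RULES[name].test(value);
    if (ok && !rejected.includes(name)) {
      accepted[name] = value;
    } else {
      // One bad copy of a cookie discards every copy of that name.
      if (!rejected.includes(name)) rejected.push(name);
      delete accepted[name];
    }
  }
  return { accepted, rejected };
}

// Constructed sample header, not taken from the original page.
const SAMPLE = "age=27; lang=zh-TW; nick=%3Cscript%3E; theme=dark";
console.log(checkCookies(SAMPLE));
```

Only the values in `accepted` should be used by the application; the names in `rejected` are worth logging, since a cookie that fails its pattern was either corrupted or tampered with.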
Reposted from: http://www.kjueaiud.com