C# asp.net应用程序中导出功能中的CSV注入
提交表单时,我在其中一个字段中插入易受攻击的字符,如C# asp.net应用程序中导出功能中的CSV注入,c#,asp.net,csv,csv-injection,C#,Asp.net,Csv,Csv Injection,提交表单时,我在其中一个字段中插入易受攻击的字符,如=cmd |'/C calc'!A0。因此,在安全方面,它在导出功能中被称为CSV注入 我已经为上述错误编写了这样的代码。但它不起作用 [WebMethod] public static string SaveRecord(RRSOCSaving RRSOCSaving, string Indication) { string strReturnId = ""; string strAppURL = ConfigurationM
=cmd |'/C calc'!A0
。因此,在安全方面,它在导出功能中被称为CSV注入
我已经为上述错误编写了这样的代码。但它不起作用
[WebMethod]
public static string SaveRecord(RRSOCSaving RRSOCSaving, string Indication)
{
string strReturnId = "";
string strAppURL = ConfigurationManager.AppSettings["AppUrl"].ToString();
string strmail_Content = "";
CommonDB commonObj = new CommonDB();
try
{
// Cross site scripting issue code tag..!!
if (commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_CODE)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.CITY)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_1)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_2)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_NAME)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_MOBNO)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_MANAGER_NAME)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.MANAGER_MOBNO)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE_MOBNO)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.SUPERVISOR_MOBNO)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_NAME_STORE)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_MOBNO_STORE)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_NAME)
|| commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_MOBNO))
{
strReturnId = "Something went wrong due to malicious script attack..!!!";
}
else
{
if (RRSOCSaving.ROLE_ASSIGNED == "SLP State Head")
{
bool blnState1 = Array.Exists(RRSOCSaving.ASSIGNED_STATE.ToString().ToUpper().Split(','), element => element == (RRSOCSaving.STATE).ToString().ToUpper());
if (blnState1)
{
strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
// SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
}
else
{
strReturnId = "User can add data for " + RRSOCSaving.ASSIGNED_STATE + " only";
}
}
else if (RRSOCSaving.ROLE_ASSIGNED == "NHQ Admin")
{
strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
// SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
//strReturnId = "Record Saved Succesfully";
}
}
// strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving);
}
catch (Exception)
{
throw;
}
return strReturnId;
}
public bool HackerTextExistOrNot(string Text)
{
bool flgValid = false;
Regex htmltags = new Regex(@"<.*?>");
Match chkMatch = htmltags.Match(Text);
if (chkMatch.Success)
{
flgValid = true;
}
return flgValid;
}
[WebMethod]
公共静态字符串保存记录(RRSOCSaving RRSOCSaving,字符串指示)
{
字符串strReturnId=“”;
string StrapUrl=ConfigurationManager.AppSettings[“AppUrl”].ToString();
字符串strmail_Content=“”;
CommonDB commonObj=新的CommonDB();
尝试
{
//跨站点脚本问题代码标签。。!!
if(commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_代码)
||commonObj.HackerTextExistOrNot(RRSOCSaving.CITY)
||commonObj.HackerTextExistOrNot(RRSOCSaving.STORE\u SITENAME)
||commonObj.HackerTextExistOrNot(RRSOCSaving.STORE\u SITENAME\u land\u 1)
||commonObj.HackerTextExistOrNot(RRSOCSaving.STORE\u SITENAME\u land\u 2)
||commonObj.HackerTextExistOrNot(RRSOCSaving.STORE\u ASST\u MANAGER\u NAME)
||commonObj.HackerTextExistOrNot(RRSOCSaving.STORE\u ASST\u MANAGER\u MOBNO)
||commonObj.HackerTextExistOrNot(RRSOCSaving.STORE\u MANAGER\u NAME)
||commonObj.HackerTextExistOrNot(RRSOCSaving.MANAGER\u MOBNO)
||commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_最近的商店)
||commonObj.HackerTextExistOrNot(RRSOCSaving.EMP\u NEAREST\u STORE\u MOBNO)
||commonObj.HackertExistorNot(RRSOCSaving.SUPERVISOR\u MOBNO)
||commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY\u SUP\u NAME\u STORE)
||commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY\u SUP\u MOBNO\u商店)
||commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_NAME)
||commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_MOBNO))
{
strReturnId=“由于恶意脚本攻击,出现了一些问题..!!!”;
}
其他的
{
if(RRSOCSaving.ROLE_ASSIGNED==“SLP状态头”)
{
bool blnState1=Array.Exists(RRSOCSaving.ASSIGNED_STATE.ToString().ToUpper().Split(“,”),element=>element=(RRSOCSaving.STATE.ToString().ToUpper());
如果(blnState1)
{
strmail\u Content=获取电子邮件内容(RRSOCSaving.STORE\u代码、RRSOCSaving.UserName、指示、RRSOCSaving.STATE、RRSOCSaving.SITE\u STORE\u格式、RRSOCSaving.STORE\u SITENAME);
//SendEmail(RRSOCSaving.UserName、RRSOCSaving.STORE_CODE、RRSOCSaving.SLP_EMAILID、ConfigurationManager.AppSettings[“NHQEmail”].ToString()、strmail_内容、指示);
strReturnId=CommonDB。将\u插入\u RRSOC\u信息(RRSOCSaving,指示);
}
其他的
{
strReturnId=“用户可以为”+RRSOCSaving.ASSIGNED_STATE+“only”添加数据;
}
}
else if(RRSOCSaving.ROLE_ASSIGNED==“NHQ Admin”)
{
strmail\u Content=获取电子邮件内容(RRSOCSaving.STORE\u代码、RRSOCSaving.UserName、指示、RRSOCSaving.STATE、RRSOCSaving.SITE\u STORE\u格式、RRSOCSaving.STORE\u SITENAME);
//SendEmail(RRSOCSaving.UserName、RRSOCSaving.STORE_CODE、RRSOCSaving.SLP_EMAILID、ConfigurationManager.AppSettings[“NHQEmail”].ToString()、strmail_内容、指示);
strReturnId=CommonDB。将\u插入\u RRSOC\u信息(RRSOCSaving,指示);
//strReturnId=“成功保存记录”;
}
}
//strReturnId=CommonDB。将\u插入\u RRSOC\u信息(RRSOCSaving);
}
捕获(例外)
{
投掷;
}
返回strReturnId;
}
公共bool HackerTextExistOrNot(字符串文本)
{
bool flgValid=false;
Regex htmltags=新的Regex(@“);
Match chkMatch=htmltags.Match(文本);
if(chkMatch.Success)
{
flgValid=真;
}
返回flgValid;
}
请建议如何停止此错误。您的
HackerTextExistOrNot
方法正在检查html标记是否存在
但是,您应该检查文本是否以公式触发字符之一开头
要保护自己免受注入攻击,请确保给定文本中没有以以下任何字符开头:
Equals to ("=")
Plus ("+")
Minus ("-")
At ("@")
所以你可以这样检查:
var attackChars = new char[]{'=','+','-','@'};
if(attackChars.Contains(text[0])
{
}
我猜你做了白名单检查,我在做blaclist检查是的,它的工作伙伴,我现在正在投票。但一旦我的测试人员从他们那里得到批准,我就会接受。。