How can I change or remove HttpRequest input arguments in a HttpModule
Is it possible to change or re开发者_C百科move http request form inputs in an httpmodule?
My goal is to create a security IHttpmodule that will check the request for reasonable values, such as limits on acceptable input and query parameter length, or use the AntiXSS Sanitizer to remove threats, log potential hack attempts, etc. before a request is passed on to a processor.
Because this is a cross cutting concern I'd prefer to find a solution that applies to all requests and affects all ways request values could be accessed, Reqest.Form, Action(model), Action(FormCollection), HttpContext.Current.Request.Form, etc.
I'm using MVC and have considered creating custom model binders to clean the data before creating the model instance. But that would be application specific, require remembering to register every model binder and only apply to Action(model).
I suggest you do not sanitize input at this stage as it may lead to interesting issues. I learned this the hard way.
What would you sanitize? Code injection (script/html)? Sql Injection? Something else? The sanitization is linked to what you're doing. So, if you're setting up code that records what was in the HTTPRequest for each request into a database, it makes sense to work against injection, but removing malicious code, or modifying it won't store the data as it was provided, and you're going to get inconsistent data.
Your code should look at the context of what's being done with these inputs, rather than re-assigning raw input data.
If it's going into a database, make sure it's not going to allow for injection attacks. If it's embedding the data onto a page, make sure it's escaped such that you can't include scripts or change the HTML with it. If it's an emailer, make sure you can't insert a new line charecter in the email field and have SMTP send to multiple addresses.
It's all about the context, because there is no catch all for all the exploits. So, keep your raw inputs raw, but filter them based on what you're going to do in that part of your code.
How did I learn this the hard way? Back when I was learning PHP and web security, I made a script that investigated all HTTP headers, cookies, request variables, ip, page address, and otherwise. It then filtered them through various pre-defined filters based on what I wanted, and passed them into the required function/object. For instance, age was a number so I would make sure to assign it to my object after filltering through the sanitize-age function. This was fine for some cases, but when you have multiple contexts in which that data can get used, escaping against SQL just doesn't cut it, and escaping HTML entities stores the data in a way that wasn't originally presented if I'm placing it into a database. Now, if that column needs to be filtered against XSS, then go ahead and update that specific part of the database with that, but not the raw data.
This is simply my opinion, I do not have resources that indicate this is a best-practice.
精彩评论