<%
On Error Resume Next
if request.querystring<>"" and then call stophacker_xss(request.querystring,"'|\b(alert|confirm|prompt)\b|<[^>]*?>|^\+/v(8|9)|\bonmouse(over|move)=\b|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
if Request.ServerVariables("HTTP_REFERER")<>"" and then call test_xss(Request.ServerVariables("HTTP_REFERER"),"'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
if request.Cookies<>"" and then call stophacker_xss(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
call stophacker_xss(request.Form,"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)")
function test_xss(values,re)
dim regex
set regex=new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = re
if regex.test(values) then
Response.Write(" 您的提交带有不合法参数,请联系管理员,谢谢合作!")
Response.end
end if
set regex = nothing
end function
function stophacker_xss(values,re)
dim l_get, l_get2,n_get,regex,IP
for each n_get in values
for each l_get in values
l_get2 = values(l_get)
set regex = new regexp
regex.ignorecase = true
regex.global = true
regex.pattern = re
if regex.test(l_get2) then
Response.Write(" 您的提交带有不合法参数,请联系管理员,谢谢合作!")
Response.end
end if
set regex = nothing
next
next
end function
%>asp 防止xss攻击
一直以来只注重SQL注入攻击的防御,一直认为XSS跨站没有SQL注入那么严重,如何防御XSS跨站脚本攻击,最重要的就是要过滤掉用户输入的风险字符,和SQL注入类似,只是一个针对的是数据库,一个针对的是HTML脚本