asp.net 应用程序的导出功能中的 CSV 注入

CSV-injection in export functionality in asp.net application

在提交表单时,我在其中一个字段中插入了易受攻击的字符,例如 =cmd|'/C calc'!A0。因此,在安全术语中,它在导出功能中被称为 CSV 注入

我已经为上面的错误编写了这样的代码。但它不起作用

[WebMethod]
public static string SaveRecord(RRSOCSaving RRSOCSaving, string Indication)
{
    string strReturnId = "";
    string strAppURL = ConfigurationManager.AppSettings["AppUrl"].ToString();            
    string strmail_Content = "";

    CommonDB commonObj = new CommonDB();

    try
    {
        // Cross site scripting issue code tag..!!   

        if (commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_CODE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.CITY)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_1)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_SITENAME_LANDL_2)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_NAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_ASST_MANAGER_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.STORE_MANAGER_NAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.MANAGER_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.EMP_NEAREST_STORE_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.SUPERVISOR_MOBNO)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_NAME_STORE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.SECURITY_SUP_MOBNO_STORE)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_NAME)
              || commonObj.HackerTextExistOrNot(RRSOCSaving.ALPM_ALPO_MOBNO))
        {
            strReturnId = "Something went wrong due to malicious script attack..!!!";
        }
        else
        {
            if (RRSOCSaving.ROLE_ASSIGNED == "SLP State Head")
            {
                bool blnState1 = Array.Exists(RRSOCSaving.ASSIGNED_STATE.ToString().ToUpper().Split(','), element => element == (RRSOCSaving.STATE).ToString().ToUpper());                        

                if (blnState1)
                {
                    strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
                    //  SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
                    strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
                }
                else
                {
                    strReturnId = "User can add data for " + RRSOCSaving.ASSIGNED_STATE + " only";
                }
            }
            else if (RRSOCSaving.ROLE_ASSIGNED == "NHQ Admin")
            {
                strmail_Content = Get_Email_Content(RRSOCSaving.STORE_CODE, RRSOCSaving.UserName, Indication, RRSOCSaving.STATE, RRSOCSaving.SITE_STORE_FORMAT, RRSOCSaving.STORE_SITENAME);
                //  SendEmail(RRSOCSaving.UserName, RRSOCSaving.STORE_CODE, RRSOCSaving.SLP_EMAILID, ConfigurationManager.AppSettings["NHQEmail"].ToString(), strmail_Content, Indication);
                strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving, Indication);
                //strReturnId = "Record Saved Succesfully";
            }
        }

        // strReturnId = CommonDB.INSERT_INTO_RRSOC_INFO(RRSOCSaving);
    }
    catch (Exception)
    {
        throw;
    }

    return strReturnId;
}

public bool HackerTextExistOrNot(string Text)
{
    bool flgValid = false;
    Regex htmltags = new Regex(@"<.*?>");
    Match chkMatch = htmltags.Match(Text);
    if (chkMatch.Success)
    {
        flgValid = true;
    }
    return flgValid;
}

请建议如何停止此错误。

您的 HackerTextExistOrNot 方法正在检查 html 标签是否存在。

但是,您应该检查文本是否以公式触发字符之一开头。

为了保护您自己免受注入攻击,请确保给定文本的 none 以以下任何字符开头:

   Equals to ("=")

   Plus ("+")

   Minus ("-")

   At ("@")

所以你可以这样检查:

var attackChars = new char[]{'=','+','-','@'};

if(attackChars.Contains(text[0])
{

}