This article covers how to handle the following question: in C#, the copyTo(), readToEnd() and LoadXML() methods are also vulnerable to DDoS attacks; how can the vulnerability be prevented?

Problem description

In C# the copyTo(), the readToEnd() and the LoadXML() methods are also vulnerable to a DDoS attack because of their need to read all the way to the end of the line, which is usually designated by a character. If that character does not exist, the function will proceed to keep reading and copying data until all the resources are consumed and an error is thrown.

As per the WhiteHat scan, this statement was received. How can I prevent denial-of-service attacks for these methods? Is there any alternate method? Or what are the points to take care of?

The method is below:

private static bool IsResponseError(string response, out int errorCode, out string errorMessage)
{
    errorCode = 0;
    errorMessage = null;
    var retVal = false;

    if (String.IsNullOrWhiteSpace(response)) return false;
    var xmlDocument = new XmlDocument();

    try
    {
        xmlDocument.LoadXml(response); //This Is Vulnerable.
    }
    catch
    {
        // if you are here, the string is not XML which is the case for Authenticate; if successful, the token returned is a string, not xml
        return false;
    }

    if (xmlDocument.DocumentElement != null)
    {
        //XmlNode errorElement = xmlDocument.DocumentElement.SelectSingleNode("//ERRORCODE");
        var errorElement = GetErrorNode(xmlDocument);

        if (errorElement != null)
        {
            try
            {
                retVal = true;
                errorCode = int.Parse(errorElement.InnerText);
                if (Errors.ContainsKey(errorCode))
                    errorMessage = Errors[errorCode];
                else
                {
                    errorCode = 99999;
                    errorMessage = "Unknown error message: " + errorElement.InnerText;
                }
            }
            catch
            {
                errorCode = 99999;
                errorMessage = "Unknown error message: " + errorElement.InnerText;
            }
        }
    }

    return retVal;
}

What I have tried:

For LoadXml(), I got the solution to prevent the vulnerability.
But for the CopyTo() and readToEnd() methods, I need the solution.

Recommended answer

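using System.IO;
using System.Xml;

public static XmlDocument LoadUntrustedXml(string input)
{
    var settings = new XmlReaderSettings
    {
        // Reject any document that contains a DTD (an XmlException is thrown).
        DtdProcessing = DtdProcessing.Prohibit,
        // Cap the number of characters produced by entity expansion.
        MaxCharactersFromEntities = 1024,
        // Do not resolve external resources.
        XmlResolver = null,
    };

    using (var stringReader = new StringReader(input))
    using (var xmlReader = XmlReader.Create(stringReader, settings))
    {
        var result = new XmlDocument();
        result.Load(xmlReader);
        return result;
    }
}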
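
The answer above hardens LoadXml() only. The following is an added example, not part of the original question or answer, showing one way to bound the CopyTo()/ReadToEnd() case by enforcing a size cap while reading. The names BoundedInput, ReadAtMost and LoadBoundedXml and the 64 KiB limit are assumptions made for this example.

```csharp
using System;
using System.IO;
using System.Text;
using System.Xml;
public static class BoundedInput
{
    // Assumed limit for this example; size it to the largest legitimate response.
    public const int MaxBytes = 64 * 1024;
    // Bounded stand-in for CopyTo()/ReadToEnd(): throws once the source exceeds maxBytes.
    public static byte[] ReadAtMost(Stream source, int maxBytes)
    {
        var buffer = new byte[8192];
        var sink = new MemoryStream();
        int read;
        while ((read = source.Read(buffer, 0, buffer.Length)) > 0)
        {
            if (sink.Length + read > maxBytes)
                throw new InvalidDataException("Input exceeds " + maxBytes + " bytes.");
            sink.Write(buffer, 0, read);
        }
        return sink.ToArray();
    }
    // Parses the capped bytes with hardened reader settings and a document-size cap.
    public static XmlDocument LoadBoundedXml(Stream source)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            MaxCharactersFromEntities = 1024,
            MaxCharactersInDocument = MaxBytes,
            XmlResolver = null,
        };
        using (var capped = new MemoryStream(ReadAtMost(source, MaxBytes)))
        using (var xmlReader = XmlReader.Create(capped, settings))
        {
            var result = new XmlDocument();
            result.Load(xmlReader);
            return result;
        }
    }
    public static void Main()
    {
        // Constructed sample inputs: one small document, one oversized stream.
        var ok = new MemoryStream(Encoding.UTF8.GetBytes("<r><ERRORCODE>42</ERRORCODE></r>"));
        Console.WriteLine(LoadBoundedXml(ok).DocumentElement.InnerText);
        try { ReadAtMost(new MemoryStream(new byte[MaxBytes + 1]), MaxBytes); }
        catch (InvalidDataException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The cap is checked before each chunk is written, so memory use stays bounded by the limit plus one buffer regardless of how much data the sender supplies.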


09-16 06:34