安全框架：输入验证 | 缓解措施Security Frame: Input Validation | Mitigations

• 使用不受信任样式表针对所有转换禁用 XSLT 脚本Disable XSLT scripting for all transforms using untrusted style sheets
• 确保可能包含用户可控内容的每个页面能够选择不使用自动 MIME 探查Ensure that each page that could contain user controllable content opts out of automatic MIME sniffing
• 强化或禁用 XML 实体解析Harden or Disable XML Entity Resolution
• 使用 http.sys 的应用程序执行 URL 规范化验证Applications utilizing http.sys perform URL canonicalization verification
• 确保接受用户的文件时实施适当的控制Ensure appropriate controls are in place when accepting files from users
• 确保在 Web 应用程序中使用类型安全的参数进行数据访问Ensure that type-safe parameters are used in Web Application for data access
• 使用单独的模型绑定类或绑定筛选列表来防止 MVC 大规模分配漏洞Use separate model binding classes or binding filter lists to prevent MVC mass assignment vulnerability
• 在呈现之前为不受信任的 Web 输出编码Encode untrusted web output prior to rendering
• 针对所有字符串类型的 Model 属性执行输入验证和筛选Perform input validation and filtering on all string type Model properties
• 应该针对接受所有字符的表单域（例如 RTF 编辑器）应用净化Sanitization should be applied on form fields that accept all characters, e.g, rich text editor
• 不要将 DOM 元素分配到没有内置编码的接收器Do not assign DOM elements to sinks that do not have inbuilt encoding
• 验证应用程序中的所有重定向是否闭合且安全Validate all redirects within the application are closed or done safely
• 针对 Controller 方法接受的所有字符串类型参数实施输入验证Implement input validation on all string type parameters accepted by Controller methods
• 针对正则表达式处理设置超时上限，防止由于正则表达式错误而出现 DoSSet upper limit timeout for regular expression processing to prevent DoS due to bad regular expressions
• 避免在 Razor 视图中使用 Html.RawAvoid using Html.Raw in Razor views

• 不要在存储过程中使用动态查询Do not use dynamic queries in stored procedures

• 确保针对 Web API 方法执行模型验证Ensure that model validation is done on Web API methods
• 针对 Web API 方法接受的所有字符串类型参数实施输入验证Implement input validation on all string type parameters accepted by Web API methods
• 确保在 Web API 中使用类型安全的参数进行数据访问Ensure that type-safe parameters are used in Web API for data access

• 对 Azure Cosmos DB 使用参数化 SQL 查询Use parameterized SQL queries for Azure Cosmos DB

• 通过架构绑定执行 WCF 输入验证WCF Input validation through Schema binding
• WCF - 通过参数检查器执行输入验证WCF- Input validation through Parameter Inspectors

对于可能包含用户可控内容的每个页面，必须使用 HTTP 标头 X-Content-Type-Options:nosniff。For each page that could contain user controllable content, you must use the HTTP Header X-Content-Type-Options:nosniff. 为了符合此要求，可以仅针对可能包含用户可控内容的页面逐页设置所需的标头，或者针对应用程序中的所有页面全局设置该标头。To comply with this requirement, you can either set the required header page by page for only those pages that might contain user-controllable content, or you can set it globally for all pages in the application.

从 Web 服务器传送的每种类型的文件都有一个关联的 MIME 类型（也称为 content-type），该类型描述内容的性质（即，图像、文本、应用程序，等等）Each type of file delivered from a web server has an associated MIME type (also called a content-type) that describes the nature of the content (that is, image, text, application, etc.)

X-Content-Type-Options 标头是一个 HTTP 标头，可让开发人员指定不应该对其内容使用 MIME 探查。The X-Content-Type-Options header is an HTTP header that allows developers to specify that their content should not be MIME-sniffed. 此标头旨在缓解 MIME 探查攻击。This header is designed to mitigate MIME-Sniffing attacks. Internet Explorer 8 (IE8) 中已添加对此标头的支持Support for this header was added in Internet Explorer 8 (IE8)

只有 Internet Explorer 8 (IE8) 的用户才能受益于 X-Content-Type-Options。Only users of Internet Explorer 8 (IE8) will benefit from X-Content-Type-Options. 以前的 Internet Explorer 版本目前不支持 X-Content-Type-Options 标头Previous versions of Internet Explorer do not currently respect the X-Content-Type-Options header

Internet Explorer 8（和更高版本）是能够实现 MIME 探查选择退出功能的唯一主流浏览器。Internet Explorer 8 (and later) are the only major browsers to implement a MIME-sniffing opt-out feature. 如果其他主流浏览器（Firefox、Safari、Chrome）可实现类似功能，此项建议会更新，以包括这些浏览器的语法If and when other major browsers (Firefox, Safari, Chrome) implement similar features, this recommendation will be updated to include syntax for those browsers as well

在 XML 中，有一项功能尽管未得到广泛使用，但可让 XML 分析器使用文档本身内部定义的或者外部源中定义的值来扩展宏实体。Although it is not widely used, there is a feature of XML that allows the XML parser to expand macro entities with values defined either within the document itself or from external sources. 例如，文档中可能定义了值为“Microsoft”的实体“companyname”，因此，每当文档中出现文本“&companyname;”时，该文本就自动被文本“Microsoft”替换。For example, the document might define an entity "companyname" with the value "Microsoft," so that every time the text "&companyname;" appears in the document, it is automatically replaced with the text Microsoft. 或者，文档中可能定义了实体“MSFTStock”，用于引用外部 Web 服务来提取当前的 Microsoft 股价。Or, the document might define an entity "MSFTStock" that references an external web service to fetch the current value of Microsoft stock.

因此，每当文档中出现“&MSFTStock;”时，该值就会自动被当前股价替换。Then any time "&MSFTStock;" appears in the document, it is automatically replaced with the current stock price. 但是，如果此功能使用不当，则可能会造成拒绝服务 (DoS) 攻击。However, this functionality can be abused to create denial of service (DoS) conditions. 攻击者可以嵌套多个实体来制造指数扩张式 XML 炸弹，该炸弹会耗尽系统中所有可用的内存。An attacker can nest multiple entities to create an exponential expansion XML bomb that consumes all available memory on the system.

或者，攻击者可以创建一个外部引用，流式传输无限数量的数据，或者只是将线程挂起。Alternatively, he can create an external reference that streams back an infinite amount of data or that simply hangs the thread. 因此，如果应用程序不使用内部和/或外部 XML 实体解析，则必须完全禁用该功能；或者，如果绝对有必要使用此功能，需手动限制应用程序执行实体解析时可以消耗的内存和时间。As a result, all teams must disable internal and/or external XML entity resolution entirely if their application does not use it, or manually limit the amount of memory and time that the application can consume for entity resolution if this functionality is absolutely necessary. 如果应用程序不需要实体解析，请禁用该功能。If entity resolution is not required by your application, then disable it.

使用 http.sys 的任何应用程序应遵循以下指导原则：Any application that uses http.sys should follow these guidelines:

• 将 URL 的长度限制为不超过 16,384 个字符（ASCII 或 Unicode）。Limit the URL length to no more than 16,384 characters (ASCII or Unicode). 这是基于默认 Internet Information Services (IIS) 6 设置的绝对最大 URL 长度。This is the absolute maximum URL length based on the default Internet Information Services (IIS) 6 setting. 在网站中，应该尽可能使用短于此长度的 URL。Websites should strive for a length shorter than this if possible
• 使用标准的 .NET Framework 文件 I/O 类（例如 FileStream），因为这些类可以利用 .NET FX 中的规范化规则Use the standard .NET Framework file I/O classes (such as FileStream) as these will take advantage of the canonicalization rules in the .NET FX
• 显式构建已知文件名的允许列表Explicitly build an allow-list of known filenames
• 显式拒绝你不会针对其提供 UrlScan reject 的已知文件类型：exe、bat、cmd、com、htw、ida、idq、htr、idc、shtm[l]、stm、printer、ini、pol、dat 文件Explicitly reject known filetypes you will not serve UrlScan rejects: exe, bat, cmd, com, htw, ida, idq, htr, idc, shtm[l], stm, printer, ini, pol, dat files
• 捕获以下异常：Catch the following exceptions:
  • System.ArgumentException（针对设备名称）System.ArgumentException (for device names)
  • System.NotSupportedException（针对数据流）System.NotSupportedException (for data streams)
  • System.IO.FileNotFoundException（针对无效的转义文件名）System.IO.FileNotFoundException (for invalid escaped filenames)
  • System.IO.DirectoryNotFoundException（针对无效的转义目录）System.IO.DirectoryNotFoundException (for invalid escaped dirs)
• 不要调用 Win32 文件 I/O API。Do not call out to Win32 file I/O APIs. 在 URL 无效时，应向用户正常返回 400 错误并记录实际错误。On an invalid URL gracefully return a 400 error to the user, and log the real error.

上传的文件会给应用程序带来重大的风险。Uploaded files represent a significant risk to applications.

许多攻击的第一步就是在要攻击的系统中放入一些代码。The first step in many attacks is to get some code to the system to be attacked. 然后，攻击者只需找到一种执行该代码的方法。Then the attack only needs to find a way to get the code executed. 使用文件上传可以帮助攻击者实现这第一个步骤。Using a file upload helps the attacker accomplish the first step. 不受限制的文件上传的后果多种多样，包括完全接管系统、使文件系统或数据库过载、将攻击转移到后端系统，以及简单的篡改。The consequences of unrestricted file upload can vary, including complete system takeover, an overloaded file system or database, forwarding attacks to back-end systems, and simple defacement.

这种后果取决于应用程序对上传的文件的处理，尤其是该文件的存储位置。It depends on what the application does with the uploaded file and especially where it is stored. 服务器端缺少对文件上传的验证。Server side validation of file uploads is missing. 应该针对文件上传功能实施以下安全控制：Following security controls should be implemented for File Upload functionality:

• 文件扩展名检查（应该只接受有效的一组受允许文件类型）File Extension check (only a valid set of allowed file type should be accepted)
• 文件大小上限Maximum file size limit
• 不应将文件上传到 webroot；位置应是非系统驱动器上的某个目录File should not be uploaded to webroot; the location should be a directory on non-system drive
• 应该遵守命名约定，使上传文件的名称具有某种随机性，防止文件覆盖Naming convention should be followed, such that the uploaded file name have some randomness, so as to prevent file overwrites
• 将文件写入磁盘之前，应扫描它是否包含病毒Files should be scanned for anti-virus before writing to the disk
• 确保验证文件名和其他任何元数据（例如文件路径）是否包含恶意字符Ensure that the file name and any other metadata (e.g., file path) are validated for malicious characters
• 应检查文件格式签名，防止用户上传伪装的文件（例如，通过将扩展名更改为 txt 来上传 exe 文件）File format signature should be checked, to prevent a user from uploading a masqueraded file (e.g., uploading an exe file by changing extension to txt)

如果使用 Parameters 集合，SQL 会将输入视为文本值而不是可执行代码。If you use the Parameters collection, SQL treats the input is as a literal value rather then as executable code. 使用 Parameters 集合可针对输入数据实施类型和长度约束。The Parameters collection can be used to enforce type and length constraints on input data. 如果值超出范围，将触发异常。Values outside of the range trigger an exception. 如果不使用类型安全的 SQL 参数，攻击者可能会执行嵌入在未筛选输入中的注入式攻击。If type-safe SQL parameters are not used, attackers might be able to execute injection attacks that are embedded in the unfiltered input.

构造 SQL 查询时请使用类型安全的参数，避免未筛选的输入发生 SQL 注入式攻击。Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input. 可在存储过程和动态 SQL 语句中使用类型安全的参数。You can use type safe parameters with stored procedures and with dynamic SQL statements. 数据库将参数视为文本值而不是可执行代码。Parameters are treated as literal values by the database and not as executable code. 此外，应检查参数的类型和长度。Parameters are also checked for type and length.

• 在什么情况下应该查找过度提交漏洞？ - 在绑定用户输入中的模型类的任何位置，都可能存在过度提交漏洞。When should I look for over-posting vulnerabilities? - Over-posting vulnerabilities can occur any place you bind model classes from user input. MVC 等框架可在自定义 .NET 类中表示用户数据，包括普通旧 CLR 对象 (POCO)。Frameworks like MVC can represent user data in custom .NET classes, including Plain Old CLR Objects (POCOs). MVC 会在这些模型类中自动填充请求中的数据，提供一种便利的表示形式来处理用户输入。MVC automatically populates these model classes with data from the request, providing a convenient representation for dealing with user input. 如果这些类包含不应由用户设置的属性，应用程序将很容易遭到过度提交攻击，使用户能够控制应用程序永远不希望他们控制的数据。When these classes include properties that should not be set by the user, the application can be vulnerable to over-posting attacks, which allow user control of data that the application never intended. 与 MVC 模型绑定一样，数据库访问技术（例如，包括 Entity Framework 在内的对象/关系映射器）通常也支持使用 POCO 对象来表示数据库数据。Like MVC model binding, database access technologies such as object/relational mappers like Entity Framework often also support using POCO objects to represent database data. 使用这些数据模型类同样能够方便地处理数据库数据，就如同使用 MVC 处理用户输入一样。These data model classes provide the same convenience in dealing with database data as MVC does in dealing with user input. 由于 MVC 和数据库支持类似的模型（例如 POCO 对象），因此，似乎可以轻松地重复使用相同的类来实现这两种目的。Because both MVC and the database support similar models, like POCO objects, it seems easy to reuse the same classes for both purposes. 这种做法无法保留关注点分离，这是向模型绑定公共非预期属性，造成过度提交攻击的一个常见区域。This practice fails to preserve separation of concerns, and it is one common area where unintended properties are exposed to model binding, enabling over-posting attacks.
• 为何不应使用未筛选的数据库模型类作为 MVC 操作的参数？ - 因为 MVC 模型绑定会绑定该类中的任何内容。Why shouldn't I use my unfiltered database model classes as parameters to my MVC actions? - Because MVC model binding will bind anything in that class. 即使数据未显示在视图中，恶意用户也可以发送包含此数据的 HTTP 请求，而 MVC 会自然而然地绑定此请求，因为操作指出，数据库类就是它应该接受用户输入的数据形状。Even if the data does not appear in your view, a malicious user can send an HTTP request with this data included, and MVC will gladly bind it because your action says that database class is the shape of data it should accept for user input.
• 为何应关心用于模型绑定的形状？ - 结合过度扩散的模型使用 ASP.NET MVC 模型绑定会使应用程序曝露在过度提交攻击之下。Why should I care about the shape used for model binding? - Using ASP.NET MVC model binding with overly broad models exposes an application to over-posting attacks. 攻击者可能会利用过度提交来更改应用程序数据，使之超出开发人员的预期，例如，覆盖某个商品的价格，或者帐户的安全特权。Over-posting could enable attackers to change application data beyond what the developer intended, such as overriding the price for an item or the security privileges for an account. 应用程序应使用操作特定的绑定模型（或特定的受允许属性筛选列表）来提供显式约定，规定允许通过模型绑定提供哪些不受信任的输入。Applications should use action-specific binding models (or specific allowed property filter lists) to provide an explicit contract for what untrusted input to allow via model binding.
• 是否存在只复制代码的单独绑定模型？ - 没有，这是一个关注点分离的问题。Is having separate binding models just duplicating code? - No, it is a matter of separation of concerns. 如果在操作方法中重复使用数据库模型，则表示 HTTP 请求中的用户可以设置该类中的任何属性（或子属性）。If you reuse database models in action methods, you are saying any property (or sub-property) in that class can be set by the user in an HTTP request. 如果不希望 MVC 这样做，则需要使用筛选列表或单独的类形状来告知 MVC，可以通过用户输入提供哪些数据。If that is not what you want MVC to do, you need a filter list or a separate class shape to show MVC what data can come from user input instead.
• 如果针对用户输入使用单独的绑定模型，是否需要复制所有数据批注特性？ - 没有必要。If I have separate binding models for user input, do I have to duplicate all my data annotation attributes? - Not necessarily. 可在数据库模型类中使用 MetadataTypeAttribute 来链接到模型绑定类中的元数据。You can use MetadataTypeAttribute on the database model class to link to the metadata on a model binding class. 只需注意，MetadataTypeAttribute 所引用的类型必须是引用类型（可能包含更少或更多的属性）的子集。Just note that the type referenced by the MetadataTypeAttribute must be a subset of the referencing type (it can have fewer properties, but not more).
• 在用户输入模型与数据库模型之间来回移动数据是个繁琐的过程。是否可以只使用反射来复制所有属性？ - 可以。Moving data back and forth between user input models and database models is tedious. Can I just copy over all properties using reflection? - Yes. 在绑定模型中显示的属性无非就是你确定对于用户输入安全的属性。The only properties that appear in the binding models are the ones you have determined to be safe for user input. 没有安全方面的理由会阻止使用反射来复制这两个模型之间共有的所有属性。There is no security reason that prevents using reflection to copy over all properties that exist in common between these two models.
• [Bind(Exclude ="…")] 怎么样？是否可以使用它来取代单独的绑定模型？ - 不建议采用这种做法。What about [Bind(Exclude ="…")]. Can I use that instead of having separate binding models? - This approach is not recommended. 使用 [Bind(Exclude ="…")] 意useful for Edit operations? -味着默认情况下任何新属性都是可绑定的。Using [Bind(Exclude ="…")] means that any new property is bindable by default. 添加新属性后，记得执行一个额外的步骤来保持安全性，而不要采用默认的设计安全性。When a new property is added, there is an extra step to remember to keep things secure, rather than having the design be secure by default. 根据具体的开发人员，每次添加一个属性都要检查此列表是有风险的。Depending on the developer checking this list every time a property is added is risky.
• [Bind(Include ="…")] 是否可用于“编辑”操作？- 不可以。Is [Bind(Include ="…")] useful for Edit operations? - No. [Bind(Include ="…")] 只适用于 INSERT 式操作（添加新数据）。[Bind(Include ="…")] is only suitable for INSERT-style operations (adding new data). 对于 UPDATE 式操作（修改现有数据），请使用另一种方式，例如，使用单独的绑定模型，或者将允许属性的显式列表传递给 UpdateModel 或 TryUpdateModel。For UPDATE-style operations (revising existing data), use another approach, like having separate binding models or passing an explicit list of allowed properties to UpdateModel or TryUpdateModel. 在“编辑”操作上添加 [Bind(Include ="…")] 属性意味着 MVC 将创建一个对象实例，并仅设置列出的属性，使所有其他属性保持默认值。Adding a [Bind(Include ="…")] attribute on an Edit operation means that MVC will create an object instance and set only the listed properties, leaving all others at their default values. 如果数据是持久保存的，将完全替换现有实体，将所有已省略属性的值重置为默认值。When the data is persisted, it will entirely replace the existing entity, resetting the values for any omitted properties to their defaults. 例如，如果在“编辑”操作的 [Bind(Include ="…")] 属性中省略了 IsAdmin，则通过此操作编辑其名称的任何用户都将重置为 IsAdmin = false（任何已编辑的用户都将丢失管理员状态）。For example, if IsAdmin was omitted from a [Bind(Include ="…")] attribute on an Edit operation, any user whose name was edited via this action would be reset to IsAdmin = false (any edited user would lose administrator status). 如果想要防止对某些属性进行更新，请使用上述其他方式之一。If you want to prevent updates to certain properties, use one of the other approaches above. 请注意，某些版本的 MVC 工具会在“编辑”操作上生成带有 [Bind(Include ="…")] 的控制器类，并暗示从该列表中删除属性可防止过度发布攻击。Note that some versions of MVC tooling generate controller classes with [Bind(Include ="…")] on Edit actions and imply that removing a property from that list will prevent over-posting attacks. 但是，如上所述，这种方式无法按预期工作，而是将已省略属性中的任何数据重置为默认值。However, as described above, that approach does not work as intended and instead will reset any data in the omitted properties to their default values.
• 对于“创建”操作，是否有任何使用 [Bind(Include ="…")] 而不是单独的绑定模型的注意事项？- 有。For Create operations, are there any caveats using [Bind(Include ="…")] rather than separate binding models? - Yes. 首先，这种方式不适用于 Edit 方案，它需要保留采用两种不同的方式来缓解所有过度提交漏洞。First this approach does not work for Edit scenarios, requiring maintaining two separate approaches for mitigating all over-posting vulnerabilities. 其次，单独的绑定模型强制分离用于用户输入的形状和用于持久性的形状之间的关注点，而 [Bind(Include ="…")] 做不到这一点。Second, separate binding models enforce separation of concerns between the shape used for user input and the shape used for persistence, something [Bind(Include ="…")] does not do. 第三，请注意 [Bind(Include ="…")] 只能处理顶级属性；不能仅允许属性中的部分子属性（例如“Details.Name”）。Third, note that [Bind(Include ="…")] can only handle top-level properties; you cannot allow only portions of sub-properties (such as "Details.Name") in the attribute. 最后，也许最重要的是，使用 [Bind(Include ="…")] 添加了一个额外步骤，只要该类用于模型绑定，就必须记住这一步骤。Finally, and perhaps most importantly, using [Bind(Include ="…")] adds an extra step that must be remembered any time the class is used for model binding. 如果新的操作方法直接绑定到数据类而忘记包含 [Bind(Include ="…")] 属性，则它可能容易受到过度发布攻击，因此 [Bind(Include ="…")] 方法默认情况下不太安全。If a new action method binds to the data class directly and forgets to include a [Bind(Include ="…")] attribute, it can be vulnerable to over-posting attacks, so the [Bind(Include ="…")] approach is somewhat less secure by default. 如果使用 [Bind(Include ="…")]，请务必记住每次数据类作为操作方法参数出现时都指定它。If you use [Bind(Include ="…")], take care always to remember to specify it every time your data classes appear as action method parameters.
• 对于“创建”操作，将 [Bind(Include ="…")] 属性放在模型类本身上怎么样？使用这种方式是否就不需要记得在每个操作方法中放置该特性？ - 在某些情况下，这种方式是可行的。For Create operations, what about putting the [Bind(Include ="…")] attribute on the model class itself? Does not this approach avoid the need to remember putting the attribute on every action method? - This approach works in some cases. 在模型类型本身上（而不是在使用此类的操作参数上）使用 [Bind(Include ="…")]，确实不需要记住在每个操作方法上包含 [Bind(Include ="…")] 属性。Using [Bind(Include ="…")] on the model type itself (rather than on action parameters using this class), does avoid the need to remember to include the [Bind(Include ="…")] attribute on every action method. 在类中直接使用该特性可以针对模型绑定目的，有效创建此类的独立外围应用。Using the attribute directly on the class effectively creates a separate surface area of this class for model binding purposes. 但是，这种方式只允许为每个模型类创建一个模型绑定形状。However, this approach only allows for one model binding shape per model class. 如果某个操作方法需要允许字段的模型绑定（例如，用于更新用户角色的仅限管理员的操作），而其他操作需要防止字段的模型绑定，则此方式不起作用。If one action method needs to allow model binding of a field (for example, an administrator-only action that updates user roles) and other actions need to prevent model binding of this field, this approach will not work. 每个类只能有一个模型绑定形状；如果不同的操作需要不同的模型绑定形状，就需要使用单独的模型绑定类或操作方法上的单独 [Bind(Include ="…")] 属性来表示这些单独的形状。Each class can only have one model binding shape; if different actions need different model binding shapes, they need to represent these separate shapes using either separate model binding classes or separate [Bind(Include ="…")] attributes on the action methods.
• 什么是绑定模型？它们与视图模型一样吗？ - 这是两个相关的概念。What are binding models? Are they the same thing as view models? - These are two related concepts. 术语“绑定模型”表示操作中使用的模型类是参数列表（从 MVC 模型绑定传递给操作方法的形状）。The term binding model refers to a model class used in an action's parameter list (the shape passed from MVC model binding to the action method). 术语“视图模型”表示从操作方法传递给视图的模型类。The term view model refers to a model class passed from an action method to a view. 我们经常使用视图特定的模型将数据从操作方法传递给视图。Using a view-specific model is a common approach for passing data from an action method to a view. 通常，此形状也适用于模型绑定，术语“视图模型”可用于表示在这两个位置使用的同一模型。Often, this shape is also suitable for model binding, and the term view model can be used to refer the same model used in both places. 为追求精确，本过程将专门讨论绑定模型并侧重于传递给操作的形状，这是有关大规模分配的一个要点。To be precise, this procedure talks specifically about binding models, focusing on the shape passed to the action, which is what matters for mass assignment purposes.

在应用程序中使用所有输入参数之前必须验证这些参数，确保应用程序能够防御恶意用户输入的攻击。All the input parameters must be validated before they are used in the application to ensure that the application is safeguarded against malicious user inputs. 结合允许列表验证策略，在服务器端使用正则表达式验证来验证输入值。Validate the input values using regular expression validations on server side with a whitelist validation strategy. 传递给方法的未经净化的用户输入/参数可能会导致代码注入安全漏洞。Unsanitized user inputs / parameters passed to the methods can cause code injection vulnerabilities.

对于 Web 应用程序而言，入口点可能还包含窗体字段、QueryStrings、Cookie、HTTP 标头和 Web 服务参数。For web applications, entry points can also include form fields, QueryStrings, cookies, HTTP headers, and web service parameters.

必须针对模型绑定执行以下输入验证检查：The following input validation checks must be performed upon model binding:

• 应该使用 RegularExpression 批注来批注模型属性，以便接受允许的字符，遵守最大允许长度The model properties should be annotated with RegularExpression annotation, for accepting allowed characters and maximum permissible length
• 控制器方法应执行 ModelState 有效性检查The controller methods should perform ModelState validity

找到想要使用的所有静态标记。Identify all static markup tags that you want to use. 常见的做法是限制对安全的 HTML 元素设置格式，例如 <b>（粗体）和 <i>（斜体）。A common practice is to restrict formatting to safe HTML elements, such as <b> (bold) and <i> (italic).

写入数据之前，对其进行 HTML 编码。Before writing the data, HTML-encode it. 这样就能使任何恶意脚本变得安全，因为它会作为文本而不是可执行代码进行处理。This makes any malicious script safe by causing it to be handled as text, not as executable code.

1. 通过在 @ 页面指令中添加 ValidateRequest="false" 特性来禁用 ASP.NET 请求验证Disable ASP.NET request validation by the adding the ValidateRequest="false" attribute to the @ Page directive
2. 使用 HtmlEncode 方法为字符串输入编码Encode the string input with the HtmlEncode method
3. 使用 StringBuilder 并调用其 Replace 方法，有选择性地删除想要允许的 HTML 元素中的编码Use a StringBuilder and call its Replace method to selectively remove the encoding on the HTML elements that you want to permit

页入引用可通过设置 ValidateRequest="false" 来禁用 ASP.NET 请求验证。The page-in the references disables ASP.NET request validation by setting ValidateRequest="false". 它会对输入进行 HTML 编码，并有选择性地允许 <b> 和 <i>。或者，也可以使用 .NET 库进行 HTML 净化。It HTML-encodes the input and selectively allows the <b> and <i> Alternatively, a .NET library for HTML sanitization may also be used.

HtmlSanitizer 是一个 .NET 库，用于清理可能会导致 XSS 攻击的构造中的 HTML 片段和文档。HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. 它使用 AngleSharp 来分析、处理和呈现 HTML 与 CSS。It uses AngleSharp to parse, manipulate, and render HTML and CSS. 可在服务器端以 NuGet 包的形式安装 HtmlSanitizer，通过相关的 HTML 或 CSS 净化方法（如果适用）传递用户输入。HtmlSanitizer can be installed as a NuGet package, and the user input can be passed through relevant HTML or CSS sanitization methods, as applicable, on the server side. 请注意，只有在万不得已的情况下，才应考虑将净化用作安全控制措施。Please note that Sanitization as a security control should be considered only as a last option.

输入验证和输出编码被认为是更好的安全控制措施。Input validation and Output Encoding are considered better security controls.

要求重定向到用户提供的位置的应用程序设计必须将可能的重定向目标限制为站点或域的预定义“安全”列表。Application design requiring redirection to a user-supplied location must constrain the possible redirection targets to a predefined "safe" list of sites or domains. 应用程序中的所有重定向必须闭合且安全。All redirects in the application must be closed/safe.

为此，请按以下步骤操作：To do this:

• 识别所有重定向Identify all redirects
• 针对每个重定向实施适当的缓解措施。Implement an appropriate mitigation for each redirect. 适当的缓解措施包括重定向允许列表或用户确认。Appropriate mitigations include redirect whitelist or user confirmation. 如果包含开放重定向漏洞的某个网站或服务使用 Facebook/OAuth/OpenID 标识提供者，攻击者可以窃取用户的登录令牌该模拟该用户。If a web site or service with an open redirect vulnerability uses Facebook/OAuth/OpenID identity providers, an attacker can steal a user's logon token and impersonate that user. 使用 RFC 6749“The OAuth 2.0 Authorization Framework”（OAuth 2.0 授权框架）第 10.15 部分“Open Redirects”（开放重定向）中所述的 OAuth 时会固有地存在此风险。同样，鱼叉网络钓鱼攻击可以使用开放重定向窃取用户的凭据This is an inherent risk when using OAuth, which is documented in RFC 6749 "The OAuth 2.0 Authorization Framework", Section 10.15 "Open Redirects" Similarly, users' credentials can be compromised by spear phishing attacks using open redirects

SQL 注入攻击利用输入验证中的漏洞在数据库中运行任意命令。A SQL injection attack exploits vulnerabilities in input validation to run arbitrary commands in the database. 如果应用程序使用输入来构造用于访问数据库的动态 SQL 语句，则可能会发生这种攻击。It can occur when your application uses input to construct dynamic SQL statements to access the database. 如果代码使用的存储过程是包含原始用户输入的传递字符串，则也可能会发生这种攻击。It can also occur if your code uses stored procedures that are passed strings that contain raw user input. 攻击者可以使用 SQL 注入式攻击在数据库中执行任意命令。Using the SQL injection attack, the attacker can execute arbitrary commands in the database. 所有 SQL 语句（包括存储过程中的 SQL 语句）必须参数化。All SQL statements (including the SQL statements in stored procedures) must be parameterized. 参数化 SQL 语句会正常接受包含对 SQL 具有特殊含义的字符（如单引号），因为这些字符已强类型化。Parameterized SQL statements will accept characters that have special meaning to SQL (like single quote) without problems because they are strongly typed.

如果使用 Parameters 集合，SQL 会将输入视为文本值而不是可执行代码。If you use the Parameters collection, SQL treats the input is as a literal value rather then as executable code. 使用 Parameters 集合可针对输入数据实施类型和长度约束。The Parameters collection can be used to enforce type and length constraints on input data. 如果值超出范围，将触发异常。Values outside of the range trigger an exception. 如果不使用类型安全的 SQL 参数，攻击者可能会执行嵌入在未筛选输入中的注入式攻击。If type-safe SQL parameters are not used, attackers might be able to execute injection attacks that are embedded in the unfiltered input.

构造 SQL 查询时请使用类型安全的参数，避免未筛选的输入发生 SQL 注入式攻击。Use type safe parameters when constructing SQL queries to avoid possible SQL injection attacks that can occur with unfiltered input. 可在存储过程和动态 SQL 语句中使用类型安全的参数。You can use type safe parameters with stored procedures and with dynamic SQL statements. 数据库将参数视为文本值而不是可执行代码。Parameters are treated as literal values by the database and not as executable code. 此外，应检查参数的类型和长度。Parameters are also checked for type and length.

缺少验证会导致不同类型的注入式攻击。Lack of validation leads to different type injection attacks.

消息验证相当于 WCF 应用程序的一道防线。Message validation represents one line of defense in the protection of your WCF application. 借助这种方式，可以使用架构来验证消息，防止 WCF 服务操作受到恶意客户端的攻击。With this approach, you validate messages using schemas to protect WCF service operations from attack by a malicious client. 验证客户端收到的所有消息，防止客户端受到恶意服务的攻击。Validate all messages received by the client to protect the client from attack by a malicious service. 当操作使用消息约定或数据约定时，可以使用消息验证来验证消息，而使用参数验证则做不到这一点。Message validation makes it possible to validate messages when operations consume message contracts or data contracts, which cannot be done using parameter validation. 使用消息验证可在架构中创建验证逻辑，从而提供更高的灵活性，缩短开发时间。Message validation allows you to create validation logic inside schemas, thereby providing more flexibility and reducing development time. 架构可在组织内的不同应用程序之间重复使用，为数据表示建立标准。Schemas can be reused across different applications inside the organization, creating standards for data representation. 此外，当操作使用涉及到表示业务逻辑的约定的更复杂数据类型时，可以使用消息验证来保护这些操作。Additionally, message validation allows you to protect operations when they consume more complex data types involving contracts representing business logic.

若要执行消息验证，首先需要构建一个架构来表示服务的操作，以及这些操作使用的数据类型。To perform message validation, you first build a schema that represents the operations of your service and the data types consumed by those operations. 然后创建一个 .NET 类，用于实现自定义客户端消息检查器和自定义调度程序消息检查器，以验证与服务之间相互发送/接收的消息。You then create a .NET class that implements a custom client message inspector and custom dispatcher message inspector to validate the messages sent/received to/from the service. 接下来，实现自定义的终结点行为，在客户端和服务中启用消息验证。Next, you implement a custom endpoint behavior to enable message validation on both the client and the service. 最后，在类中实现一个自定义配置元素，以便在服务或客户端的配置文件中公开扩展的自定义终结点行为Finally, you implement a custom configuration element on the class that allows you to expose the extended custom endpoint behavior in the configuration file of the service or the client"

输入和数据验证相当于 WCF 应用程序的一道重要防线。Input and data validation represents one important line of defense in the protection of your WCF application. 应该验证 WCF 服务操作中公开的所有参数，防止服务受到恶意客户端的攻击。You should validate all parameters exposed in WCF service operations to protect the service from attack by a malicious client. 反之，也应该验证客户端收到的所有返回值，防止客户端受到恶意服务的攻击Conversely, you should also validate all return values received by the client to protect the client from attack by a malicious service

WCF 提供不同的扩展点用于通过创建自定义扩展来自定义 WCF 运行时行为。WCF provides different extensibility points that allow you to customize the WCF runtime behavior by creating custom extensions. 消息检查器和参数检查器是两个扩展机制，用于针对在客户端与服务之间传递的数据实施更大力度的控制。Message Inspectors and Parameter Inspectors are two extensibility mechanisms used to gain greater control over the data passing between a client and a service. 应该为输入验证使用参数检查器；仅当需要检查流入和流出服务的整个消息时，才使用消息检查器。You should use parameter inspectors for input validation and use message inspectors only when you need to inspect the entire message flowing in and out of a service.

若要执行输入验证，需要生成一个 .NET 类并实现自定义参数检查器，用于验证服务中操作上的参数。To perform input validation, you will build a .NET class and implement a custom parameter inspector in order to validate parameters on operations in your service. 然后，需要实现自定义的终结点行为，在客户端和服务中启用验证。You will then implement a custom endpoint behavior to enable validation on both the client and the service. 最后，需要在类中实现一个自定义配置元素，以便在服务或客户端的配置文件中公开扩展的自定义终结点行为Finally, you will implement a custom configuration element on the class that allows you to expose the extended custom endpoint behavior in the configuration file of the service or the client