防止asp.net表单中的跨站点请求伪造攻击
防止asp.net表单中的跨站点请求伪造攻击
提问于 2015-04-29 09:28:17
我使用VisualStudio2013创建了一个ASP.Net Web应用程序,并且使用了.NET Framework4.5。为了确保我的站点不受跨站点请求伪造(CSRF)的影响,我发现很多文章都在讨论这个特性是如何在MVC应用程序上实现的,但是很少有人谈论Web表单。在这个StackOverflow问题上,一条评论说
“这是一个老问题,但最新的Visual 2012 web窗体ASP.NET模板包含了母版页中的反CSRF代码。如果没有模板,下面是它生成的代码:.”
我的主页不包含该答案中提到的代码。它真的包括在新的应用程序中吗?如果没有,添加它的最佳方法是什么?
回答 4
Stack Overflow用户
回答已采纳
发布于 2015-04-30 07:53:13
ViewStateUserKey &双提交Cookie
从Visual 2012开始,Microsoft将内置的CSRF保护添加到新的web窗体应用程序项目中。若要利用此代码,请向解决方案中添加一个新的ASP应用程序,并查看页面后面的.NET代码。此解决方案将对从Site.Master页面继承的所有内容页应用CSRF保护。
要使这一解决方案发挥作用,必须满足以下要求:
所有进行数据修改的web表单都必须使用Site.Master页面。所有进行数据修改的请求都必须使用ViewState。网站必须没有所有跨站点脚本(XSS)漏洞。有关详细信息,请参阅如何使用修复跨站点脚本( .Net )。
public partial class SiteMaster : MasterPage
{
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;
protected void Page_Init(object sender, EventArgs e)
{
//First, check for the existence of the Anti-XSS cookie
var requestCookie = Request.Cookies[AntiXsrfTokenKey];
Guid requestCookieGuidValue;
//If the CSRF cookie is found, parse the token from the cookie.
//Then, set the global page variable and view state user
//key. The global variable will be used to validate that it matches
//in the view state form field in the Page.PreLoad method.
if (requestCookie != null
&& Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
{
//Set the global token variable so the cookie value can be
//validated against the value in the view state form field in
//the Page.PreLoad method.
_antiXsrfTokenValue = requestCookie.Value;
//Set the view state user key, which will be validated by the
//framework during each request
Page.ViewStateUserKey = _antiXsrfTokenValue;
}
//If the CSRF cookie is not found, then this is a new session.
else
{
//Generate a new Anti-XSRF token
_antiXsrfTokenValue = Guid.NewGuid().ToString("N");
//Set the view state user key, which will be validated by the
//framework during each request
Page.ViewStateUserKey = _antiXsrfTokenValue;
//Create the non-persistent CSRF cookie
var responseCookie = new HttpCookie(AntiXsrfTokenKey)
{
//Set the HttpOnly property to prevent the cookie from
//being accessed by client side script
HttpOnly = true,
//Add the Anti-XSRF token to the cookie value
Value = _antiXsrfTokenValue
};
//If we are using SSL, the cookie should be set to secure to
//prevent it from being sent over HTTP connections
if (FormsAuthentication.RequireSSL &&
Request.IsSecureConnection)
{
responseCookie.Secure = true;
}
//Add the CSRF cookie to the response
Response.Cookies.Set(responseCookie);
}
Page.PreLoad += master_Page_PreLoad;
}
protected void master_Page_PreLoad(object sender, EventArgs e)
{
//During the initial page load, add the Anti-XSRF token and user
//name to the ViewState
if (!IsPostBack)
{
//Set Anti-XSRF token
ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
//If a user name is assigned, set the user name
ViewState[AntiXsrfUserNameKey] =
Context.User.Identity.Name ?? String.Empty;
}
//During all subsequent post backs to the page, the token value from
//the cookie should be validated against the token in the view state
//form field. Additionally user name should be compared to the
//authenticated users name
else
{
//Validate the Anti-XSRF token
if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
|| (string)ViewState[AntiXsrfUserNameKey] !=
(Context.User.Identity.Name ?? String.Empty))
{
throw new InvalidOperationException("Validation of " +
"Anti-XSRF token failed.");
}
}
}
}Stack Overflow用户
发布于 2016-03-22 11:05:31
你可以试试以下的方法。在Web表单中添加:
<%= System.Web.Helpers.AntiForgery.GetHtml() %>这将添加一个隐藏字段和一个cookie。因此,如果您填写了一些表单数据并将其回发到服务器,则需要进行简单的检查:
protected void Page_Load(object sender, EventArgs e)
{
if (IsPostBack)
AntiForgery.Validate(); // throws an exception if anti XSFR check fails.
}如果反XSFR检查失败,AntiForgery.Validate();将引发异常。
Stack Overflow用户
发布于 2015-04-29 10:19:54
当您在VS 2013年创建一个新的“”项目时,site.master.cs将自动将XSRF/CSRF代码包含在类的Page_Init部分中。如果您仍然没有得到生成的代码,您可以手动Copy + Paste代码。如果您使用的是C#,请使用以下内容:-
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;
protected void Page_Init(object sender, EventArgs e)
{
// The code below helps to protect against XSRF attacks
var requestCookie = Request.Cookies[AntiXsrfTokenKey];
Guid requestCookieGuidValue;
if (requestCookie != null && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
{
// Use the Anti-XSRF token from the cookie
_antiXsrfTokenValue = requestCookie.Value;
Page.ViewStateUserKey = _antiXsrfTokenValue;
}
else
{
// Generate a new Anti-XSRF token and save to the cookie
_antiXsrfTokenValue = Guid.NewGuid().ToString("N");
Page.ViewStateUserKey = _antiXsrfTokenValue;
var responseCookie = new HttpCookie(AntiXsrfTokenKey)
{
HttpOnly = true,
Value = _antiXsrfTokenValue
};
if (FormsAuthentication.RequireSSL && Request.IsSecureConnection)
{
responseCookie.Secure = true;
}
Response.Cookies.Set(responseCookie);
}
Page.PreLoad += master_Page_PreLoad;
}
protected void master_Page_PreLoad(object sender, EventArgs e)
{
if (!IsPostBack)
{
// Set Anti-XSRF token
ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
ViewState[AntiXsrfUserNameKey] = Context.User.Identity.Name ?? String.Empty;
}
else
{
// Validate the Anti-XSRF token
if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
|| (string)ViewState[AntiXsrfUserNameKey] != (Context.User.Identity.Name ?? String.Empty))
{
throw new InvalidOperationException("Validation of Anti-XSRF token failed.");
}
}
}页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/29939566
复制相关文章
相似问题
腾讯云开发者
