Ajax安全性和代码隐藏功能
[英]Ajax Security and code-behind functions
问题描述
EDIT: I know you should never trust client side... My question is what can I use to validate since at the current moment I'm expecting three parameters two of which rely on the client side form (registration email, and email message) 
编辑:我知道你永远不应该信任客户端...我的问题是,我可以用什么来进行验证,因为目前我期望三个参数中的两个依赖于客户端表单(注册电子邮件和电子邮件)
I'm probably going about this the wrong way but it seems like Ajax isn't very secure (well duh..It's client side..) How would you go about creating a function so it cannot be called Via the console by intruders? 我可能会采用错误的方式,但似乎Ajax并不十分安全(嗯,这是客户端。)您将如何创建一个函数,使其不能被入侵者通过控制台调用?
So let's say I have a function called SendMail that accepts the to,message and from parameters in which it sends an ajax request to the code behind to send the email. 假设我有一个名为SendMail的函数,该函数接受to,message和from参数,在该参数中,它向后面的代码发送ajax请求以发送电子邮件。
what can I add that would prevent you from opening the console, recreating my function (except with literal variables ) and executing it via the console? 我可以添加些什么来阻止您打开控制台,重新创建函数(使用文字变量除外)并通过控制台执行它?
Code Behind: 背后的代码:
<WebMethod()> _
<ScriptMethod(ResponseFormat:=ResponseFormat.Json)>
Public Shared Sub sendMail(subject As String, userEmail As String(), message As String)
Dim fromEmail As String = "supah@domain.com"
Dim fromAbrv As String = "hidden Tiger"
Try
Dim mail As New MailMessage()
Dim smtp As New SmtpClient("server.domain")
mail.From = New MailAddress(fromEmail, fromAbrv)
For i As Integer = 0 To userEmail.Length - 1
mail.[To].Add(userEmail(i))
Next
mail.Subject = subject
mail.Body = message
mail.IsBodyHtml = True
smtp.Send(mail)
Catch exc As Exception
Throw exc
End Try
End Sub
2 个解决方案
解决方案1
2 2014-04-02 18:53:38
You cannot trust your clientside code to prevent the client from anything at all. 您无法信任客户端代码以完全阻止客户端执行任何操作。 Never ever trust the client. 永远不要相信客户。 Treat every single request as tampered with and malicious. 将每一个请求视为被篡改和恶意的。
Even if you managed to "protect" that function, an attacker could just fake the whole request. 即使您设法“保护”该功能,攻击者也可以伪造整个请求。
Validate your parameters serverside. 在服务器端验证参数。
解决方案2
1 已采纳 2014-04-02 19:16:39
Structure your registration process in a way that prevents this up front. 以一种避免这种情况的方式来构造您的注册过程。
First, when the registration form is submitted to the server, check for an existing user with that email address. 首先,将注册表单提交到服务器后,检查具有该电子邮件地址的现有用户。 If one exists, return an error message. 如果存在,则返回错误消息。
If the user doesn't exist, create a new record for the user and flag it as not activated. 如果该用户不存在,请为该用户创建一个新记录,并将其标记为未激活。 Next, send the user a registration email with a url that when clicked, activates the account. 接下来,向用户发送带有url的注册电子邮件,单击该URL即可激活该帐户。 Do not include any of the information from the original form in this email! 请勿在此电子邮件中包含原始表格中的任何信息!
with it setup that way, the most any malicious user can do is send a single activation email to someone. 通过这种方式进行设置,恶意用户最能做的就是向某人发送一封激活电子邮件。
As far as the reset password form, it shouldn't be possible to use it to send emails to users other than the existing user because you should check the email address in the database, then use the one from the database rather than from the form. 至于重设密码表单,应该不能使用它向现有用户以外的其他用户发送电子邮件,因为您应该检查数据库中的电子邮件地址,然后从数据库而不是表单中使用该电子邮件地址。 。 Additionally, you should never send the password in an email, instead send a link in an email that sends the user to a page where they can enter a new password. 此外,您绝不要在电子邮件中发送密码,而应在电子邮件中发送链接,以将用户发送到他们可以输入新密码的页面。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.