Intranet站点容易受到CSRF攻击吗?
[英]Are intranet sites vulnerable to CSRF?
问题描述
I have developed and deployed an MVC5 .NET app which runs within an intranet and uses LDAP to authenticate users. 
我已经开发并部署了一个MVC5 .NET应用程序,该应用程序在Intranet中运行,并使用LDAP来验证用户身份。 Since MVC 5 gives you the @Html.Antiforgery() by default I used them in every from. 由于MVC 5在默认情况下为您提供了@ Html.Antiforgery(),因此我在每一项中都使用了它们。 However in production where the app is running in multiple nodes I'm having problems with the tokens when sessions expire etc. 但是在应用程序在多个节点中运行的生产环境中,会话期满等时,令牌存在问题。
So i was wondering if I should even be using them in the first place or if I could just remove them since the site runs on an intranet. 所以我想知道我是否应该一开始就使用它们,或者由于该站点在Intranet上运行,是否可以删除它们。
1 个解决方案
解决方案1
2 已采纳 2015-06-10 17:23:42
Yes, they are. 对,他们是。 For example, a malicious user could send one of your employees and email containing a clear GIF with a URL that points at one of your intranet pages, or an employee could visit a web page that contains javascript that posts to one of your intranet pages. 例如,恶意用户可以发送您的一名员工和一封电子邮件,其中包含带有指向您的Intranet页面之一的URL的清晰GIF,或者某个员工可以访问包含javascript的网页,该Javascript发布到您的Intranet页面之一。
The mitigation for the clear GIF attack is to design your intranet site so that GET requests never update state or perform sensitive operations. 清除GIF攻击的缓解措施是设计您的Intranet站点,以便GET请求永远不会更新状态或执行敏感操作。
The mitigation for the script/post attack is to include a CSRF token in all of your forms. 缓解脚本/后攻击的方法是,在所有表单中都包含CSRF令牌。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.