
Obtaining the CSRF Token ID from web site using c#

I have a situation where I will have to download a file from a website. It is a secured site (https) and it also requires client certificate authentication.

I have a client certificate and managed to get in. After logging in, when I tried to download the file, I was not able to download it. In turn, the file contains HTML with a csrftoken. How do I get this token ID? In order to download the file I need this token. Could someone share what kind of authentication this is, and how I can get the CSRF token ID using C#?

Thanks

It is not authentication. It's security to prevent cross site request forgery.

The technique is:

  • Any state changing operation requires a secure random token (eg CSRF token) to prevent against CSRF attacks.
  • Unique per user & per user session
  • Tied to a single user session
  • Large random value
  • Generated by a cryptographically secure random number generator
  • The CSRF token is added as a hidden field for forms or within the URL if the state changing operation occurs via a GET
  • The server rejects the requested action if the CSRF token fails validation

In your case the workflow should be near to this:

  1. Client makes a request (typically an HTTP GET) to see info on their screen.
  2. The response HTML has a hidden field in the generated form with the CSRF token.
  3. Client makes a POST when clicking on a button with the following data: identification of the file he wants to download and the CSRF token.
  4. Server checks that this token is valid for this POST.
  5. Server sends the file bytes to the response stream.

So, if you want to download a file programmatically with C# I think that you should do a GET first as if you were a web browser; retrieve the CSRF token by parsing the response HTML and send a POST with the file and the CSRF token.
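The GET-then-POST flow described in the answer, written out as an added example (this is not code from the question or the answer above). It assumes hypothetical URLs (`https://example.invalid/download`), a PFX client certificate at `client.pfx`, a hidden field named `csrftoken`, and a form parameter `fileId`; inspect the real form to find the actual names. The important detail for the flow to work is that both requests share one `CookieContainer`: the server ties the token to the session cookie it set on the GET, so a token sent on a different session is rejected.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using System.Threading.Tasks;

class CsrfDownloader
{
    // Assumed values: the page does not name the real site, form fields or certificate.
    const string FormUrl = "https://example.invalid/download";   // page that renders the form
    const string PostUrl = "https://example.invalid/download";   // the form's action target
    const string CertPath = "client.pfx";                        // client certificate (authentication)
    const string CertPassword = "changeit";
    const string TokenFieldName = "csrftoken";                   // hidden field name, assumed
    const string FileIdFieldName = "fileId";                     // form parameter, assumed

    static async Task Main()
    {
        // One cookie container for both requests: the CSRF token is only valid
        // together with the session cookie the server set when it issued the token.
        var cookies = new CookieContainer();
        var handler = new HttpClientHandler
        {
            CookieContainer = cookies,
            UseCookies = true,
            ClientCertificateOptions = ClientCertificateOption.Manual,
        };
        handler.ClientCertificates.Add(new X509Certificate2(CertPath, CertPassword));

        using var client = new HttpClient(handler);

        // Step 1: GET the page as a browser would. The server sets the session cookie
        // and embeds the CSRF token in a hidden form field.
        string html = await client.GetStringAsync(FormUrl);

        // Step 2: pull the token out of the hidden field.
        string token = ExtractHiddenField(html, TokenFieldName)
            ?? throw new InvalidOperationException("CSRF token not found in the form HTML");

        // Step 3: POST the file identifier together with the token on the same session.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            [TokenFieldName] = token,
            [FileIdFieldName] = "12345",   // constructed sample file id
        });
        using HttpResponseMessage response = await client.PostAsync(PostUrl, form);
        response.EnsureSuccessStatusCode();   // the server answers 403 or similar if the token fails validation

        // Step 4: the response body is the file bytes.
        byte[] bytes = await response.Content.ReadAsByteArrayAsync();
        await File.WriteAllBytesAsync("downloaded.bin", bytes);
        Console.WriteLine($"Saved {bytes.Length} bytes");
    }

    // Finds the value of <input ... name="NAME" ... value="VALUE"> regardless of
    // attribute order. Returns null when no such input exists.
    public static string ExtractHiddenField(string html, string name)
    {
        foreach (Match tag in Regex.Matches(html, "<input\\b[^>]*>", RegexOptions.IgnoreCase))
        {
            var nameMatch = Regex.Match(tag.Value,
                "\\bname\\s*=\\s*[\"']?" + Regex.Escape(name) + "[\"'\\s>]",
                RegexOptions.IgnoreCase);
            if (!nameMatch.Success) continue;

            var valueMatch = Regex.Match(tag.Value,
                "\\bvalue\\s*=\\s*[\"']([^\"']*)[\"']",
                RegexOptions.IgnoreCase);
            if (valueMatch.Success)
                return WebUtility.HtmlDecode(valueMatch.Groups[1].Value);
        }
        return null;
    }
}
```

Note the separation of concerns the answer points out: the client certificate on the handler is what authenticates you, while the token only proves the POST originated from a page the server itself rendered for your session. If the server rotates the token on every form render, reuse the token from the most recent GET rather than caching it across downloads.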
