如何只能从我的网站而不是XSS调用myWebservice.asmx(从myJavascript.js调用)?
[英]How can myWebservice.asmx (being called from myJavascript.js), only be callable from my website and not XSS?
问题描述
Is there any best practices techniques that would greatly improve the security of the asp.net application, when Javascript is directly submitting data from the html/form to the asp.net/c# webservice like this: 
当Javascript直接将html / form中的数据提交到asp.net/c# webservice时,是否有任何最佳实践技术可以大大提高asp.net应用程序的安全性,如下所示:
HTML: HTML:
<input type="text" id="txtData" />
<input type="button" onclick="SendData()" />
JAVASCRIPT: JAVASCRIPT:
function SendData()
{
var userData = document.getElementById('txtData').value;
MyWebservice.DoSomething(userData, SendData_Result);
}
function SendData_Result(result)
{
//handle output displayed to user from 'result'
}
Webservice/ASMX: Web服务/ ASMX:
[WebService(Namespace = "http://tempuri.org/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
[ScriptService]
public class MyWebservice : System.Web.Services.WebService
{
public MyWebservice() { }
[WebMethod]
public string DoSomething(string userInputGoesHere)
{
//how to make sure the user input is valid?
}
}
For example, if www.SomeBadGuysSite.com sends XSS via either referencing and manipulating the javascript on my site, OR they directly reference the webservice itself... - how can I try to enforce that the input came from my website and not from the bad guy's website or PC? 例如,如果www.SomeBadGuysSite.com通过引用和操作我网站上的javascript发送XSS,或者他们直接引用了Web服务本身...-我该如何尝试强制输入内容来自我的网站而不是来自坏人的网站或PC?
- and I'm not concerned about what data is in the textbox, only to attempt to make sure the only time the webservice can be called is from my html/forms page. -并且我不关心文本框中的数据是什么,只是试图确保可以调用Webservice的唯一时间是在我的html / forms页面中。
Note: I am using Forms Authentication and only authenticated users can access any pages or webservices. 注意:我使用的是表单身份验证,只有经过身份验证的用户才能访问任何页面或Web服务。 However, if a bad guy is authenticated on my website, but runs his own malicious code from his website or PC, wouldnt my site think he is already authenticated anyway and allow him to submit data to the webservice? 但是,如果一个坏人在我的网站上通过了身份验证,但是从他的网站或PC上运行了自己的恶意代码,我的网站是否会认为他已经通过了身份验证并允许他向Web服务提交数据?
I'm wondering if encrypted cookies could play any part in fixing this security problem? 我想知道加密的cookie是否可以在解决此安全问题方面发挥任何作用? (and for reasons not worth getting into, using Sessions/SessionState is not an option for me) (由于不值得讨论的原因,使用Sessions / SessionState对我来说不是一种选择)
1 个解决方案
解决方案1
0 2011-01-03 05:12:39
From Building Secure Web Services : 通过构建安全的Web服务 :
Web services that provide sensitive or restricted information should authenticate and authorize their callers.
The Authentication section should give you some ideas. 身份验证部分应给您一些想法。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.