AntiForgeryToken如何工作?
[英]How does AntiForgeryToken work?
问题描述
I am applying Security to my .net 3.5 mvc2 web application. 
我正在将安全性应用到.net 3.5 mvc2 Web应用程序。 My website doesn't contain any user authentication and consists of many ajax calls in .js files 我的网站不包含任何用户身份验证,并且由.js文件中的许多ajax调用组成
In my .aspx file I wrote 在我的.aspx文件中,我写了
<%= Html.AntiForgeryToken() %>
In my .js file function I wrote 在我的.js文件函数中,我写了
$(document).ready(function() {
var token = $('input[name=__RequestVerificationToken]').val();
$.ajax({
url: "/Home/getCurrentLanguage/" + Math.random(),
cache: false,
type: "POST",
async: false,
data: {"__RequestVerificationToken":token},
success: function(data) {
if (data == "mr") {
alert("its Marathi");
} else {
alert("its English huh !!!");
}
return false;
},
error: function(data) {
alert("some Error" + data);
}
});
});
In my Controller I wrote 在我的控制器中,我写道
[AcceptVerbs(HttpVerbs.Post), ValidateAntiForgeryToken]
public JsonResult getCurrentLanguage(string id)
{
return new JsonResult
{
Data = "mr"
};
}
This works fine for me, but I have 2 Questions 这对我来说很好,但是我有2个问题
Q1. Q1。 Is it the correct approach ? 这是正确的方法吗? If I see the page source, I found this code 如果我看到页面源代码,则发现此代码
<input name="__RequestVerificationToken" type="hidden" value="WFd+q5Mz0K4RHP7zrz+gsloXpr8ju8taxPJmrLO7kbPVYST9zzJZenNHBZqgamPE1KESEj5R0PbNA2c64o83Ao8w8z5JzwCo3zJKOKEQQHg8qSzClLdbkSIkAbfCF5R6BnT8gA==" />
but when I created the external html file and copy this value of __RequestVerificationToken and pass in ajax call, I am getting this error 但是当我创建外部html文件并复制__RequestVerificationToken的值并传递ajax调用时,出现此错误
A required anti-forgery token was not supplied or was invalid. 没有提供必需的防伪令牌或该令牌无效。 then 然后
Q2. Q2。 How does runtime know that this page is supplying the copied __RequestVerificationToken? 运行时如何知道此页面正在提供复制的__RequestVerificationToken?
1 个解决方案
解决方案1
2 已采纳 2012-07-31 16:11:18
This "AntiForgeryToken" is in place to prevent Cross-Site Request Forgery attacks. 该“ AntiForgeryToken”可以防止跨站请求伪造攻击。 This system can be undermined by an attacker if your application suffers from a Cross-Site Scripting vulnerability. 如果您的应用程序遇到跨站点脚本漏洞,则攻击者可能会破坏该系统。
This token prevents CSRF attacks because due to the same-origin policy the attacker can send requests but he cannot read the token off of the page to make the request succeed (unless he has an xss vulnerability). 此令牌可防止CSRF攻击,因为由于同源策略 ,攻击者可以发送请求,但他无法从页面读取令牌以使请求成功(除非他具有xss漏洞)。
As for Q2, this value must be unique per user and therefore updated each time the page loads. 对于第二季度,此值对于每个用户必须是唯一的,因此每次页面加载时都会更新。 If its just a static value, then its useless at stopping CSRF because the attacker will know this same static value. 如果它只是一个静态值,那么它在停止CSRF时就没有用了,因为攻击者会知道这个相同的静态值。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.