Securing a Web Method

Question

Say I've got a method in c# MVC to send email with ajax, like:

public class mailController : Controller {

        SmtpClient mailserver = new SmtpClient("smtp.foo.com");

        public string send(string from, string to, string subject = "", string body = "", string cc = "", string bcc = "") {
            MailMessage message = new MailMessage(from, to, subject, body);
            if (cc.Length > 0) {
                message.CC.Add(cc);
            }
            if (bcc.Length > 0) {
                message.Bcc.Add(bcc);
            }
            mailserver.Send(message);
            return "MessageSent";
        }
    }

Is there anything I can do to make this more secure? I mean, as it stands anyone can type the relevant info into their address bar. http://www.foo.com/mail/send?from=etc If I want to use this for form submission, I can't password protect it, or I'd have to use that in the javascript, which is easy to find. I considered setting a cookie and using that as authentication, but that only goes so far. Is there a standard procedure for protecting ajax methods?

Answer 1

您需要在服务器上验证参数是否符合您的要求。

Answer 2

You need to implement a secure session token, to prevent unauthorized users (those without valid sessions) from being able to send an email. This is basically no different than any other cross site request forgery (CSRF) attack vector. If you need any additional information just Google 'CSRF protection ASP.NET`' or similar to get some more concrete examples of how to do this.

Answer 3

Your requirements sound mutually exclusive.

If you do want to leave it public, but you don't want it abused, then maybe you could provide some sort of throttle where you only allow x number of requests from a specific IP address.

You can also use mailto: in an HTMLform to prompt the client to send the email.

Answer 4

首先，您可以随时存储访问您的控制器的IP，如果相同的IP尝试以您定义的特定频率发送邮件，您可以阻止它阻止它...第二，您可以在邮件中生成随机数将发送给控制器的页面 - >这将允许您验证邮件是从您的站点发送的，而不是从第三方发送的