stackoom
  简体   繁体   中英

Are intranet sites vulnerable to CSRF?

 原文  2015-06-10 14:44:30       asp.net/ asp.net-mvc/ razor/ asp.net-mvc-5

Question

I have developed and deployed an MVC5 .NET app which runs within an intranet and uses LDAP to authenticate users. Since MVC 5 gives you the @Html.Antiforgery() by default I used them in every from. However in production where the app is running in multiple nodes I'm having problems with the tokens when sessions expire etc.

So i was wondering if I should even be using them in the first place or if I could just remove them since the site runs on an intranet.

1 answers

solution1
 2 ACCPTED  2015-06-10 17:23:42

Yes, they are. For example, a malicious user could send one of your employees and email containing a clear GIF with a URL that points at one of your intranet pages, or an employee could visit a web page that contains javascript that posts to one of your intranet pages.

The mitigation for the clear GIF attack is to design your intranet site so that GET requests never update state or perform sensitive operations.

The mitigation for the script/post attack is to include a CSRF token in all of your forms.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question How can an API application be vulnerable to CSRF? How to force intranet sites browser into IE8 Quirks Mode? wkhtmltopdf not working on intranet sites using C# MVC3 Reg expression to include intranet sites that dont end in .com / .net / etc Shouldn't “X-UA-Compatible IE=edge” header override “Display intranet sites in Compatibility View” in IE10? is this code vulnerable to SQL Injections? Is it vulnerable to ASP Padding oracle Preparedquery vulnerable to Sql injection WebClient Credentials SharePoint Intranet Get intranet authenticated user
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM