Preventing Request.Form abuse

Question

Hi,

See the previous thread Request.Form abuse in this newsgroup...

I'm looking for a simple and efficient way to prevent people hijacking the
<form> tags on my websites and using them to send spam. I would imagine
they're using the HttpWebRequest method for this.

Essentially, it would require a property on a WebForm that indicates whether
it is *only* for PostBack (true by default, but configurable), which would
cause any client POST request which is not from the URL of the page itself
to be ignored.

Alternatively, a "global" flag which could be set in web.config.

I think this would be of great benefit to everyone, as this sort of attack
is clearly becoming more and more common.

Does anyone have any suggestions for a good way to implement this?

I'm sure, as a group, we could come up with something really solid which
would help us all - as Juan said, we're all up the creek with this.

Let's get our thinking caps on, guys...

Who knows - we might even let Microsoft use it in a future version of
ASP.NET... ;-)

Mark

Solution

"Mark Rae" <ma**@markNOSPAMrae.com> wrote in message
news:OU**************@TK2MSFTNGP04.phx.gbl...

> Hi,
>
> See the previous thread Request.Form abuse in this newsgroup...
>
> I'm looking for a simple and efficient way to prevent people hijacking the
> <form> tags on my websites and using them to send spam. I would imagine
> they're using the HttpWebRequest method for this.
>
> Essentially, it would require a property on a WebForm that indicates
> whether it is *only* for PostBack (true by default, but configurable),
> which would cause any client POST request which is not from the URL of the
> page itself to be ignored.
>
> Alternatively, a "global" flag which could be set in web.config.
>
> I think this would be of great benefit to everyone, as this sort of attack
> is clearly becoming more and more common.
>
> Does anyone have any suggestions for a good way to implement this?
>
> I'm sure, as a group, we could come up with something really solid which
> would help us all - as Juan said, we're all up the creek with this.
>
> Let's get our thinking caps on, guys...
>
> Who knows - we might even let Microsoft use it in a future version of
> ASP.NET... ;-)
>
> Mark

I'll start with a suggestion and see where the holes spring from!

A list of forms that are only subject to postback on submission is easy to
create and could reside in web.config (or anywhere cacheable) - crude, but we
can think of another way later. A begin request intercepted in an
ihttpmodule could verify the ispostback property of any request. If it's not
a postback form, and is in the list of forms that require postback then dump
the request and return a redirect to some random fictitious URL. It won't
even touch the actual form being requested.

--
--
Regards

John Timney (MVP)
VISIT MY WEBSITE:
http://www.johntimney.com
http://www.johntimney.com/blog

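An added example, not code from the thread or from either poster, of the IHttpModule John describes for the System.Web pipeline: pages listed in web.config only get to run when a POST looks like a genuine postback, and everything else is dumped before the form is touched. The module name and the appSettings key `postbackOnlyPages` are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Web;

// Pages listed in web.config accept POSTs only when they look like genuine postbacks.
// The appSettings key name "postbackOnlyPages" is an assumption for this example, e.g.
//   <add key="postbackOnlyPages" value="/contact.aspx;/feedback.aspx" />
public class PostbackOnlyModule : IHttpModule
{
    private static readonly HashSet<string> PostbackOnlyPages = LoadList();

    private static HashSet<string> LoadList()
    {
        string raw = ConfigurationManager.AppSettings["postbackOnlyPages"] ?? "";
        var set = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (string p in raw.Split(new[] { ';' }, StringSplitOptions.RemoveEmptyEntries))
            set.Add(p.Trim());
        return set;
    }

    public void Init(HttpApplication app) { app.BeginRequest += OnBeginRequest; }
    public void Dispose() { }

    private static void OnBeginRequest(object sender, EventArgs e)
    {
        var app = (HttpApplication)sender;
        HttpRequest req = app.Context.Request;
        if (!PostbackOnlyPages.Contains(req.Path)) return;                 // unlisted page
        if (!req.HttpMethod.Equals("POST", StringComparison.OrdinalIgnoreCase)) return;
        if (IsGenuinePostback(req)) return;

        // Dump the request before the page handler ever runs. A 403 is used here
        // instead of the thread's redirect to a fictitious URL; the form is never reached.
        app.Context.Response.StatusCode = 403;
        app.Context.Response.SuppressContent = true;
        app.CompleteRequest();
    }

    // An IHttpModule has no Page.IsPostBack, so "postback" is inferred from what the
    // rendered page always sends back: the __VIEWSTATE hidden field plus a Referer on the
    // site's own host. Both can be fabricated by a scripted client, so this stops only
    // naive bots; a per-session nonce in a hidden field, compared here, binds POST to page.
    internal static bool IsGenuinePostback(HttpRequest req)
    {
        bool hasViewState = !string.IsNullOrEmpty(req.Form["__VIEWSTATE"]);
        bool sameHost = req.UrlReferrer != null
            && req.UrlReferrer.Host.Equals(req.Url.Host, StringComparison.OrdinalIgnoreCase);
        return hasViewState && sameHost;
    }
}
```

Register the module under `<system.web><httpModules>` (classic pipeline) or `<system.webServer><modules>` (IIS integrated pipeline); a POST with a blank or missing `__VIEWSTATE` to a listed page then gets a 403 without the page class being instantiated.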

"John Timney (MVP)" <x_****@timney.eclipse.co.uk> wrote in message
news:9c******************************@eclipse.net.uk...

John,

> A list of forms that are only subject to postback on submission is easy to
> create and could reside in web.config (or anywhere cacheable) - crude, but
> we can think of another way later. A begin request intercepted in an
> ihttpmodule could verify the ispostback property of any request. If it's
> not a postback form, and is in the list of forms that require postback
> then dump the request and return a redirect to some random fictitious URL.
> It won't even touch the actual form being requested.

I like it!

If we were to use a real rather than a fictitious URL for the redirect, do
you think that would be a good thing or a bad thing? I guess it would be a
bad thing because (I suppose) it would look to the target URL that the
posting was coming from our IP address rather than the spammer's IP
address...

Being based in the UK, I think I would find it rather satisfying if the
spammers suddenly found themselves trying to post here:
http://www.met.police.uk/computercrime/

:-)


I think I would redirect them to a large video file on one of the online
video places which may well crash their program with the size of the
response. That said, it's not fair to send them to someone else's server and
use their bandwidth, hence the suggestion of the fictitious URL.

On detecting an attempt to use a postback it would actually be quite easy to
also block their IP real time in the filter, so any future request from them
was always dropped or always resulted in a large video being sent as the
response. It would be a one hit system.

I've done most of what we're discussing in the past on net 1.1, but not for
this reason so the code should be very easy to put together.......I'm still
waiting for people to find holes in the suggestion though - Juan's a likely
candidate for sinking my idea......lol

--
--
Regards

John Timney (MVP)
VISIT MY WEBSITE:
http://www.johntimney.com
http://www.johntimney.com/blog

"Mark Rae" <ma**@markNOSPAMrae.com> wrote in message
news:ed**************@TK2MSFTNGP03.phx.gbl...

> "John Timney (MVP)" <x_****@timney.eclipse.co.uk> wrote in message
> news:9c******************************@eclipse.net.uk...
>
> John,
>
>> A list of forms that are only subject to postback on submission is easy
>> to create and could reside in web.config (or anywhere cacheable) - crude,
>> but we can think of another way later. A begin request intercepted in an
>> ihttpmodule could verify the ispostback property of any request. If it's
>> not a postback form, and is in the list of forms that require postback
>> then dump the request and return a redirect to some random fictitious
>> URL. It won't even touch the actual form being requested.
>
> I like it!
>
> If we were to use a real rather than a fictitious URL for the redirect, do
> you think that would be a good thing or a bad thing? I guess it would be a
> bad thing because (I suppose) it would look to the target URL that the
> posting was coming from our IP address rather than the spammer's IP
> address...
>
> Being based in the UK, I think I would find it rather satisfying if the
> spammers suddenly found themselves trying to post here:
> http://www.met.police.uk/computercrime/
>
> :-)


