Secure way to Delete a record in ASP.Net MVC


Question

I want to delete a product from my ASP.Net MVC 5 website. I want to know if adding [AntiForgeryToken] and [Authorize] is enough to secure the Delete operation?

View

 <p>Delete: @Model.Name</p>
 @* Route values are the third argument of this BeginForm overload; passed as the last argument they become HTML attributes, not route data. The controller name is "Product" (MVC appends "Controller" itself). *@
 @using (Html.BeginForm("Delete", "Product", new { ProductId = Model.ProductId }, FormMethod.Post))
 {
    @Html.AntiForgeryToken()
    <button type="submit">Delete</button>
 }

Controller

[HttpPost]
[Authorize]
[ValidateAntiForgeryToken]
public ActionResult Delete(long ProductId)
{
    /* Do I need to check if the logged in User has permission to delete the product?
    var product = ProductRepository.Get(ProductId);
    if (product.Creator == User.Identity.GetUserId<long>())
    {
        ProductRepository.Delete(ProductId);
    }
    */

    // or, can I avoid the trip to DB and just delete the record?
    ProductRepository.Delete(ProductId);
    return RedirectToAction("Index");
}

Scenario: A hacker registers on my website and creates a valid account. Now the hacker views his own product and obviously he has an AntiForgeryToken. Can he now just change the ProductId in the browser and POST a request to delete someone else's product?

Recommended answer

Short answer: that is not enough.

Antiforgery tokens just say that the person making the original page request is the person making the update.

The base authorize attribute just verifies that the user is logged in.

What you are looking for is data security. There's an example of this on Microsoft's own site.

What you've stated in your last paragraph: a hacker can sign up for an account, create their own list of products, and, given what you show them in the URL, could guess other legitimate records to edit.

Say you have a URL

https://example.com/product/edit/13

what stops the user/hacker from guessing

https://example.com/product/edit/12 or https://example.com/product/edit/14

Without security at the data level that says what records a user can or can't access/update, you run into a situation where a malicious user could see or edit all kinds of information.

This is the exact scenario that FISERV found to expose other client information

From the article:

Hermansen had signed up to get email alerts any time a new transaction posted to his account, and he noticed the site assigned his alert a specific "event number." Working on a hunch that these event numbers might be assigned sequentially and that other records might be available if requested directly, Hermansen requested the same page again but first edited the site’s code in his browser so that his event number was decremented by one digit.
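The data-level check the answer calls for, written out as an added example (this is not code from the question, the answer, or Microsoft's sample). It assumes the names from the question (`Product`, `Creator`, a product repository, a `long` user id via `GetUserId<long>()`) and a hypothetical repository method `DeleteOwnedBy` that includes the owner in the delete statement itself, so the ownership check and the delete are one operation rather than a read followed by a separate write.

```csharp
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Hypothetical domain types, modelled on the names used in the question.
public class Product
{
    public long ProductId { get; set; }
    public long Creator { get; set; }   // user id of the owner
    public string Name { get; set; }
}

public interface IProductRepository
{
    Product Get(long productId);

    // Hypothetical: deletes the row only if it belongs to ownerId
    // (e.g. DELETE ... WHERE ProductId = @id AND Creator = @owner)
    // and returns the number of rows affected.
    int DeleteOwnedBy(long productId, long ownerId);
}

public class ProductController : Controller
{
    private readonly IProductRepository _products;

    public ProductController(IProductRepository products)
    {
        _products = products;
    }

    // Confirmation page. Only the owner ever sees the delete form, so a
    // user never receives a form (and token) for somebody else's record.
    [HttpGet]
    [Authorize]
    public ActionResult Delete(long productId)
    {
        var product = _products.Get(productId);
        long userId = User.Identity.GetUserId<long>();

        if (product == null || product.Creator != userId)
        {
            // Same response for "does not exist" and "not yours", so
            // probing ids does not reveal which ones are real.
            return HttpNotFound();
        }
        return View(product);
    }

    // [Authorize] proves the caller is logged in and the anti-forgery token
    // proves the POST came from our own page; neither says anything about
    // which ProductId this user may delete. That check is done here.
    [HttpPost, ActionName("Delete")]
    [Authorize]
    [ValidateAntiForgeryToken]
    public ActionResult DeleteConfirmed(long productId)
    {
        long userId = User.Identity.GetUserId<long>();

        // Ownership is enforced inside the delete itself, so a changed
        // ProductId for another user's product simply affects zero rows.
        int affected = _products.DeleteOwnedBy(productId, userId);
        if (affected == 0)
        {
            return HttpNotFound();
        }
        return RedirectToAction("Index");
    }
}
```

If an administrator role is allowed to delete any product, branch on `User.IsInRole("Admin")` before calling `DeleteOwnedBy` and call an unscoped delete in that branch only; everywhere else the user id stays part of the query. Returning 404 rather than 403 for records that are not the caller's is a deliberate choice: a 403 confirms that the guessed id exists.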
