Preventing Cross-Site Request Forgery Attacks With a Windows Client Application


Question

I am developing with Web API 2.

My client application is a Windows application developed in C#, .NET 4.0. The client application sends some JSON data to the web API application, and the application stores the data in a database.

Now the issue is that the request can be sent with another method, other than my application, and dump data sent to the server. I have authentication on the server but it isn't enough; I need some tokens for handling this issue.

After some searches I found this article (http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-%28csrf%29-attacks) and read it, but the client there is a web application. Could I use this method in my Windows client app? How?

Recommended answer

Bottom line: you shouldn't need to.

By definition, CSRF attacks can only affect client applications that share cookies across domains. For example, if you visit www.bank.com with your browser and then open another tab to www.evil.com, and www.bank.com does not protect against CSRF, then www.evil.com may be able to POST a form submission to www.bank.com while you are logged in and transfer money by forging the request to the form's action URL on the transfer-money page.

If your client is a Windows application, the HTTP client should not have cookies stored for any service other than your web API.

Note that the above only applies when cookies are used as the session management mechanism (i.e. not Kerberos, NTLM, Basic Auth, etc.).

"I have authentication on the server but it isn't enough"

This should be enough, as an attacker cannot forge an HTTP request to your API that will be sent along with the victim's cookies: the cookies are separated because there are different instances of web clients. Much like being logged into Google on Chrome but then accessing Google on Firefox, you will not share the same logged-in session.

Of course, protect your API with HTTPS so the information is encrypted whilst in transit. Note that this does not protect against decompilation of your source code, which is something that is not easy to prevent. At the end of the day you cannot trust clients that are not under your control. You can make it difficult, but not impossible, for someone to work out or change what is being sent to your API.
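The answer's point is that a native client carries no ambient browser state: it owns its own cookie jar, and nothing another site does in the user's browser can reach into it. The following C# client illustrates that property; it is an added example, not code from the question or the answer. It assumes a hypothetical API host (api.example.com), a hypothetical endpoint path (api/readings), and a bearer token obtained out of band (placeholder value). HttpClient ships with .NET 4.5; on .NET 4.0 it is assumed to come from the Microsoft.Net.Http NuGet package.

```csharp
// Added example, not from the original question or answer.
// Assumes: a hypothetical API at https://api.example.com that accepts a
// bearer token in the Authorization header; the token value and the
// endpoint path are placeholders. On .NET 4.0, HttpClient is assumed to
// come from the Microsoft.Net.Http NuGet package.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

public static class ApiClient
{
    // One cookie jar owned by this process and never shared with a browser.
    // A forged request from www.evil.com in the user's browser cannot read
    // or attach anything in it, which is why the CSRF scenario from the
    // answer does not apply to a native client.
    private static readonly CookieContainer Cookies = new CookieContainer();

    private static readonly HttpClient Client = CreateClient();

    private static HttpClient CreateClient()
    {
        var handler = new HttpClientHandler
        {
            // Keep cookies isolated to this container. A fresh handler gets
            // its own container anyway; setting it explicitly documents intent.
            UseCookies = true,
            CookieContainer = Cookies,
            // Do not attach the logged-on Windows user's credentials
            // automatically (NTLM/Kerberos); authenticate explicitly instead.
            UseDefaultCredentials = false,
        };
        var client = new HttpClient(handler)
        {
            BaseAddress = new Uri("https://api.example.com/") // placeholder host
        };
        client.DefaultRequestHeaders.Accept.Add(
            new MediaTypeWithQualityHeaderValue("application/json"));
        return client;
    }

    // Sends JSON with the credential carried in a request header rather than
    // a cookie. A cross-site form post from a browser carries only ambient
    // credentials (cookies, cached HTTP-auth credentials); a bearer token held
    // only by this process is never sent by anyone else.
    public static HttpResponseMessage PostJson(string path, string json, string bearerToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, path)
        {
            Content = new StringContent(json, Encoding.UTF8, "application/json")
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
        // .Result keeps the sample synchronous for a .NET 4.0 WinForms client.
        return Client.SendAsync(request).Result;
    }

    public static void Main()
    {
        // Constructed sample payload; the endpoint path is hypothetical.
        const string payload = "{\"sensor\":\"line-3\",\"reading\":42}";
        HttpResponseMessage response = PostJson("api/readings", payload, "TOKEN-PLACEHOLDER");
        Console.WriteLine("HTTP " + (int)response.StatusCode);

        // Defender's sanity check: the only cookies this process holds are the
        // ones the API itself set. There is no www.bank.com or www.evil.com
        // state here to be abused.
        Console.WriteLine("Cookies held for the API origin: " +
                          Cookies.GetCookies(Client.BaseAddress).Count);
    }
}
```

The design choice worth noting is that authentication travels in an Authorization header the client sets on every request, so the server can reject any request that lacks it without needing a separate anti-forgery token. The answer's closing caveat still stands: this protects against forged requests riding on a victim's session, not against someone who decompiles the client and sends their own requests with a token they legitimately hold.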
