有什么用防伪标记盐？ [英] what is the use of anti-forgery token salt?

问题描述

在ASP.NET MVC 1.0，有处理跨站请求伪造安全问题的新特点：

In ASP.NET MVC 1.0, there is a new feature for handling cross site request forgery security problem:

 <%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
    // ... etc
}

我发现在HTML表单生成的标记不断变化的每一种新的形式呈现的时间。

I found the token generated in html form keep changing every time a new form is rendered.

我想知道是如何产生这些令牌？并使用一些软件来扫描该网站的时候，它会报告另一个安全问题：会话固定。为什么？由于令牌不断改变，怎么能这个问题来了？

I want to know how these token is generated? And when use some software to scan this site, it will report another security problem: Session fixed. Why? Since the token keep changed, how can this problem come ?

和还有另外一个功能，那就是盐为 antiForgeryToken ，但我真的知道这是什么用途，甚至通过我们没有使用盐生成的令牌，意志令牌时刻都在变化，那么，为什么有这样的功能？

And there is another function, that is "salt" for the antiForgeryToken, but I really know what this used for, even through we don't use "salt" to generate the token, the token will changes all the time, so why have such function?

推荐答案

在这里AntiForgeryToken信息的地段：<一href=\"http://blog.$c$cville.net/2008/09/01/$p$pvent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/\">http://blog.$c$cville.net/2008/09/01/$p$pvent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

这是prevent一个跨站请求伪造（CSRF）。这是pretty标准的行为，点击保存请提交一个表单，并在服务器上执行一些操作，即节省了用户的详细信息。你怎么知道用户提交表单是，他们声称是用户？在大多数情况下，你会使用一些饼干或基于Windows的身份验证。

This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save' sumbit a form and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or windows based auth.

如果攻击者引诱你到提交同样的形式在一个小的隐藏的IFRAME一个网站？你的cookies得到提交完整，服务器不看到一个合法的请求的请求任何不同。 （例如Gmail发现：<一href=\"http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/\">http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)

该防伪标记prevents这种方式的攻击通过创建令牌每次生成页面额外的cookie。令牌是无论在形式和饼干，如果窗体和饼干不匹配，我们有一个跨站请求伪造攻击（如，攻击者不能够读取利用上述攻击的防伪标记）。

The anti-forgery token prevents this form of attack by creating a additional cookie token everytime a page is generated. The token is both in the form and the cookie, if the form and cookie don't match we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).

和哪些呢盐做的，从上面的文章：

And what does the salt do, from the article above:

盐是任意的字符串。不同的盐值意味着不同的防伪标记将会产生。这意味着，即使攻击者设法获得有效令牌持有不知何故，他们无法在需要不同的盐值的应用程序的其他部分重用。

Salt is just an arbitrary string. A different salt value means a different anti-forgery token will be generated. This means that even if an attacker manages to get hold of a valid token somehow, they can’t reuse it in other parts of the application where a different salt value is required.

更新：如何是令牌生成的？下载<一个href=\"http://www.microsoft.com/downloads/details.aspx?FamilyID=53289097-73ce-43bf-b6a6-35e00103cb4b&displaylang=en#filelist\">source,并有一看AntiForgeryDataSerializer，AntiForgeryData类。

Update: How is the token generated? Download the source, and have a look at the AntiForgeryDataSerializer, AntiForgeryData classes.

这篇关于有什么用防伪标记盐？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！