Securing Ajax Requests in ASP.net via Authenticated Webforms


Problem description

I have already read Securing AJAX Requests via GUID and Securing an ajax request. Now let me explain my scenario; below is a code snippet that may aid in explaining the subject matter.

using System;
using System.Web;
using System.Web.Services;
using System.Web.Script.Services;

public partial class CreateTitlePage : System.Web.UI.Page
{
    [WebMethod(EnableSession = true)]
    [ScriptMethod]
    public static string CreateTitle(string strTitleName)
    {
        string strResult = "Custom jSon string";
        // Page methods are static, so Session and Server are reached through HttpContext.Current.
        HttpContext ctx = HttpContext.Current;
        if ((string)ctx.Session["Authorized"] == "True" && !String.IsNullOrEmpty(strTitleName))
        {
            String strTitle = ctx.Server.HtmlEncode(strTitleName);
            InsertRecordInDB(strTitle);
            strResult = "Custom jSOn string" + EncryptMD5("record id");
        }
        return strResult;
    }
}

And below is the JavaScript call that sends in the parameters. btnCreateTitle_click is the client-side click event of the button. txtTitle is the textbox accepting the title name. Validators are created on the page to validate the textbox too. CreateTitle is a page method I call using ScriptManager.

function btnCreateTitle_Click(evnt) {
    // Run the page's client-side validators before calling the server.
    if (Page.ClientValidate()) {
        if ($get("txtTitle")) {
            // ScriptManager-generated proxy: value, success callback, failure callback, user context.
            PageMethods.CreateTitle($get("txtTitle").value, success, failure, context);
        }
    }
}

The function success shows a growl message that the title was created and shows a link, with the encrypted record id as a query string on the URL, to view the details of the created title.

Now the pressing questions:

  1. Is this secure enough? What am I missing?
  2. How can I make the process more secure and faster?

Recommended answer

While it is trivial to restrict any method to authenticated and authorised users, when you expose db ids in query strings you do open the possibility that an authenticated and authorised user may seek to access records that they ought not. This is particularly so when the db ids are integers or some other easily guessed identifier. Using Guids as db ids may mitigate the risk of this, though not absolutely.

What you always need to remember is DO NOT TRUST INPUT. Security through obscurity (i.e. encryption etc.) is not a reliable technique. Your service should always verify that the current user is allowed to retrieve the records they have requested. Sometimes this is known as row-level security. This can only be done programmatically.

E.g. instead of only determining that someone is authorised to view a record, you need to verify that they in fact have rights to access the record they are requesting.

This means you need some way of relating records to an authenticated user.

BTW: any HTTP request is validated for potentially dangerous input.

Hope this helps,
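The row-level check the answer describes, written out as an added C# example; this is not code from the question or the answer. The record type, the OwnerUserName column that ties a record to the user who created it, the in-memory dictionary standing in for the database, and the GetTitleDetails page method name are all assumptions made for the example. The method treats the id from the query string as untrusted input, authenticates against the forms-auth principal rather than a string in Session, and returns the same "not found" answer whether the record is missing or belongs to someone else.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Services;
using System.Web.Script.Serialization;
using System.Web.Script.Services;

public partial class TitleDetailsPage : System.Web.UI.Page
{
    // Constructed stand-in for the database row; in the real page this is a table.
    private sealed class TitleRecord
    {
        public Guid Id;
        public string OwnerUserName;   // hypothetical column relating the record to its creator
        public string Title;
    }

    // Constructed in-memory store replacing the real database for this example.
    private static readonly Dictionary<Guid, TitleRecord> Titles = new Dictionary<Guid, TitleRecord>();

    // Called when a title is created: persist who created it alongside the record.
    private static TitleRecord InsertTitle(string ownerUserName, string title)
    {
        var rec = new TitleRecord { Id = Guid.NewGuid(), OwnerUserName = ownerUserName, Title = title };
        Titles[rec.Id] = rec;
        return rec;
    }

    // Pure ownership test, kept separate so it can be unit-tested without an HttpContext.
    private static bool IsOwner(TitleRecord rec, string currentUserName)
    {
        return rec != null
            && !string.IsNullOrEmpty(currentUserName)
            && string.Equals(rec.OwnerUserName, currentUserName, StringComparison.OrdinalIgnoreCase);
    }

    // Page method behind the "view details" link. recordId arrives from the client and is untrusted.
    [WebMethod(EnableSession = true)]
    [ScriptMethod(UseHttpGet = false)]
    public static string GetTitleDetails(string recordId)
    {
        HttpContext ctx = HttpContext.Current;
        var json = new JavaScriptSerializer();

        // 1. Authentication: use the principal established by forms authentication.
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            return json.Serialize(new { error = "not authenticated" });

        // 2. Input validation: the id must be a well-formed Guid before it touches any lookup.
        Guid id;
        if (!Guid.TryParse(recordId, out id))
            return json.Serialize(new { error = "invalid id" });

        // 3. Row-level authorisation: the record must exist and belong to the caller.
        TitleRecord rec;
        Titles.TryGetValue(id, out rec);
        if (!IsOwner(rec, ctx.User.Identity.Name))
        {
            // Identical response for "missing" and "not yours" so ids cannot be probed.
            return json.Serialize(new { error = "not found" });
        }

        return json.Serialize(new { id = rec.Id, title = rec.Title });
    }
}
```

Encrypting or hashing the id in the link changes nothing about this check: whatever token the client presents is mapped back to a record, and the ownership comparison is what decides whether the caller may see it.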
