MVC3 URL parameters - avoiding malicious attacks/security flaws

Question

When navigating to a new webpage, is there a "Best Practice" for passing Ids around.

For example, a person registers to use a website, they get given an Id, this needs to be passed around the rest of the website/pages where it is used to retrieve relevant data from a database.

If the Id is passed in the url: http://myWebsite.com/User/Details/1234, the user could change it to http://myWebsite.com/User/Details/4567 and potentially retrieve a different user's details.

Putting this value in a hidden field and then POSTing wouldn't be great either as "view source" would display the value.

Many thanks

Accepted answer

That's why you should always verify that this id belongs to the currently authenticated user. The currently authenticated user is stored in the forms authentication cookie and is something that the user cannot change because the value is encrypted. This cookie is emitted when the user logs in and you can access it everywhere you have an instance of HttpContextBase (which is pretty much almost anywhere in the V and C parts of the MVC pattern).

For example, something like this:

[Authorize]
public ActionResult Foo(int id)
{
    // inside a Controller the current request is exposed through the
    // HttpContext property (an HttpContextBase instance)
    string currentUser = HttpContext.User.Identity.Name;
    // TODO: go ahead and check in your backend that the id
    // belongs to the currently connected user
    ...
}

Obviously writing those checks over and over again in all controller actions could quickly become boring, not to mention the DRYness of the approach. That's why it is recommended to write a custom Authorize attribute which will perform those checks before even entering into the controller action. Then you will decorate your controller actions with this custom attribute and you will know for sure that if the code has reached inside the action it means that the current user is the owner of the id passed as parameter. The way this id is passed as parameter doesn't really matter. It could be route data, query string, POST, whatever. The user can modify it as much as he likes. The important part is that you ensure that the value he entered is coherent with your domain authorization logic.

So:

using System;
using System.Web;
using System.Web.Mvc;

public class AuthorizeOwnerAttribute : AuthorizeAttribute
{
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var authorized = base.AuthorizeCore(httpContext);
        if (!authorized)
        {
            // the user is either not authenticated or not authorized
            // no need to continue any further
            return false;
        }

        // at this stage we know that the user is authenticated and
        // authorized (in roles), so let's go ahead and see who this
        // user is
        string username = httpContext.User.Identity.Name;

        // now let's read the id. In this example I fetch it from
        // the route data but you could adapt according to your needs.
        // Route values are objects (a string when they come from the URL,
        // but possibly another type when set programmatically), so convert
        // explicitly instead of using "as string", which would silently
        // yield null for a non-string value.
        object idValue = httpContext.Request.RequestContext.RouteData.Values["id"];
        string id = idValue == null ? null : idValue.ToString();

        // Now that we know the user and the id let's go ahead and
        // check in our backend if the user is really the owner
        // of this id:
        return IsOwner(username, id);
    }

    private bool IsOwner(string username, string id)
    {
        // go ahead and hit the backend
        throw new NotImplementedException();
    }
}

And then:

[AuthorizeOwner]
public ActionResult Foo(int id)
{
    ...
}
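
The attribute below is an added, more complete variant of the answer's idea and is not part of the original post: it reads the id from wherever MVC would bind it (route data, query string or form body, as the answer says the source "doesn't really matter"), rejects a malformed id instead of guessing, and answers an authenticated non-owner with 403 rather than the login redirect that an unauthenticated request gets. The IOwnershipStore interface and the StoreFactory hook are hypothetical placeholders for the backend lookup the answer leaves as a TODO.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical backend lookup, assumed for this example only.
public interface IOwnershipStore
{
    bool IsOwner(string username, int id);
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class AuthorizeOwnerAttribute : AuthorizeAttribute
{
    // Name of the action parameter that carries the id (route, query string or form).
    public string IdParameter { get; set; }

    // Assumed to be wired at application start, e.g. to a repository; hypothetical.
    public static Func<IOwnershipStore> StoreFactory { get; set; }

    public AuthorizeOwnerAttribute() { IdParameter = "id"; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // Authentication (and any Roles/Users restriction) first; the identity comes
        // from the encrypted forms-auth cookie, not from anything the user typed.
        if (!base.AuthorizeCore(httpContext)) return false;

        // Read the id from the same places MVC model binding would: route data,
        // then query string, then form body. All of them are user-controlled.
        var request = httpContext.Request;
        object routeValue = request.RequestContext.RouteData.Values[IdParameter];
        string raw = routeValue != null
            ? routeValue.ToString()
            : (request.QueryString[IdParameter] ?? request.Form[IdParameter]);

        int id;
        if (!int.TryParse(raw, out id)) return false;   // malformed id: deny, don't guess

        // Ownership is decided by the backend, never by the value itself.
        return StoreFactory().IsOwner(httpContext.User.Identity.Name, id);
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // Authenticated but not the owner: 403 Forbidden. The base class answers 401,
        // which forms authentication turns into a redirect to the login page.
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(403);
        else
            base.HandleUnauthorizedRequest(filterContext);
    }
}
```

Decorating an action with [AuthorizeOwner(IdParameter = "userId")] applies the same check to an action whose parameter is not named "id".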
