ASP.NET MVC - CSRF on a GET request


Question

We have an ASP.NET MVC application. All the POST requests (form submits) have been protected from CSRF by using @Html.AntiForgeryToken and the ValidateAntiForgeryToken attribute. One of the action methods on a controller is a GET which returns a report to the user (a pdf file with data from the database). The signature is:

[AcceptVerbs(HttpVerbs.Get)]
public ActionResult GetReport()
{
    // get data from db and render it as a PDF
    // (BuildReportPdf is a placeholder for the report-building code not shown in the post;
    //  the original sketch returned GetReport() here, which would recurse forever)
    byte[] pdf = BuildReportPdf();
    return File(pdf, "application/pdf", "report.pdf");
}

Here are the steps I am following to test the CSRF against this operation:

  1. The user logs in to the application.
  2. Once logged in, the user opens the HTML file below and clicks the "Submit" button:
  3. The report is downloaded.

Question:

Can this be considered a CSRF attack?

If yes, how can it be mitigated? Since the action method is a GET request, how can I use MVC's CSRF approach (applying @Html.AntiForgeryToken and ValidateAntiForgeryToken on the action method)?

HTML file:

<html>
  <body>
    <form action="https://<baseurl>/Analysis/GetReport">
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Answer

In short, what you've just described is not an example of an XSRF attack...

Both CSRF and XSRF are used to describe what's called a Cross Site Request Forgery. It's where a malicious website takes advantage of your authenticated state on another website to perform fraudulent cross-site requests.

Imagine that you're authenticated on your bank's website, and that your bank's website contains a form to create new transactions, all pretty straightforward...

<!-- Your bank -->
<form action="/send_moneh" method="POST">
    <input type="text" name="amount" />
    <input type="text" name="accountNumber" />
    <input type="submit" value="Send Money" />
</form>

The Malicious website

Now let's think of the Malicious website you're also visiting, and imagine that it also contains a form, one that is hidden and the values of which are pre-populated...

<!-- Malicious website -->
<form action="http://yourbank.com/send_moneh" method="POST">
    <input type="hidden" name="amount" value="100.00"/>
    <input type="hidden" name="accountNumber" value="123456" />
</form>

When the form on the malicious website is submitted, an HTTP request will be sent straight from you to your bank, and because you're authenticated on your bank's website, the transaction could be accepted.

Essentially, an attacker is using your own authentication against you by forging requests and using you as the messenger to deliver that request.

You use an anti-forgery token: this token is a string containing a random value, and the token is placed in your cookies in addition to your HTML forms.

When you receive a request, you validate that the form contains an anti-forgery token and that it matches the one stored in your cookies. A malicious site cannot see the tokens your website sets on a client, and without this information, XSRF attacks are stopped in their tracks.

On your controller Action that will be handling the request, add the attribute [ValidateAntiForgeryToken], and in the HTML form add @Html.AntiForgeryToken().

using System.Web.Mvc;

public class ExampleController : Controller
{
    // Foo is the view model bound from the posted form fields
    [ValidateAntiForgeryToken]
    [HttpPost]
    public ActionResult Test(Foo fooModel)
    {
        // do your thing...
        return this.View();
    }
}


<form action="/Example/test" method="POST">
    @Html.AntiForgeryToken()
    <input type="text" name="bar" />
    <input type="submit" value="Submit" />
</form>

That's it!

Anti-Forgery Tokens don't make a lot of sense when performing GET requests; in fact, it doesn't make sense to have them anywhere that you're not modifying and persisting data, as any GET request will be returned to your user, not the attacker.

If you're Creating, Updating or Deleting data... make sure that you're using it then.
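As an added example (not code from the question or the answer above), the following shows one way to apply the answer's rule consistently in ASP.NET MVC: a hypothetical global filter that runs the same cookie-versus-form token check as [ValidateAntiForgeryToken] on every state-changing verb, while the read-only report GET stays token-free. It assumes ASP.NET MVC 4 or later with the System.Web.Helpers assembly referenced; the controller, action and BuildReportPdf names are placeholders.

```csharp
using System.Web.Helpers;   // AntiForgery.Validate() (shipped with ASP.NET MVC)
using System.Web.Mvc;

// Hypothetical global filter: enforces the anti-forgery check on every verb that
// may change state, so a Create/Update/Delete action cannot ship without it.
// GET/HEAD/OPTIONS are exempt because, as the answer explains, a forged GET only
// returns the response to the victim's own browser and changes nothing.
public sealed class ValidateAntiForgeryOnUnsafeVerbsAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        string method = filterContext.HttpContext.Request.HttpMethod;
        if (method == "GET" || method == "HEAD" || method == "OPTIONS")
            return;

        try
        {
            // Same check [ValidateAntiForgeryToken] performs: the
            // __RequestVerificationToken cookie must match the form field.
            AntiForgery.Validate();
        }
        catch (HttpAntiForgeryException)
        {
            // Fail closed with a 403 rather than an unhandled 500; a burst of
            // these in the logs is a useful signal of attempted cross-site posts.
            filterContext.Result = new HttpStatusCodeResult(403, "Anti-forgery token missing or invalid");
        }
    }
}

// Register once in Global.asax.cs, inside Application_Start():
//   GlobalFilters.Filters.Add(new ValidateAntiForgeryOnUnsafeVerbsAttribute());

public class AnalysisController : Controller
{
    // Read-only download: a GET with no side effects, so no token is required.
    [HttpGet]
    public ActionResult GetReport()
    {
        byte[] pdf = BuildReportPdf(); // placeholder for the "get data from db" step
        return File(pdf, "application/pdf", "report.pdf");
    }

    // State-changing action: the global filter validates the token; keeping the
    // explicit attribute as well costs nothing and documents the intent.
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult DeleteReport(int id)
    {
        // delete the report here, then redirect (post/redirect/get)
        return RedirectToAction("Index");
    }

    private byte[] BuildReportPdf() { return new byte[0]; } // stub for the example
}
```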
