Most effective method of protecting an entity ID when posting back from a view


Question

EDIT - Just a quick edit, to start this off with a clear question! What I'm essentially asking is, what is the most effective way of protecting my entity identifiers when posting back from a view?

I've been thinking about ways to protect the ID on a POST when editing a view model. Let's take an example entity:

public class Post
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
}

And its corresponding view model:

public class PostViewModel
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Content { get; set; }
}

Now, when I pass this view model to a view that allows a user to edit it, I'm going to be doing something like this:

public ActionResult EditPost(PostViewModel viewModel)
{
    Post post = database.Posts.Single(p => p.Id.Equals(viewModel.Id));
    post.Title = viewModel.Title;
    post.Content = viewModel.Content;
    database.Entry(post).State = System.Data.EntityState.Modified;
    database.SaveChanges();

    return View(viewModel);
}

Or maybe pass the ID through the parameter list like this:

public ActionResult EditPost(int postId, PostViewModel viewModel)
{
    Post post = database.Posts.Single(p => p.Id.Equals(postId));
    // and the rest
}

Either way, we need to return the identifier for the entity we're updating along with the POST data. How do we make sure that the entity updated is the one intended?

I suppose we could validate whether a user has sufficient access to update this entity... but what if a user's account becomes compromised, and some random hacker starts injecting random IDs using their account, updating all sorts of Posts at random?

Having a complex identifier (like a GUID) is likely recommended for entities, which would make guessing a lot harder, but then this makes your nice and friendly URLs look a bit intimidating to the average user, having to pass that around when viewing a Post for example.

How do we get the best of both worlds here? Keeping clean URLs, but protecting our entities from injection attacks?

Answer

This is a direct reference attack, and according to OWASP recommendations, you can either:


  • Obfuscate the ID by swapping it for a GUID, then keep the mapping in memory/session

  • Keep a reference to the item in session and make sure what comes back is the same

The way I tackle this is with an attribute. I haven't any code to hand, so you will need to do something like:

Decorate the GET action with the attribute
on GETs, the attribute clears the item list from session
pull the item from the db
store the item's id in session for that item

Decorate the POST action with the attribute
the attribute makes sure ModelState is valid first (saves double validating)
the attribute looks in session for the id
the attribute checks the id against the stored value
if the id matches, the action can continue
if the id doesn't match, an entry is made in ModelState

Using this sort of methodology, you can protect yourself against someone fiddling with your ids in tools like Burp Suite or using the console mode of a browser to flip the hidden fields.

Also, as a starter to this process, always ensure that your get item doesn't blindly get from the db, but first ensures that the person actually can get the item, i.e. it belongs to their datasets etc.
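The session-bound id check described in the answer, written out as an added ASP.NET MVC example (not the answerer's code); the attribute name, the "EditPostId" session key, the MyDbContext type and the Post.OwnerName column are assumptions:

```csharp
using System.Linq;
using System.Web.Mvc;

// Action filter: on GET it clears the session-held id; on POST it checks that
// the posted Id equals the id stored when the edit form was served.
public class OwnedEntityIdAttribute : ActionFilterAttribute
{
    public const string SessionKey = "EditPostId"; // assumed session key name

    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var http = ctx.HttpContext;
        if (http.Request.HttpMethod == "GET")
        {
            http.Session.Remove(SessionKey); // drop a stale id from an earlier edit
            return;
        }

        var modelState = ctx.Controller.ViewData.ModelState;
        if (!modelState.IsValid) return; // binding already failed; no double validation

        var stored = http.Session[SessionKey] as int?;
        int posted;
        bool ok = stored.HasValue
            && int.TryParse(http.Request.Form["Id"], out posted)
            && posted == stored.Value;
        if (!ok)
            modelState.AddModelError("Id", "Submitted id does not match the record being edited.");
    }
}

public class PostsController : Controller
{
    private readonly MyDbContext database = new MyDbContext(); // assumed EF context

    [OwnedEntityId]
    public ActionResult EditPost(int postId)
    {
        // Do not fetch blindly: restrict the lookup to the current user's own posts
        // (OwnerName is an assumed column on Post).
        Post post = database.Posts.SingleOrDefault(
            p => p.Id == postId && p.OwnerName == User.Identity.Name);
        if (post == null) return HttpNotFound();

        Session[OwnedEntityIdAttribute.SessionKey] = post.Id; // bind this edit to the session
        return View(new PostViewModel { Id = post.Id, Title = post.Title, Content = post.Content });
    }
}
```

The POST overload is the one from the question, decorated with [HttpPost, OwnedEntityId] and returning the view when ModelState.IsValid is false, so a tampered Id surfaces as a validation error instead of an update.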

