通过保护Web表单Autenticated在ASP.net Ajax的请求 [英] Securing Ajax Requests in ASP.net via Autenticated Webforms

问题描述

我已经读
通过GUID 保护AJAX请求
和
保护一个Ajax请求
。现在让我解释一下我的情况，下面将是code片段，可在标的物有助于解释

  [的WebMethod [EnableSession = TRUE]
[ScriptMethod]    公共静态字符串CreateTitle（字符串strTitleName）
    {
    字符串strResult =自定义JSON字符串;
    如果（会话[授权] ==真与功放;＆安培;！String.IsNullOrEmpty（strTitleName））
    {
         字符串strTitle = Server.HtmlEn code（strTitleName）;
         InsertRecordInDB（strTitle）;
         strResult =自定义JSON字符串+ EncryptMD5（记录ID）;
    }
           返回strResult;
    }
 

和下面是JavaScript调用中的参数发送。 btnCreateTitle_click是按钮客户端的单击事件。 txtTitle是文本框接受标题名称。验证器在页面上创建验证文本框too.CreateTitle是一个页面的方法调用我使用的ScriptManager

 函数btnCreateTitle_Click（EVNT）{
如果（Page.ClientValidate（））{
如果（$得到（txtTitle））{
PageMethods.CreateTitle（$获得（txtTitle）值，成功，失败，上下文）;
}}}
 

功能成功表明，标题被创造了咆哮消息，并展示了加密记录ID的URL的链接作为查询字符串，查看创建标题的详细信息。

现在的亟待解决的问题，

1. 这是足够安全？我失去了什么？


2. 我如何才能让这个过程更加安全和快捷？

解决方案

虽然这是微不足道的限制身份验证和授权的用户的任何方法，当你暴露分贝的id在查询字符串你打开的可能性，经过身份验证和授权的用户可以寻求他们奥特不访问记录。这尤其是当数据库ID是整数或其他容易猜到的标识符。使用的GUID作为数据库ID可以减轻这种风险，虽然不是绝对的。

什么，你总是需要记住的是不要相信输入。通过隐藏（即加密等），安全不是一个可靠的技术。您的服务应始终验证当前允许用户检索他们所要求的记录。有时这被称为行级安全性。此只能以编程完成。

例如，而不是唯一的决定，有人被授权查看记录，您需要验证他们在事实上访问他们所请求的记录权利。

这意味着你需要与记录认证用户的某种方式。

BTW：任何HTTP请求被确认为有潜在危险的输入

。

希望这有助于

I already read Securing AJAX Requests via GUID and Securing an ajax request . Now let me explain my scenario, below would be code snippet that may aid at explaining in the subject matter.

[WebMethod[EnableSession = True]
[ScriptMethod]

    public static string CreateTitle(string strTitleName)
    {
    string strResult = "Custom jSon string";
    if(Session["Authorized"] == "True" && !String.IsNullOrEmpty(strTitleName))
    {
         String strTitle = Server.HtmlEncode(strTitleName);
         InsertRecordInDB(strTitle);
         strResult = "Custom jSOn string" + EncryptMD5("record id");
    }
           return strResult;
    }

and below is the javascript call to send in the parameters. btnCreateTitle_click is the click event of the button client side. txtTitle is the textbox accepting the title name. Validators are created on the page to validate the textbox too.CreateTitle is a page method i call using scriptmanager

function btnCreateTitle_Click(evnt){
if(Page.ClientValidate()){
if($get("txtTitle")){
PageMethods.CreateTitle($get("txtTitle").value,success,failure,context);
}}}

the function success shows a growl message that title was created and shows a link with encrypted record id as query string to the url to view the details of created title.

Now the burning question,

1. IS this secure enough? What am i missing?
2. How could i make the process more secure and faster?

解决方案

While it is trivial to restrict any method to authenticated and authorised users, when you expose db id's in query strings you do open the possibility that an authenticated and authorised user may seek to access records that they aught not. This is particularly so when the db id's are integers or some other easily guessed identifier. Using Guids as db ids may mitigate the risk of this, though not absolutely.

What you always need to remember is DO NOT TRUST INPUT. Security through obscurity (ie encryption etc) is not a reliable technique. Your service should always verify the the current user is allowed to retrieve the records they have requested. Sometimes this is known as row level security. This can only be done programmatically.

eg instead of only determining that someone is authorised to view a record, you need to verify that they have rights in fact to access the record they are requesting.

This means you need some way of relating records to an authenticated user.

BTW: any HTTP request is validated for potentially dangerous input.

Hope this helps,

这篇关于通过保护Web表单Autenticated在ASP.net Ajax的请求的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！