Prevent Cross-Site Request Forgery


Question

I understand Cross-Site Request Forgery and have found numerous blogs and articles on the web about handling it in asp.net mvc (e.g. http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-%28csrf%29-attacks), but I have not found decent links or helpful solutions for dealing with CSRF attacks in asp.net web applications. I have run a security tool on my website, and it is reporting cross-site request forgery and showing the risk:

    It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

My question is: how do I deal with CSRF attacks in ASP.NET web applications?

Answer

The ViewState mechanism can be used to prevent CSRF in Web Forms applications (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Viewstate_.28ASP.NET.29):

    ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. ViewState can be used as a CSRF defense, as it is difficult for an attacker to forge a valid ViewState. It is not impossible to forge a valid ViewState, since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each ViewState unique, and thus immune to CSRF.

Also, regarding your other question on CSRF:

    It is possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

A CSRF attack usually doesn't allow an attacker to view anything, only to make requests on behalf of the logged-in user. However, if there were a change-password option that doesn't require the current password to be submitted, the attacker might be able to call this function using the victim's session, and then later log in directly as the victim user.
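The following is an added example of what the answer describes, not code from the original answer or from any project: a Web Forms page that ties its ViewState to the current session via the built-in `Page.ViewStateUserKey`, plus a change-password handler that insists on the current password. It assumes a System.Web (Web Forms) application with session state and ASP.NET Membership configured; the page name and the control IDs (`txtCurrent`, `txtNew`, `lblStatus`, `btnChange`) are hypothetical.

```csharp
using System;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example, not code from the original answer. Page name and control IDs
// (txtCurrent, txtNew, lblStatus, btnChange) are hypothetical; assumes a
// System.Web (Web Forms) app with session state and Membership configured.
public partial class ChangePassword : Page
{
    // ViewStateUserKey must be assigned before ViewState is loaded, so it goes
    // in Page_Init (assigning it in Page_Load is too late and throws).
    protected void Page_Init(object sender, EventArgs e)
    {
        // Caveat: ASP.NET hands out a fresh SessionID on every request until
        // something is stored in session. If the ID were used before the
        // session is pinned, the key would change per request and every
        // postback would fail. Store a marker first so the ID sticks.
        if (Session["__pin"] == null)
        {
            Session["__pin"] = true;
        }

        // Mixing the session ID into the ViewState MAC makes every ViewState
        // session-specific: a ViewState copied from or forged for another
        // session fails MAC validation and the postback is rejected with a
        // ViewStateException before any event handler runs. This relies on
        // enableViewStateMac staying true (the default; it can no longer be
        // disabled from ASP.NET 4.5.2 onward).
        ViewStateUserKey = Session.SessionID;
    }

    // Wired from markup with OnClick="btnChange_Click" (hypothetical page).
    protected void btnChange_Click(object sender, EventArgs e)
    {
        // Defence in depth for the second point in the answer: require the
        // current password, which a CSRF attacker riding the victim's session
        // does not have, so even a forged postback cannot take over the account.
        MembershipUser user = Membership.GetUser();
        if (user == null || !user.ChangePassword(txtCurrent.Text, txtNew.Text))
        {
            lblStatus.Text = "Password change failed.";
            return;
        }
        lblStatus.Text = "Password changed.";
    }
}
```

Note that `ViewStateUserKey` only protects postbacks that carry a ViewState: a GET request, an `.ashx` handler, or a Web API endpoint that changes state gets no protection from it and needs its own anti-forgery token; the session-ID check also depends on `enableViewStateMac` not being switched off in web.config.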
