ASP.NET MVC - 确实AntiForgeryToken prevent更改提交的表单值用户? [英] ASP.NET MVC - does AntiForgeryToken prevent the user from changing posted form values?
问题描述
据我了解,在ASP.NET MVC的AntiForgeryToken功能执行prevent跨站攻击。
I understand that the AntiForgeryToken feature in ASP.NET MVC does prevent cross-site attacks.
然而,不是prevent从POST之前,改变表单值?
However, does it prevent from changing form values before POST?
例如,恶意攻击者可能会发现,在评价页面总是包含一个隐藏字段contaning额定实体ID,并创建POST请求人为打分他所有的实体高。
For example, a malicious attacker may find out that the rating page always contains a hidden field contaning the rated entity ID and create POST requests to artificially rate all his own entities high.
什么是preferred方法,以确保一个GET和POST一间表单值没有改变?
What is the preferred way to ensure that the form values between a GET and a POST have not been changed?
推荐答案
AntiForgeryToken prevents一个恶意网站,欺骗用户到看起来像原来一样的格式,并张贴到原始网站。它并不prevent你所描述的情况。下面是攻击者可能为了规避令牌进行:
AntiForgeryToken prevents a malicious site to trick a user to a form that looks the same as the original and post it to the original site. It does not prevent the scenario you are describing. Here's how an attacker could proceed in order to circumvent the token:
- 黑客发送GET请求的形式。
- 他读了AntiForgeryToken产生的cookie的值
- 他POST到URL通过发送cookie,它具有相同的值的cookie和修改后的实体ID的RequestVerificationToken隐藏字段处理表单操作。
正如你所看到的,唯一的区别为,如果你还没有使用AntiForgeryToken的是,黑客需要发送一个额外的GET请求来读取标记的值。
As you can see the only difference to as if you haven't used AntiForgeryToken is that the hacker needs to send an additional GET request to read the value of the token.
有绝对没有办法prevent从修改多验证谁提交表单的用户(我想,为了投票用户进行身份验证)以外的隐藏字段的值,攻击者是不他是投票的实体ID的所有者。
There's absolutely no way to prevent an attacker from modifying the value of a hidden field other than verifying that the user who submitted the form (I suppose that in order to vote the user has to be authenticated) is not the owner of the entity ID he is voting for.
这篇关于ASP.NET MVC - 确实AntiForgeryToken prevent更改提交的表单值用户?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
