ASP.NET MVC3 AntiForgeryToken


Question

Here I have a simple MVC3 application with two form posts. To protect against CSRF attacks, I have used the AntiForgeryToken HTML helpers in both forms as per the guidance here: http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

Here are my two models:

public class User
{
    public string FirstName { get; set; }
    public string LastName { get; set; }
}


public class Employee
{
    public int Id { get; set; }
    public string Name { get; set; }
}

Here is my homeController.cs:

public class HomeController : Controller
{
    public ActionResult Index()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Index(User user)
    {
        if (ModelState.IsValid)
            return RedirectToAction("About");

        return View();
    }

    public ActionResult About()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult About(Employee employee)
    {
        if (ModelState.IsValid)
            return RedirectToAction("PageA");

        return View();
    }
}

Here is my Index.cshtml:

@model MvcAntiforgeryToken.Models.User

@using (Html.BeginForm()) {

@Html.AntiForgeryToken()
<div>
    <fieldset>
        <legend>User Information</legend>

        <div class="editor-label">
            @Html.LabelFor(m => m.FirstName)
        </div>
        <div class="editor-field">
            @Html.TextBoxFor(m => m.FirstName)
            @Html.ValidationMessageFor(m => m.FirstName)
        </div>

        <div class="editor-label">
            @Html.LabelFor(m => m.LastName)
        </div>
        <div class="editor-field">
            @Html.PasswordFor(m => m.LastName)
            @Html.ValidationMessageFor(m => m.LastName)
        </div>
        <p>
            <input type="submit" value="Save" />
        </p>
    </fieldset>
</div>

}

Here is my About.cshtml:

@model MvcAntiforgeryToken.Models.Employee

@using (Html.BeginForm()) {

@Html.AntiForgeryToken()
<div>
    <fieldset>
        <legend>Employee Information</legend>

        <div class="editor-label">
            @Html.LabelFor(m => m.Id)
        </div>
        <div class="editor-field">
            @Html.TextBoxFor(m => m.Id)
            @Html.ValidationMessageFor(m => m.Id)
        </div>

        <div class="editor-label">
            @Html.LabelFor(m => m.Name)
        </div>
        <div class="editor-field">
            @Html.PasswordFor(m => m.Name)
            @Html.ValidationMessageFor(m => m.Name)
        </div>
        <p>
            <input type="submit" value="Save" />
        </p>
    </fieldset>
</div>

}

Home/Index post:

When the user visits Home/Index, the application creates a "RequestVerificationToken_Lw" cookie with the value "pG2/E00Q2DngYxs98f92x9qqrIvrh6zCT/+GGte67NFZLazKFlz++QqMSHpkZ08Qum9vsBCtq7O7MSzCawJkEa2/hdjrWoAcHlDWxxYRWKXm+OxPbqlRs609zam4fK7hReGEX3zf8YR4ltH3oYf4AZgt2mZV31ihRGShiZ7Oy9k="

and the following hidden form input:

<input name="__RequestVerificationToken" type="hidden" value="B1KKzYEFEdINnuhy53MqqxHCHELPUd5pX3vRqYWz1+pkhBA6YGFvSVtXgSURkAn3yNwee3nrqDCMXB8MB0SWiUU3GuHnhH7+Qc1IQebJHoFJZR2CPXNOmUzINXbBWKZz+35pQQQXdiKptR3raLSoElfQi18ZC4Pr7xNREGIOM2A=" /> 

Home/About post:

When the user visits Home/About, the application creates a "RequestVerificationToken_Lw" cookie with the value "pG2/E00Q2DngYxs98f92x9qqrIvrh6zCT/+GGte67NFZLazKFlz++QqMSHpkZ08Qum9vsBCtq7O7MSzCawJkEa2/hdjrWoAcHlDWxxYRWKXm+OxPbqlRs609zam4fK7hReGEX3zf8YR4ltH3oYf4AZgt2mZV31ihRGShiZ7Oy9k="

and the following hidden form input:

<input name="__RequestVerificationToken" type="hidden" value="UOCMATdy93A0230aBmRPv5F0xpJlI2urE5sJ4nxsTSWrsi9/xM5qhrxQ4I2vWIjvVrhkW8gSgmGFp7c4XPQUQG5myMGipTAr2/mi5od+Sz6IcfrF2FxwjfWMslt96BcMG6b9BjaGbgnClQOVTkjfHEMIptOYUCTSbVK61dWp5qI=" /> 

Here are my questions:

  1. Why is the "RequestVerificationToken_Lw" cookie value the same in both forms? Shouldn't it be recreated for every form post?

  2. Why are the "RequestVerificationToken_Lw" cookie value and the "__RequestVerificationToken" hidden input value different?

Thanks a lot for your reply!

Accepted answer

The idea of the CSRF attack vector is this: I put up a malevolent form on my website https://fake-domain-that-looks-like-a-bank.com. I took the HTML and CSS from your site, so it looks exactly the same. I have a valid cert and all the logo bells and whistles. Now I trick users into visiting my site.

The user sees the usual form and does something. However, I replaced some of the inputs so they go nowhere, and I added some hidden fields so I control what the user does (involuntarily), like replacing 'op=modify' with 'op=delete'. All his actions are backed by his (valid) auth cookie.

Now the anti-forgery token protects the user because, as the attacker, I can't add a valid hidden field that matches his cookie to my form. If I could read his cookies somehow, I could simply steal the auth token, which would be a lot easier.

In MVC, the anti-forgery token is bound to the logged-on user's name. If you're using FormsAuthentication and change the structure of user names, all users with existing cookies will run into trouble. As a side note: a common problem is that users who maintain two accounts run into AntiForgeryTokenExceptions; you might want to handle that if it is a valid usage scenario.

Why the cookie doesn't change

If the cookie value changed with every request, multi-tab browsing would be a problem.

Why the cookie and the form have different values

MVC's cookies have internal structure, so their serialized versions look different. The actual security token inside should be identical. The serializer stores different information, depending on what information is present (user identity name, etc.). There is also a version byte, an indicator of whether this is a session cookie, etc.

Related details

If you want to know more, I recommend you clone the source via http://aspnetwebstack.codeplex.com/ and look at System.Web.WebPages\Helpers\AntiXsrf\TokenValidator.cs, among other files. It's quite helpful to have the source around in any case.
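The scheme the answer describes, as an added example in Python (not the MVC source and not the asker's project): one session-level cookie token reused across forms, a hidden-field token that wraps the same inner token together with the user name and is HMAC-protected, and the server-side check that a POST must pass. The key, the field names and the nonce are constructed for the demo; MVC's real serialization format differs.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo secret; in ASP.NET the machineKey plays this role (assumption, not MVC's code).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"
TAG_LEN = hashlib.sha256().digest_size


def issue_cookie_token() -> str:
    """Session-level cookie token: random, but not rotated per form, so open tabs keep working."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def issue_form_token(cookie_token: str, username: str) -> str:
    """Hidden-field token: the same inner token as the cookie, plus the user name, a version
    marker and a nonce (so each rendered form looks different), all protected by an HMAC."""
    payload = json.dumps({
        "v": 1,                         # stand-in for the version byte
        "token": cookie_token,          # the inner security token, identical to the cookie's
        "user": username,               # binds the token to the logged-on user's name
        "nonce": secrets.token_hex(4),  # makes the serialized form token differ per render
    }).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + tag).decode()


def _unwrap(form_token: str):
    """Return the form token's payload dict if its MAC verifies, else None (tampered or garbage)."""
    try:
        raw = base64.b64decode(form_token, validate=True)
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()):
        return None
    return json.loads(payload)


def inner_token(form_token: str):
    # The inner token shared by every form token minted for the same cookie (None if invalid).
    data = _unwrap(form_token)
    return data["token"] if data else None


def validate(cookie_token: str, form_token: str, current_user: str) -> bool:
    """What [ValidateAntiForgeryToken] conceptually checks on a POST (simplified model)."""
    data = _unwrap(form_token)
    if data is None:
        return False
    # A third-party page cannot read the victim's cookie, so it cannot supply a matching inner
    # token; a token minted under another account name (the two-accounts case) also fails.
    return hmac.compare_digest(data["token"], cookie_token) and data["user"] == current_user
```

Rendering Index and About with the same cookie yields two different-looking form tokens that both carry the same inner token and both validate; a token from a different cookie or a different user name does not.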

