Preventing URL manipulation attacks with MVC?
Question
Any good strategies, code snippets etc. for preventing URL manipulation?
For example I have this URL, http://localhost/profile/edit/5
The id could easily be changed to anything, and thus people could edit profiles they are not supposed to.
Here are a few ideas I thought of, but they all have their drawbacks:
1. Change my system to use GUID primary keys - makes it almost impossible to guess the keys - but people can still take the GUID from one part of the app and use it in another URL later.
2. Use TempData to store the keys - prevents URLs being sent around/used later.
3. Perform checks in the controller before displaying the page - means you have to do 'adminy' code everywhere to check operations.
What's the best thing to do? One of these or something else?
Answer
Number 3 is the correct thing to do. Server-side security validation is always what you need, because this is the mechanism that you completely control and can rely on.
Number 1 is security by obscurity, and if someone accidentally posts his URL somewhere (like people often do with session IDs when they copy/paste links), your "security" is broken.
Number 2 seems like weak security - if you go through the hassle, better implement proper security. That also allows people to bookmark the page.
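One way to implement the "Number 3" check the answer recommends, as an added example that is not part of the original question or answer. It targets ASP.NET Core MVC; the Profile type, IProfileRepository, the OwnerUserId field and the "Admin" role are assumptions for illustration. The point is that the id in the URL only names the object; who is allowed to touch it is decided from the authenticated principal on the server, on the GET and on the POST:

```csharp
// Added example, not code from the original page. Profile, IProfileRepository,
// OwnerUserId and the "Admin" role are assumptions made for illustration.
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class Profile
{
    public int Id { get; set; }
    public string OwnerUserId { get; set; } = "";   // assumed: user id of the owner
    public string DisplayName { get; set; } = "";
}

public interface IProfileRepository
{
    Task<Profile?> FindAsync(int id);
    Task SaveAsync(Profile profile);
}

[Authorize] // authentication only; which profile may be edited is decided per request below
public class ProfileController : Controller
{
    private readonly IProfileRepository _repo;
    public ProfileController(IProfileRepository repo) => _repo = repo;

    // VULNERABLE shape (kept as a comment): trusts the id from the URL, so any
    // logged-in user can open /profile/edit/5 and edit someone else's profile.
    // public async Task<IActionResult> EditInsecure(int id) =>
    //     View("Edit", await _repo.FindAsync(id));

    // Hardened GET: load the object, then check ownership against the principal.
    [HttpGet("profile/edit/{id:int}")]
    public async Task<IActionResult> Edit(int id)
    {
        var profile = await _repo.FindAsync(id);
        if (profile is null) return NotFound();
        if (!CanEdit(profile)) return Forbid();  // return NotFound() instead if you
                                                 // prefer not to confirm the id exists
        return View(profile);
    }

    // Hardened POST: the same check again. Never rely on the GET having passed;
    // the attacker can craft the POST directly without ever loading the form.
    [HttpPost("profile/edit/{id:int}")]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Edit(int id, [Bind("DisplayName")] Profile input)
    {
        var profile = await _repo.FindAsync(id);  // reload from the server-side store
        if (profile is null) return NotFound();
        if (!CanEdit(profile)) return Forbid();
        profile.DisplayName = input.DisplayName;  // copy only fields the user may change
        await _repo.SaveAsync(profile);
        return RedirectToAction(nameof(Edit), new { id });
    }

    // The ownership rule lives in one place, so the "adminy code everywhere"
    // concern from the question becomes a one-line call per action.
    private bool CanEdit(Profile profile)
    {
        var userId = User.FindFirstValue(ClaimTypes.NameIdentifier);
        return userId is not null
            && (profile.OwnerUserId == userId || User.IsInRole("Admin"));
    }
}
```

The identity comes from the authenticated session (the NameIdentifier claim), never from the URL or the posted form, so changing `5` to `6` only changes which object is looked up, not whose rights apply. If the same rule is needed in many controllers, the `CanEdit` logic can be moved into an ASP.NET Core resource-based authorization handler and invoked through `IAuthorizationService`, which keeps the per-action code down to the single check shown here.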