一个安全的实现Page.IsPostBack的? [英] A secure implementation of Page.IsPostBack?
问题描述
随着我的前面的问题为ASP.net的默认Page.IsPostBack执行是否安全(它不是,它可以伪造...的HTTP动词甚至没有进行后!),我在想;当然必须有实现它一个更好的办法?我们可以拿出,当它是真实的,几乎可以保证,表明该页面是一个实际ASP.net回发一个Page.IsPostBack实现?这是重要的,如果一个人想这样做安全检查一次(像一些内容是否会出现,根据用户的角色(S)),并希望这样做只是,如果我们不处理的ASP.net回传
Following my previous question as to whether ASP.net's default Page.IsPostBack implementation is secure (it's not; it can be faked... the HTTP verb doesn't even have to be POST!), I was thinking; surely there must be a better way to implement it? Can we come up with a Page.IsPostBack implementation which, when it is true, is almost guaranteed to indicate that the page is an actual ASP.net postback? This is important if one wants to do security checking only once (like whether some content is going to appear, based on the user's role(s)), and wants to do it only if we're NOT dealing with an ASP.net postback.
我的第一个想法是如何做到这一点的实现在属性检查代码,这样我就可以这样写在的Page_Load :
My first thoughts as to how to do this are to implement the checking code in a property, so I can write something like this inside Page_Load:
if (!_isPostBack)
{
// Do security check
if (userIsNotAuthorized)
{
btnViewReports.Visible = false;
btnEditDetails.Visible = false;
// etc.
}
}
有没有的方式来实现安全 _isPostBack ?也许存储在ViewState的东西,就很难或不可能杰里 - 钻机假回发?一个随机字符串
Is there a way to securely implement _isPostBack? Perhaps storing something in the ViewState that would be hard or impossible to jerry-rig to fake a postback? A random string?
推荐答案
OK,这里是我认为该如何解决?Page.IsPostBack的是的已经足够安全,只要事件验证已启用。让我解释一下我下面的推理,我很乐意为任何人添加评论,如果我已经得到了一些错误。
OK, here's what I think is the solution: Page.IsPostBack is already secure enough, as long as event validation is enabled. Let me explain my reasoning below and I'd be happy for anyone to add a comment if I've gotten something wrong.
为了恶搞回发到贴到ASP.net并引发控件的的OnClick 事件,与事件验证启用,客户端发送 __ EVENTVALIDATION 形式领域。该字段包含一个独特生成的字符串,主要是告诉ASP.net控制该页面回发事件可能起源。如果你试图欺骗回发的按钮,这已 .Visibility = FALSE 设置就可以了,你会看到一个事件验证错误消息。因此,它看起来就像你不能直接伪造一个隐藏的控制的点击。
In order for a spoof postback to be posted to ASP.net and trigger a control's OnClick event, with event validation enabled, the client has to send the __EVENTVALIDATION form field. This field contains a uniquely-generated string that basically tells ASP.net which controls a postback event for that page may have originated from. If you try to spoof a postback for a button which has had .Visibility = false set on it, you'll see an event validation error message. So, it looks like you can't directly spoof a click on a hidden control.
什么欺骗页面上现有的按钮中的一个回送你的的被渲染(即你有权查看/点击它)?好了,你可以回发发送到页面,但你必须提交有效的 __ VIEWSTATE 或你只是得到一个国家信息无效的错误。为了有一个有效的 __ VIEWSTATE ,你已经需要已加载的页面作为非回发,对不对?这意味着,安全校验码将至少执行一次,隐藏适当的控制和记录,在 __ VIEWSTATE 。所以,当你发布恶搞回发,是的,它会引起 Page.IsPostBack 是真实的,但它并不重要,因为提交的 __ VIEWSTATE ,会已在先前的非回发页面加载生成隐藏,你不应该访问......所以,你可以欺骗回传的内容,但只能通过传递 __ VIEWSTATE 已经由一个非回发页面加载先前生成的。
What about spoofing a postback of one of the existing buttons on the page that you has been rendered (ie. you do have permission to view/click on it)? Well, you can send the postback to the page, but you need to submit a valid __VIEWSTATE or you'll just get a 'state information invalid' error. In order to have a valid __VIEWSTATE, you already need to have loaded the page as a non-postback, right? That means that the security-checking code will have executed at least once, hiding the appropriate controls and recording that in the __VIEWSTATE. So, when you post the spoof postback, yes it will cause Page.IsPostBack to be true, but it doesn't matter because the submitted __VIEWSTATE will already have been generated on the previous non-postback page load to hide the content that you shouldn't have access to... so, you can spoof a postback, but only by passing a __VIEWSTATE that has been previously generated by a non-postback page load.
所以,因为这些事实,它应该是安全的只有把安全检查代码 Page.IsPostBack ==虚假块内。前一个有效的回传,可以提交到服务器ASP.net这必须始终得到运行一次。还是我失去了一些东西?
So, because of these facts, it should be safe to only put security-checking code inside a Page.IsPostBack == false block. This must always get run once before a valid postback can be submitted to the ASP.net server. Or am I missing something?
这篇关于一个安全的实现Page.IsPostBack的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
