Does AntiForgeryToken in ASP.NET MVC prevent against all CSRF attacks?


Question

Using AntiForgeryToken requires each request to pass a valid token, so malicious web pages with a simple script posting data to my web application won't succeed.

But what if a malicious script first makes a simple GET request (by Ajax) in order to download the page containing the antiforgery token in a hidden input field, extracts it, and uses it to make a valid POST?

Is it possible, or am I missing something?

Answer

Yes, this is all you need to do.

As long as you generate a new token on each protected page with <%= Html.AntiForgeryToken() %> and always ensure it is checked in any protected action using [ValidateAntiForgeryToken].

This implements the Synchronizer Token Pattern as discussed in the CSRF Prevention Cheat Sheet at OWASP.

In order for a script to succeed in making an acceptable request, it would have to first get the form and read the token and then post the token. Same Origin Policy will stop this from being allowed in a browser. A site cannot make an AJAX-style HTTP request to another site; only to itself. If for some reason the same origin policy can be breached, then you will become vulnerable.

Note that if you have a cross-site scripting vulnerability, then an attacker can abuse the XSS vulnerability to circumvent the protection provided by the same origin policy (because the script is now running from your own site, so SOP succeeds). The injected script can then happily read and resubmit the token. This technique to get past CSRF protection via XSS has been common in some worms recently. Basically, if you have XSS, your CSRF protection is a waste of time, so ensure you are not vulnerable to either.

Another thing to watch out for is Flash and Silverlight. Neither of these technologies subscribes to the same origin policy; instead they use cross-domain policy files to restrict access to remote resources. Flash/Silverlight script can only access resources on your site if you publish a cross-domain policy XML file on your own site. If you do publish this file, only ever allow a whitelist of trusted third-party servers and never allow *.

Read more about CSRF at OWASP. See also: XSS Prevention Cheat Sheet.
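The Synchronizer Token Pattern the answer describes, as an added Python sketch (not code from the post or from ASP.NET MVC; the class, its method names and the simulated session cookies are assumptions): the token is embedded in a hidden field that only the legitimate page can read, so a cross-site request arrives with the victim's cookie but without a matching token.

```python
import hmac
import secrets


class SynchronizerTokenStore:
    """Server-side store: one anti-forgery token per authenticated session."""

    def __init__(self):
        self._tokens = {}  # session_id -> token (constructed in-memory store)

    def issue(self, session_id):
        # Generate a fresh random token each time a protected page is rendered.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def render_form(self, session_id):
        # Stand-in for Html.AntiForgeryToken(): embed the token in a hidden field.
        token = self.issue(session_id)
        return ('<form method="post" action="/transfer">'
                f'<input type="hidden" name="__RequestVerificationToken" value="{token}">'
                '</form>')

    def validate(self, session_id, form_token):
        # Stand-in for [ValidateAntiForgeryToken]: the token in the POST body must
        # match the one issued to the session identified by the request's cookie.
        expected = self._tokens.get(session_id)
        if expected is None or form_token is None:
            return False
        return hmac.compare_digest(expected, form_token)


def demo():
    store = SynchronizerTokenStore()
    victim_session = "victim-session-cookie"  # constructed sample cookie value
    html = store.render_form(victim_session)
    # The legitimate page (same origin) can read its own token and post it back.
    victim_token = html.split('value="')[1].split('"')[0]
    legit = store.validate(victim_session, victim_token)
    # A cross-site page makes the browser attach the victim's cookie, but SOP keeps
    # it from reading the victim's page, so the POST carries no token...
    forged_blind = store.validate(victim_session, None)
    # ...and a token fetched from the attacker's own session does not match.
    attacker_token = store.issue("attacker-session-cookie")
    forged_own_token = store.validate(victim_session, attacker_token)
    return legit, forged_blind, forged_own_token
```

Only the XSS case from the answer is not modelled here: script running on the victim's origin could read `victim_token` exactly as the legitimate page does, which is why the answer treats XSS as a CSRF bypass.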
