Prevent query string manipulation by adding a hash?


Problem description


To protect a web application from query string manipulation, I was considering adding a query string parameter to every URL which stores a SHA1 hash of all the other query string parameters & values, then validating against the hash on every request.

Does this method provide strong protection against user manipulation of query string values? Are there any other downsides/side-effects to doing this?

I am not particularly concerned about the 'ugly' URLs for this private web application. URLs will still be 'bookmarkable' as the hash will always be the same for the same query string arguments.

This is an ASP.NET application.

Solution

I'm not sure this provides any sort of security. If a man-in-the-middle attacker wants to change the parameters, all he must do is change the query string and recompute the SHA-1 hash and send that request along to the server.

For example, the URL sent by the browser might be:

http://www.example.com/addUser.html?parameterA=foo&hash=SHA1("parameterA=foo")

If an attacker intercepts this, he can edit it in this way:

http://www.example.com/adduser.html?parameterA=bar&hash=SHA1("parameterA=bar")

Really, this boils down to the fact you can trust the hash only as much as the parameters themselves.

One way you could fix this would be if the user has a password that only he and the server knows, then it would be impossible for the attacker to recompute the hash if he changes the parameters. For example:

http://www.example.com/addUser.html?parameterA=foo&hash=SHA1("parameterA=foo"+"theuserpassword")

But don't put the password as one of the parameters in the URL :)

It is important to note that this isn't the state of the art for verifying the integrity of messages passed between two parties. What is used today is a form of the Hash-based Message Authentication Code (HMAC) algorithm, which is pretty well described in HMAC, and definitively in RFC2104 and FIPS Pub 198-1.
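The two schemes the answer contrasts, as an added example that is not part of the original question or answer. It is written in Python rather than ASP.NET because the point is the construction, not the framework: the first half implements the asker's unkeyed SHA-1 scheme and the forgery the answer describes (rewrite the parameters, recompute the hash); the second half implements the answer's recommendation, an HMAC keyed with a secret only the server holds. The parameter name `hash`, the base URL from the answer, the function names and the generated key are all assumptions made for this example. Two details the answer does not spell out are also included: parameters are sorted before hashing so that reordering the query string does not break verification, and the tag comparison is constant-time.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Server-side secret for the HMAC scheme. A real deployment loads this from
# configuration or a key store; generating it at import time is demo-only.
SERVER_KEY = secrets.token_bytes(32)

# Name of the query parameter that carries the hash or tag (assumed name).
SIG_PARAM = "hash"


def canonical_query(params):
    """Sort (name, value) pairs and URL-encode them, so that reordering the
    query string does not change the bytes that get hashed or signed."""
    return urlencode(sorted(params)).encode()


def _split(url):
    """Separate the hash/tag values from the remaining query parameters."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    sigs = [v for k, v in pairs if k == SIG_PARAM]
    params = [(k, v) for k, v in pairs if k != SIG_PARAM]
    return sigs, params


def _with_query(base, params):
    """Keep scheme, host and path of `base`, replace its query entirely."""
    scheme, netloc, path, _, fragment = urlsplit(base)
    return urlunsplit((scheme, netloc, path, urlencode(params), fragment))


def _equal(a, b):
    # compare_digest needs bytes (or ASCII-only str); encode so that a
    # non-ASCII value supplied by a client cannot raise instead of failing.
    return hmac.compare_digest(a.encode(), b.encode())


# --- The scheme from the question: unkeyed SHA-1 ---------------------------

def naive_hash(params):
    """SHA-1 over the other parameters. No secret is involved, so anyone who
    can read or rewrite the URL can recompute it for any parameters."""
    return hashlib.sha1(canonical_query(params)).hexdigest()


def build_naive_url(base, params):
    params = list(params)
    return _with_query(base, params + [(SIG_PARAM, naive_hash(params))])


def verify_naive_url(url):
    """Return the parameters if exactly one hash is present and it matches."""
    sigs, params = _split(url)
    if len(sigs) != 1 or not _equal(naive_hash(params), sigs[0]):
        return None
    return params


def forge_naive_url(url, new_params):
    """The attack in the answer: keep host and path, swap the parameters,
    recompute the unkeyed hash. The result passes verify_naive_url."""
    return build_naive_url(url, new_params)


# --- The fix: HMAC keyed with a server-only secret --------------------------

def sign_params(params, key=SERVER_KEY):
    """HMAC-SHA256 tag (RFC 2104 construction) over the canonical query."""
    return hmac.new(key, canonical_query(params), hashlib.sha256).hexdigest()


def build_signed_url(base, params, key=SERVER_KEY):
    params = list(params)
    return _with_query(base, params + [(SIG_PARAM, sign_params(params, key))])


def verify_signed_url(url, key=SERVER_KEY):
    """Return the parameters if exactly one tag is present and it verifies
    under `key`, else None. Without the key a tampered URL cannot be re-tagged."""
    sigs, params = _split(url)
    if len(sigs) != 1 or not _equal(sign_params(params, key), sigs[0]):
        return None
    return params


if __name__ == "__main__":
    base = "http://www.example.com/addUser.html"
    naive = build_naive_url(base, [("parameterA", "foo")])
    forged = forge_naive_url(naive, [("parameterA", "bar")])
    print("naive accepts forged URL:", verify_naive_url(forged) is not None)
    signed = build_signed_url(base, [("parameterA", "foo")])
    print("HMAC accepts original:   ", verify_signed_url(signed) is not None)
    print("HMAC accepts tampered:   ", verify_signed_url(signed.replace("foo", "bar")) is not None)
```

Note that the HMAC protects integrity only: the parameters are still readable in the URL, so anything that must stay secret does not belong there, and the tag says only that the server (or someone holding its key) produced that exact parameter set, not that the current requester is allowed to use it.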
