防伪令牌盐有什么用?
在ASP.NET MVC 1.0中,有一个新功能可以处理跨站请求伪造安全问题:
<%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
// ... etc
}
我发现每次呈现新表单时,以html表单生成的令牌都会不断变化。
我想知道这些token是怎么生成的?并且当使用某些软件扫描该站点时,它会报告另一个安全问题:会话已修复。为什么?既然token不断变化,怎么会出现这个问题呢?
还有另一个函数,就是 antiForgeryToken 的“salt”,但我真的知道它的用途,即使我们不使用“salt”来生成令牌,令牌也会改变一直以来,那么为什么要有这样的功能呢?
In ASP.NET MVC 1.0, there is a new feature for handling cross site request forgery security problem:
<%= Html.AntiForgeryToken() %>
[ValidateAntiForgeryToken]
public ViewResult SubmitUpdate()
{
// ... etc
}
I found the token generated in html form keep changing every time a new form is rendered.
I want to know how these token is generated? And when use some software to scan this site, it will report another security problem: Session fixed. Why? Since the token keep changed, how can this problem come ?
And there is another function, that is "salt" for the antiForgeryToken, but I really know what this used for, even through we don't use "salt" to generate the token, the token will changes all the time, so why have such function?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
有关 AntiForgeryToken 的大量信息如下: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
这是为了防止跨站点请求伪造 (CSRF)。单击“保存”提交表单并在服务器上执行某些操作(即保存用户的详细信息)是非常标准的行为。您如何知道提交表单的用户就是他们声称的用户?在大多数情况下,您会使用一些 cookie 或基于 Windows 的身份验证。
如果攻击者引诱您访问一个在隐藏的 IFRAME 中提交完全相同表单的网站,该怎么办?您的 cookie 会完整地提交,并且服务器不会将该请求视为与合法请求有任何不同。 (正如 gmail 所发现的:http://www.gnucitizen。 org/blog/google-gmail-e-mail-hijack-technique/)
防伪造令牌通过在每次生成页面时创建额外的 cookie 令牌来防止这种形式的攻击。令牌同时存在于表单和 cookie 中,如果表单和 cookie 不匹配,我们就会遭受 CSRF 攻击(因为攻击者将无法使用上述攻击读取防伪令牌)。
从上面的文章来看,盐有什么作用:
更新:令牌是如何生成的?下载源,并查看 AntiForgeryDataSerializer、AntiForgeryData 类。
Lots of info on the AntiForgeryToken here: http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
This is to prevent a Cross-Site Request Forgery (CSRF). It's pretty standard behavior to click 'Save' sumbit a form and perform some action on the server, i.e. save a user's details. How do you know the user submitting the form is the user they claim to be? In most cases you'd use some cookie or windows based auth.
What if an attacker lures you to a site which submits exactly the same form in a little hidden IFRAME? Your cookies get submitted intact and the server doesn't see the request as any different to a legit request. (As gmail has discovered: http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/)
The anti-forgery token prevents this form of attack by creating a additional cookie token everytime a page is generated. The token is both in the form and the cookie, if the form and cookie don't match we have a CSRF attack (as the attacker wouldn't be able to read the anti-forgery token using the attack described above).
And what does the salt do, from the article above:
Update: How is the token generated? Download the source, and have a look at the AntiForgeryDataSerializer, AntiForgeryData classes.
您问了一些不相关的问题:
这(大概)用于验证每个请求是否有效。因此,考虑到有人尝试提供指向页面
?x=1的链接,如果令牌未同时传递,则请求将被拒绝。此外,它(可以)防止重复发布同一项目。如果您单击“发布”两次,令牌可能会发生变化(每个请求),并且这种情况将通过以下方式检测到:我认为这种情况(它保护的攻击)的术语称为“CSRF”(跨站点请求)伪造),这些天。
You've ask a few unrelated problems:
This is used (presumably) to validate that each request is valid. So consider that someone tries to present a link to the page
?x=1, if the token is not also passed, the request will be rejected. Further, it (may) prevent duplicate posting of the same item. If you click 'post' twice, the token will likely change (each request), and this case will be detected via something like:I think the term for this (the attack it protects) is called "CSRF" (Cross-Site Request Forgery), these days.