Page method security
I'm trying to 'AJAX-ify' my site in order to improve the UI experience. In terms of performance, I'm also trying to get rid of the UpdatePanel. I've come across a great article over at Encosia showing a way of posting using PageMethods. My question is, how secure are page methods in a production environment? Being public, can anyone create a JSON script to POST directly to the server, or are there cross-domain checks taking place? My PageMethods would also write the data into the database (after filtering).
I'm using Forms Authentication in my pages and, on page load, it redirects unauthenticated users to the login page. Would the Page Methods on this page also need to check authentication if the user POSTs directly to the method, or is that authentication inherited for the entire page? (Essentially, does the entire page cycle occur even if a user has managed to post only to the PageMethod)?
Thanks
Answers (4)
PageMethods are as secure as the handler in which they reside.
FormsAuthentication will protect everything except the Login page.
On an unprotected handler, like login, you should expose only methods that 1) are not sensitive or 2) validate the user.
EDIT: in response to comments and other answers regarding CSRF and XSS please see http://weblogs.asp.net/scottgu/archive/2007/04/04/json-hijacking-and-how-asp-net-ajax-1-0-mitigates-these-attacks.aspx
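As an added example (it is not the answerer's code and not from the Encosia article), this code-behind shows what "as secure as the handler" means in practice. With `<authorization><deny users="?"/></authorization>` in web.config, the FormsAuthentication and UrlAuthorization modules reject anonymous callers before the page handler runs, and that applies to page-method calls exactly as to normal page requests. What does not apply is anything you put in `Page_Load`: a page-method call invokes the static method directly and skips the page lifecycle, so a redirect in `Page_Load` never executes for it and the method has to repeat whatever check it needs. `NoteRepository` is a hypothetical data-access class.

```csharp
// Added example, not part of the original page. Assumes web.config already
// denies anonymous users site-wide; NoteRepository is hypothetical.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;
using System.Web.UI;

public partial class Notes : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Runs for ordinary page requests only. A PageMethods call is
        // dispatched straight to the static method below, so neither this
        // handler nor the rest of the page lifecycle executes for it.
        if (!User.Identity.IsAuthenticated)
            Response.Redirect("~/Login.aspx");
    }

    [WebMethod]
    [ScriptMethod(UseHttpGet = false)]   // accept POST only, never GET
    public static string SaveNote(string text)
    {
        IPrincipal user = HttpContext.Current.User;

        // Do not rely on Page_Load having run: enforce the method's own rules.
        if (user == null || !user.Identity.IsAuthenticated)
            throw new InvalidOperationException("Authentication required.");

        if (!user.IsInRole("Editor"))
            throw new InvalidOperationException("Not permitted.");

        // Server-side validation; the client-side filter is not trusted.
        if (string.IsNullOrWhiteSpace(text) || text.Length > 4000)
            throw new ArgumentException("Invalid note.");

        NoteRepository.Save(user.Identity.Name, text);   // hypothetical DAL call
        return "saved";
    }
}
```

The thrown exception reaches the browser as the JSON error object that the ASP.NET AJAX client passes to the failure callback; with `customErrors` left at its default the message is replaced by a generic one for remote callers, which is the behaviour people notice when Postman and localhost show different detail.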
You're trying to protect against CSRF attacks.
These attacks can be prevented by requiring an authorization code in the POST parameters, and supplying the auth code in the initial page load. (The auth code should be per-IP address and per-user, and should expire quickly)
For added security, you can make each auth-code only usable once, and have each request return a new auth-code. (However, if any request fails, you'll need to reload the page)
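The scheme described in this answer, written out as an added example (not the answerer's code) in C# code-behind: a random token is issued on the initial page load, stored in session with its issue time and the client IP, written into a hidden field (the markup is assumed to contain `<asp:HiddenField ID="tokenField" runat="server" />`) from which the client script sends it as the first argument of every call, validated inside the page method, and rotated on each successful call so every token is single-use. `NoteRepository` and `SaveResult` are hypothetical. One caveat on the per-IP binding: users whose address changes mid-session (mobile networks, some proxy pools) will be rejected and have to reload the page, so weigh that against the small extra assurance it gives.

```csharp
// Added example, not part of the original page. Assumes session state is
// enabled, a HiddenField named tokenField exists in the markup, and a
// hypothetical NoteRepository handles persistence.
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Script.Services;
using System.Web.Services;
using System.Web.SessionState;
using System.Web.UI;

public class SaveResult
{
    public bool Saved { get; set; }
    public string NextToken { get; set; }   // client stores this for the next call
}

public partial class Notes : Page
{
    const string TokenKey = "pm_token";
    const string TokenIssuedKey = "pm_token_issued";
    const string TokenIpKey = "pm_token_ip";
    static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(20);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack)
            tokenField.Value = IssueToken(Session, Request.UserHostAddress);
    }

    // 256-bit random token bound to this session and client IP, timestamped for expiry.
    static string IssueToken(HttpSessionState session, string clientIp)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(bytes);
        string token = Convert.ToBase64String(bytes);
        session[TokenKey] = token;
        session[TokenIssuedKey] = DateTime.UtcNow;
        session[TokenIpKey] = clientIp;
        return token;
    }

    static bool TokenIsValid(HttpSessionState session, string presented, string clientIp)
    {
        var expected = session[TokenKey] as string;
        var issued = session[TokenIssuedKey] as DateTime?;
        var issuedTo = session[TokenIpKey] as string;
        if (expected == null || issued == null || presented == null) return false;
        if (DateTime.UtcNow - issued.Value > TokenLifetime) return false;          // expired
        if (!string.Equals(issuedTo, clientIp, StringComparison.Ordinal)) return false; // wrong IP
        return FixedTimeEquals(expected, presented);
    }

    // Compare every character so timing does not reveal how much of the token matched.
    static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    [WebMethod(EnableSession = true)]   // required, or Session is null inside a page method
    [ScriptMethod(UseHttpGet = false)]
    public static SaveResult SaveNote(string token, string text)
    {
        HttpContext ctx = HttpContext.Current;
        if (!ctx.User.Identity.IsAuthenticated)
            throw new InvalidOperationException("Authentication required.");

        if (!TokenIsValid(ctx.Session, token, ctx.Request.UserHostAddress))
            throw new InvalidOperationException("Invalid or expired request token.");

        NoteRepository.Save(ctx.User.Identity.Name, text);   // hypothetical DAL call

        // Single-use: replace the token so a replayed request fails.
        string next = IssueToken(ctx.Session, ctx.Request.UserHostAddress);
        return new SaveResult { Saved = true, NextToken = next };
    }
}
```

Because the token is rotated server-side on success, a call whose response is lost leaves the client holding a stale token; the next call then fails validation and, as the answer notes, the page has to be reloaded to obtain a fresh one.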
I am working on a project that heavily utilizes ASP.Net WebForms Page Methods, which I talk to using Ajax. This is much more convenient for me than writing all my code in JavaScript.
However, securing the page methods became an issue that troubled me. I see that I can access the page methods via Postman and Fiddler, hence enabling hackers to play with your APIs.
My solution was quite simple, and I discovered it accidentally. Adding a static Cookie requirement to the page method would return an error for any app that is NOT the website.
A Postman request to this method would return:
A more detailed error would show if on localhost.
I understand there are browser add-ons that can intercept API calls by sitting just beside the website. I have not tested this. A separate security fix has to be built for this, however.
I'll update here once I perform some tests.
Think of Pagemethods like a mini webservice local to the page. The fact is they will have no extra checks and verifications in place except those that are placed on the entire website, and those that you choose to put in.
Using Pagemethods is a smart idea from the point of view of 'Encapsulation', and if you're going to use them it doesn't hurt trying to put in some extra security measures in place.