Security considerations for an ASP.Net web application to be used on public computers or kiosks

Posted 2024-09-12 04:34:01 · 1233 characters · 2 views · 0 comments


I have an application that can be used without authentication on computers in public locations. It's a simple four page application that allows users to apply for a marriage license. Some offices will have a public computer kiosk where applicants can fill out their own information before proceeding to the clerk. They can also do so at home before visiting the office. What considerations should I take to make sure that a user cannot get access to the previous user's input? Some form data will contain sensitive info such as DOB, SSN and Mother's Maiden Name.

1. Disable AutoComplete

So far, I've set autocomplete=false in my Master page form tag.

<!-- the attribute value browsers recognise for disabling autofill is "off", not "false" -->
<form id="frmMain" runat="server" autocomplete="off">

2. Disable Page Caching

I've also been able to disable page caching in IE and FF, but cannot do so in Safari and Chrome. Anybody know the trick? Hitting the back button still shows the form-filled data in Safari and Chrome.

// Disables page-caching in IE: sends Cache-Control: no-cache, no-store, keeps the
// response out of browser history and marks it as already expired
Response.Cache.SetAllowResponseInBrowserHistory(false);
Response.Cache.SetCacheability(HttpCacheability.NoCache);
Response.Cache.SetNoStore();
Response.Expires = 0;

// HACK: works around Firefox's cache issue by giving every response a different ETag
Response.AddHeader("ETag", new Random().Next(1111111, 9999999).ToString());

3. Manage the session

I've also implemented a timer on each page that will kill the session after n number of minutes. The session holds the current application ID with which the pages use to load previously entered data. They can get more time by clicking a button. When the timer is up, it redirects back to the main page where I kill the session in Page_Load. I also redirect to this page when the users click the "Finished/Submit" button. Once the session is killed, navigating to the pages by URL will never load the previous application. It'll be treated as a new one.

// Main page: a plain GET (not a postback) ends whatever session the previous applicant left
protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
        Session.Abandon();
}

4. What else should I do?

Your awesome suggestions/tips here
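Putting steps 2 and 3 together in one place, as an added example that is not the poster's code: a base class the kiosk pages can inherit. It emits the full set of no-store headers, enforces the idle limit on the server (the JavaScript timer only asks for the redirect; a kiosk user can disable it), and, when the session is ended, also expires the session cookie, because Session.Abandon() on its own lets the browser keep presenting the same session id on the next request. Assumed: ASP.NET Web Forms on .NET Framework with in-process session state and the default ASP.NET_SessionId cookie name; the class name, the session keys and Default.aspx are placeholders.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example, not the poster's code. Base class for every page of the kiosk application.
// Assumes ASP.NET Web Forms on .NET Framework, in-process session state and the default
// session cookie name. Session key names and the landing page path are placeholders.
public class KioskPage : Page
{
    // Idle limit enforced on the server; the page's JavaScript timer is only a courtesy.
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(5);
    private const string LastActivityKey = "Kiosk.LastActivity";
    private const string ApplicationIdKey = "Kiosk.ApplicationId";
    private const string LandingPage = "~/Default.aspx";

    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        SetNoStoreHeaders(Response);
        EnforceIdleTimeout();
    }

    // Every response that carries applicant data must not be written to any cache.
    public static void SetNoStoreHeaders(HttpResponse response)
    {
        response.Cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache
        response.Cache.SetNoStore();                                     // adds no-store
        response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches); // adds must-revalidate
        response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));         // Expires in the past
        response.Cache.SetAllowResponseInBrowserHistory(false);
        response.Cache.SetNoServerCaching();                             // no ASP.NET output cache either
        response.AppendHeader("Pragma", "no-cache");                     // for HTTP/1.0 proxies
    }

    // Decide on the server whether this session went idle; never rely on the client timer alone.
    private void EnforceIdleTimeout()
    {
        object last = Session[LastActivityKey];
        if (last is DateTime && DateTime.UtcNow - (DateTime)last > IdleLimit)
        {
            EndApplicantSession();
            // endResponse: true stops the page lifecycle here (throws ThreadAbortException internally).
            Response.Redirect(LandingPage, true);
            return;
        }
        Session[LastActivityKey] = DateTime.UtcNow;
    }

    // Called from the "Finished/Submit" handler and from the timeout path above.
    public void EndApplicantSession()
    {
        Session.Clear();
        Session.Abandon();
        // Abandon() marks the server-side state for removal but the browser still holds the cookie
        // and would present the same id again; expire it so the next applicant starts with a new one.
        var cookie = new HttpCookie("ASP.NET_SessionId", string.Empty)
        {
            Expires = DateTime.UtcNow.AddYears(-1),
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(cookie);
    }

    // The only thing the pages should keep in session: the id used to reload earlier steps.
    protected Guid? CurrentApplicationId
    {
        get { return Session[ApplicationIdKey] as Guid?; }
        set { Session[ApplicationIdKey] = value; }
    }
}
```

Pages inherit from KioskPage instead of Page and call EndApplicantSession() from the Finished/Submit button handler before redirecting. The server-side sessionState timeout in web.config should be set to the same value as IdleLimit (or lower) so that state the page never touches again is also dropped on schedule.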

Comments (4)

抽个烟儿 2024-09-19 04:34:01


Since this is a kiosk app, you'd want to make sure that the browser is configured to honor requests not to cache anything.

Last time I researched the effectiveness of server-side no-cache headers, I realized that anyone using a customized, buggy or uncommon browser might not honor requests not to cache documents.

You may also want to add JavaScript back-button breakers on some pages (e.g. an end-of-session page) and a history-navigation deterrent, but not on all pages, because no one likes the back button being broken.

苏璃陌 2024-09-19 04:34:01


I think you have the right idea. Killing the session on "Finish/Submit" is what I would have recommended. Still, read over the OWASP Top 10 and keep your usual vulnerabilities in mind.

1) Make sure you use HTTPS.

2) Always, always, always test your application for vulnerabilities before rolling it out. I recommend using Wapiti (free), Acunetix ($) or NTOSpider ($$$$).

3) Keep your server up to date, and make sure you run OpenVAS to make sure your server is secure.

南街女流氓 2024-09-19 04:34:01


Use JavaScript. You will have to capture and prevent each form's submit event, grab the data, submit it via ajax, then use the form's native reset() method. From there you can navigate elsewhere or show validation errors depending on the ajax result. It's easy with jQuery.
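A worked version of the client-side clearing that the first and third comments above suggest, as an added example rather than code from either answer: a Web Forms code-behind that registers a script which blanks the fields when the page is left and again if Safari or Chrome restore it from the back/forward cache, which is what makes the filled-in form reappear on Back. It keeps the normal postback instead of the ajax submit suggested above, because Web Forms view state and event validation expect the postback, and it overwrites the field values instead of calling reset(), since reset() restores the value attributes the server rendered (the previously saved data) rather than leaving the fields empty. ApplicantStep, ClearScript and the script key are placeholders.

```csharp
using System;
using System.Web.UI;

// Added example, not code from the answers above. Code-behind for one step of the kiosk
// form. Class name, script key and the ClearScript constant are placeholders.
public partial class ApplicantStep : Page
{
    private const string ClearScript = @"
(function () {
  var form = document.forms[0];
  if (!form) { return; }
  function blank() {
    // reset() would restore the server-rendered value attributes, so overwrite the values instead.
    // Hidden inputs (__VIEWSTATE etc.) and buttons are left alone.
    var fields = form.querySelectorAll('input:not([type=hidden]):not([type=submit]), textarea, select');
    Array.prototype.forEach.call(fields, function (el) {
      if (el.tagName === 'SELECT') { el.selectedIndex = -1; }
      else if (el.type === 'checkbox' || el.type === 'radio') { el.checked = false; }
      else { el.value = ''; }
    });
  }
  // pageshow with persisted === true means the page came back from the back/forward cache
  // rather than from the server, so the no-store headers never had a chance to apply.
  window.addEventListener('pageshow', function (e) { if (e.persisted) { blank(); } });
  // pagehide fires when the page is left (submit, link, timeout redirect). For a submit the
  // form data has already been sent by then, so blanking here does not affect the request.
  window.addEventListener('pagehide', blank);
})();";

    protected void Page_Load(object sender, EventArgs e)
    {
        // Registered on every load, including postbacks that re-render with validation errors.
        ClientScript.RegisterStartupScript(GetType(), "kioskClear", ClearScript, true);
    }
}
```

Because the script runs on pagehide for every way of leaving the page, it also covers the timeout redirect and the Finished/Submit redirect, which is the case where a later user pressing Back is most likely; pages that carry no applicant data do not need it, which matches the first comment's point about not breaking Back everywhere.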
