Using AntiCSRF with ajax
I have installed the AntiCSRF HTTPModule but I need to use it with ajax.
The token field name: RaiseException.
CookieName: __CSRFCOOKIE.
Should I send the token field value manually with the ajax POST, or is there something else to be done?
And since we use a cookie here, can't anyone create a cookie with the same name and the same value and send the value that appears in the hidden field to the server and get the data, or are there some restrictions about this?!
Thanks
Comments (1)
I'm not familiar with the specific anti-CSRF module that you're using. There's anti-CSRF support built into ASP.Net, but it struggles with AJAX.
Most sites use a secured HTTP-only cookie for authentication. All browsers support a same-origin policy, which means that only the site that creates a cookie can access it.
A CSRF attack works because the hacker doesn't need to see the cookies, as the user's browser will send them along with any request to your site. So the hacker creates a form that sends data to your site:
The hacker isn't an admin on your site, but they can trick a user who is into doing stuff for them.
Most anti-CSRF protections work in the same way: by requiring the POSTed form data to have an additional token that the site can access but that the hackers can't spoof.
So .Net's default implementation adds a cookie with a token, the same token in a hidden input, and then checks that they match. The hacker can't see the cookie, so can't reproduce the hidden input.
This is a problem for AJAX calls for two reasons:
It sounds like what you need to do is manually add the value of your token's field name to the AJAX call, and make sure that you're sending form data.