如何保护 MVC RESTful URL 免受黑客攻击?
我最近读了一篇关于花旗集团黑客事件的有趣文章 http://www .nytimes.com/2011/06/14/technology/14security.html?_r=2&pagewanted=1&ref=technology
这让我思考,我说我的数据库中有一个包含 100,000 行的敏感员工数据表。该表有一个名为 Id 的主键,它是一个身份列。
员工可以登录到 Web 门户,并通过 RESTful Url ({Controller}/{Action}/{Id}) 检索他的详细信息,例如 /Employee/Details/31
现在,有什么可以阻止我替换 {Id} 参数对于任何参数(例如 Id = 32)并且 正在检索员工 #32 的详细信息?这就是花旗集团的遭遇吗?
你如何防止这种情况发生?即用户已在 Web 门户上经过身份验证 但没有权限查看其他用户的记录?我应该使用其他特定的“令牌”吗 客户除了 ID 之外?
I read an interesting article recently on the CitiGroup Hacking incident
http://www.nytimes.com/2011/06/14/technology/14security.html?_r=2&pagewanted=1&ref=technology
This got me thinking, say I have a table of sensitive Employee data in my database with 100,000 rows. The table has a Primary Key called Id, which is an Identity column.
The Employee can log in to the Web Portal and his details are retrieved via a RESTful Url ({Controller}/{Action}/{Id}) e.g. /Employee/Details/31
Now, what's to stop me substituting the {Id} parameter for any parameter (e.g. Id = 32) and
retrieving details for Employee #32? Is this what happened with CitiGroup?
How do you prevent this? i.e. where the User has already been Authenticated on the Web Portal
but is not Authorized to view other users records? Should I use some other specific 'token' for
the customer in addition to the Id ?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
这就是我在完全相同的情况下所做的,首先我声明了对象的扩展:
然后在控制器中:
This is what I did for exactly the same situation, first I declared an extension to the object:
And then in the controller:
您将需要使用 ASP.NET 角色和成员资格 API。如果您已经这样做了,那么您需要做的就是使用
IsUserInRole检查来标记控制器。您可以在此处找到有关角色类的更多信息:
MSDN 角色类
You will want to utilize the ASP.NET Roles and Membership API. If you are already doing that then all you need to do to start is mark controller with a
IsUserInRolecheck.You can find more information about the Roles Class here:
MSDN Roles Class
我使用一个多对多表来保存用户和允许他们修改的实体 ID 之间的关系。每当有人尝试更改其中一个实体时,我都会进行检查以确保他们被允许这样做。我还在保存实体的表上放置了一个触发器,每当删除实体时,触发器就会删除该多对多表中的关联记录。这对我来说效果很好。
您可以做的另一件事是使用 Guid 而不是 int 作为主键。这将防止人们猜测主键。
I use a many-to-many table that holds a relationship between the user and the ID of the entities they are allowed to modify. Every time anyone attempts to change one of those entities, I do a check to make sure that they are allowed to do it. I also put a trigger on the table that holds the entities that will delete associated records in that many-to-many table whenever an entity is deleted. This has worked out quite well for me.
Another thing you could do is use a Guid instead of an int for your primary key. That will prevent people from guessing the primary key.