ASP.NET 网页中的安全问题
我正在使用一个按钮进行回发
<asp:Button ID="SendButton" Enabled="True" Width="70" runat="server" PostBackUrl='<%# Eval("GroupName", "SendMessage.aspx?GroupName={0}") %>' Text='Send'></asp:Button>
,将 GroupName 发送到 SendMessage.aspx 页面。但我觉得它很容易受到攻击,比如欺骗(如果我错了,请纠正我)。
http://localhost:40092/SurelyK/SendMessage.aspx?GroupName=Acc
Url 包含可以被攻击者更改的组名 我怎样才能防止我的网站受到此类攻击。请给我一些建议。
I am using a button to do postback
<asp:Button ID="SendButton" Enabled="True" Width="70" runat="server" PostBackUrl='<%# Eval("GroupName", "SendMessage.aspx?GroupName={0}") %>' Text='Send'></asp:Button>
to send the GroupName to SendMessage.aspx page. But I feel it is vulnerable to attack, something like spoofing (correct me if i am wrong).
http://localhost:40092/SurelyK/SendMessage.aspx?GroupName=Acc
The Url contains the groupname which can be changed by attackers
How can I prevent my website from such attack. give me some suggestions pls.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
![扫码二维码加入Web技术交流群](/public/img/jiaqun_03.jpg)
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
防止这种情况的常用方法是在服务器端验证您的输入,恶意客户端无法执行任何操作。如果您在服务器上看到无效的组名称,您只需返回一个页面说明这一点,而不是对有效组名称执行任何处理。
如果您不希望值发生更改,则可以将数据存储在
ViewState
(已加密)或Session
(存储在服务器上)中,并且客户端无法访问。)不过,鉴于您有一个用于提交此信息的按钮,我认为正确的服务器端验证是正确的路径。
同样,如果您没有通过要求身份验证和授权来保护此页面,那么您当然也应该这样做,以便只有您认识和信任的用户才能访问该页面。
The usual method to protect against this is to validate your inputs on the server side, where malicious clients can't do anything. If you see an invalid group name on the server, you can just return a page saying so, rather than performing whatever processing you would for a valid group name.
If you don't expect the values to change, then you can store the data either in
ViewState
(which is encrypted) or in theSession
(which is stored on the server, and is inaccessible to clients.)Given that you have a button for submitting this information, though, I think proper server-side validation is the correct path.
As well, if you haven't secured this page by requiring authentication and authorization, then you should of course do so as well, so that only users you know and trust can access the page regardless.
使用
Session
变量来保存相关数据怎么样?会话数据会跨多个页面持续存在,直到会话结束。我从未听说过会话变量调整。
How about using
Session
variables to hold relevant data instead? Session data persists across multiple pages, until the session ends.I've never heard of Session variable tempering.