ASP.NET and man-in-the-middle

Time: 2022-08-22 03:58:00

Does ASP.NET use a mechanism for disallowing manipulation of data between client and server?

If not, does it mean we should use SSL? What kind of attacks can SSL prevent?

If yes, what is this mechanism?

3 solutions

#1


0  

ASP.NET uses ViewState on the client side to retain values - which is practically unbreakable. However, any web application passes (posts) data to the server via the web browser, which is passed in chunks of packet data using the TCP/IP protocol. This information can be easily monitored using some software to see what data is being transmitted (however, changing this data while being transmitted to the server seems very very difficult in real time). SSL simply encrypts the data (say your user name and password you typed in the login box) before the browser sends it to the server; this data while being transmitted on TCP/IP channels can be monitored but it would be in encrypted format. Thus, secure.

However, you can make your application secure by taking care of the points from these links:

#2


4  

No, the ASP.NET Web Forms and MVC frameworks do nothing to protect transport of data between client and server. The ViewState is an encrypted piece of data in Web Forms, but that does not mean it can't be tampered with on the way to the server or client. The short answer is to use at least 128-bit SSL using a CA-signed certificate if you want to prevent man-in-the-middle attacks.

#3


1  

To disallow data manipulation between client and server, you have to have a way for the server to detect such manipulation. For ViewState this can be enabled in ASP.NET by making sure the ViewState has MAC and encryption enabled. Oh, and you should also set a ViewStateUserKey.

For other parameters, however, an attacker can manipulate the parameters. So use SSL/TLS. SSL/TLS sets up an encrypted connection between your client and server, making it impossible (unless poorly configured) for an attacker to sniff out data or manipulate the content.

Not using SSL/TLS allows all sorts of attacks (sniffing session cookies on open wireless networks, injecting packets and manipulating the returned web page, etc.).
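What answer #3 describes, a server detecting manipulation of client-held state and tying that state to one user, can be sketched as a small console program. This is an added example, not code from the original answers or from ASP.NET itself: the `SignedState` class, the key and the session names are hypothetical, and the blob here is signed but not encrypted.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; this is not ASP.NET's internal ViewState format.
// All names and sample values below are constructed for the demo.
static class SignedState
{
    // Server-only secret (constructed value; never sent to the client).
    static readonly byte[] ServerKey = Encoding.UTF8.GetBytes("constructed-demo-secret");

    // MAC over the state plus a per-user key, so a blob is valid for one user only.
    // The user key is length-prefixed so key and state cannot be re-split.
    static byte[] Mac(string state, string userKey)
    {
        using (var hmac = new HMACSHA256(ServerKey))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(userKey.Length + ":" + userKey + state));
    }

    public static string Protect(string state, string userKey)
    {
        return Convert.ToBase64String(Encoding.UTF8.GetBytes(state)) + "."
             + Convert.ToBase64String(Mac(state, userKey));
    }

    // Returns false when the blob was altered or was issued for another user.
    public static bool TryUnprotect(string blob, string userKey, out string state)
    {
        state = null;
        string[] parts = blob.Split('.');
        if (parts.Length != 2) return false;
        try
        {
            string candidate = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
            byte[] sent = Convert.FromBase64String(parts[1]);
            byte[] expected = Mac(candidate, userKey);
            int diff = sent.Length ^ expected.Length;   // compare without early exit
            for (int i = 0; i < sent.Length && i < expected.Length; i++) diff |= sent[i] ^ expected[i];
            if (diff != 0) return false;
            state = candidate;
            return true;
        }
        catch (FormatException) { return false; }       // not valid Base64
    }

    static void Main()
    {
        string blob = Protect("role=user;cart=3", "session-A");
        // Same MAC, different payload: what an in-transit modification looks like.
        string altered = Convert.ToBase64String(Encoding.UTF8.GetBytes("role=admin;cart=3"))
                       + blob.Substring(blob.IndexOf('.'));
        string s;
        Console.WriteLine("untouched: " + TryUnprotect(blob, "session-A", out s));
        Console.WriteLine("altered:   " + TryUnprotect(altered, "session-A", out s));
        Console.WriteLine("replayed:  " + TryUnprotect(blob, "session-B", out s));
    }
}
```

A check like this only protects the signed blob; other form fields, query parameters and cookies still depend on TLS for integrity in transit.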
