Blocking cross-domain calls to an ASP.NET .asmx web service

Time: 2022-03-31 12:19:54

I've built an application that uses jQuery and JSON to consume an ASP.NET .asmx web service to perform CRUD operations. The application and .asmx are on the same domain. I don't mind people consuming the read operations of the .asmx remotely, but I don't want people randomly deleting stuff!

I can split the methods I'd like to be publicly accessible and the 'hidden' ones into 2 web services. How can I lock calls to the 'hidden' .asmx web service to the same domain that it's hosted in?

Thanks in advance.


Edit: Can someone comment on this, seems plausible (source: http://www.slideshare.net/simon/web-security-horror-stories-presentation): Ajax can set HTTP headers, normal forms can't. Ajax requests must be from the same domain.

So "x-requested-with" "XMLHttpRequest" requests must be from the same domain.


3 solutions

#1

8

There are two scenarios you need to secure with web services:


  1. Is the user authenticated?
  2. Is the action coming from my page?

The authentication piece is already taken care of if you're using Forms Authentication. If your web service sits in a Forms Authentication-protected area of the site, nobody will be able to access your web services unless they're logged in.


The second scenario is a slightly trickier story. The attack is known as CSRF or XSRF (Cross Site Request Forgery). This means that a malicious website performs actions on behalf of your user while they're still logged in to your site. Here's a great writeup on XSRF.


Jeff Atwood sort of sums it all up in the link above, but here is XSRF protection in four steps:


  1. Write a GUID to your user's cookie.
  2. Before your AJAX call, read this value out of the cookie and add it to the web service POST.
  3. On the server side, compare the FORM value with the cookie value.
  4. Because sites cannot read cookies from another domain, you're safe.

#2

-1

In AJAX the browser makes the calls, so even if you were to check that the domain is the same it wouldn't be secure enough because it can easily be faked.

You need to use some sort of authentication/authorization tokens (preferably with a timeout) to keep things safe.

#3

-1

A quick and dirty solution would be to use IP address restrictions to allow only your domain's IP address access via IIS.

Probably better would be using HTTP authentication. There are many ways to do this, I found Authentication in ASP.NET Web Services a helpful overview.

