All my project's page need authentication.. And Normally I dont use [ValidateAntiForgeryToken] and @Html.AntiForgeryToken() on my Controller and View.. Only login page has it..
我所有的项目页面都需要认证。通常我不会在我的控制器和视图上使用[ValidateAntiForgeryToken]和@Html.AntiForgeryToken()。只有登录页面才有。
- What are they
[ValidateAntiForgeryToken] and @Html.AntiForgeryToken()?? - 它们是什么[ValidateAntiForgeryToken]和@Html.AntiForgeryToken()?
- Do I need to use them??
- 我需要使用它们吗?
- Which cookieless I have to use??
- 我要用哪个无趣的?
My web.config's part like this;
我的网络。配置是这样的;
<authorization>
<deny users="?" />
</authorization>
<authentication mode="Forms">
<forms loginUrl="~/User/Login" timeout="30" cookieless="UseDeviceProfile" name="AbosSMSP" />
</authentication>
My error like this; 
我这样的错误;
1 个解决方案
#1
19
Think of the antiforgerytoken is a way of ensuring that the request that is coming to a post action is actually one that originated from your outputted view. It stops cross site scripting attacks and i think it handles post replay attacks too.
考虑到antiforgerytoken是一种确保发送到post操作的请求实际上来自于您的输出视图的方法。它停止跨站点脚本攻击,我认为它也处理后重放攻击。
Securing the front door to your application is a good start, it stops people having their data stolen by brute force, however, it doesn't stop all forms of attacks. things like social engineering and phishing can let someone in to your site without them breaking the login page.
保护应用程序的前门是一个良好的开端,它阻止人们的数据被蛮力窃取,然而,它并不能阻止所有形式的攻击。社交工程和网络钓鱼之类的东西可以让某人进入你的网站,而不会破坏登录页面。
Once in, there are all sorts of nastiness that they can get up to, so look at the OSWAP recommendations and see if there are any other attacks that you might be vulnerable to. http://www.ergon.ch/fileadmin/doc/Airlock_Factsheet_OWASP_en.pdf
一旦进入,他们就会有各种各样的麻烦,所以看看OSWAP推荐,看看是否有其他的攻击你可能容易受到攻击。http://www.ergon.ch/fileadmin/doc/Airlock_Factsheet_OWASP_en.pdf
If in doubt, you can have your site pen tested by ethical hackers for a few hundred stirling, if you are looking after sensitive data, then i would recommend that, as they will pull up things that you might not even think of.
如果你有疑问,你可以让你的网站笔被道德黑客测试几百斯特灵,如果你正在关注敏感数据,那么我建议你这么做,因为他们会把你想都想不到的东西拿出来。
My top tips for security
我的安全秘诀
- Antiforgerytoken on the login page
- 登录页面上的反伪造令牌
- Slow all authentication attempts down by at least a second (makes brute force impractical)
- 将所有身份验证尝试降低至少一秒(使蛮力不切实际)
- Implement an account lock out procedure on n amounts of invalid logons
- 对n个无效登录执行帐户锁定过程
- Always use a generic error message on your failed logins to prevent hackers knowing which part of a login is wrong
- 始终在失败的登录中使用通用错误消息,以防止黑客知道登录的哪个部分是错误的
- Always encrypt your passwords in the db with a salt, the salt should be per user to prevent a rainbow attack on a stolen database
- 总是在数据库中使用salt加密您的密码,salt应该针对每个用户,以防止对被盗数据库的彩虹攻击
- Always make sure that any data displayed or retrieved is valid for that user
- 始终确保显示或检索的任何数据对该用户都是有效的。
- Always use parameterised sql
- 总是使用parameterised sql
- Try and obfuscate the ids passed around in your urls and views to prevent modification or an attempt at a direct reference attack
- 尝试混淆在url和视图中传递的id,以防止修改或尝试直接引用攻击
Following that, I think you will cover off most of what a pen test would raise and set you on a good stead for a secure site
在此之后,我认为你将会掩盖笔试的大部分内容,并为你的安全网站打下良好的基础。
#1
19
Think of the antiforgerytoken is a way of ensuring that the request that is coming to a post action is actually one that originated from your outputted view. It stops cross site scripting attacks and i think it handles post replay attacks too.
考虑到antiforgerytoken是一种确保发送到post操作的请求实际上来自于您的输出视图的方法。它停止跨站点脚本攻击,我认为它也处理后重放攻击。
Securing the front door to your application is a good start, it stops people having their data stolen by brute force, however, it doesn't stop all forms of attacks. things like social engineering and phishing can let someone in to your site without them breaking the login page.
保护应用程序的前门是一个良好的开端,它阻止人们的数据被蛮力窃取,然而,它并不能阻止所有形式的攻击。社交工程和网络钓鱼之类的东西可以让某人进入你的网站,而不会破坏登录页面。
Once in, there are all sorts of nastiness that they can get up to, so look at the OSWAP recommendations and see if there are any other attacks that you might be vulnerable to. http://www.ergon.ch/fileadmin/doc/Airlock_Factsheet_OWASP_en.pdf
一旦进入,他们就会有各种各样的麻烦,所以看看OSWAP推荐,看看是否有其他的攻击你可能容易受到攻击。http://www.ergon.ch/fileadmin/doc/Airlock_Factsheet_OWASP_en.pdf
If in doubt, you can have your site pen tested by ethical hackers for a few hundred stirling, if you are looking after sensitive data, then i would recommend that, as they will pull up things that you might not even think of.
如果你有疑问,你可以让你的网站笔被道德黑客测试几百斯特灵,如果你正在关注敏感数据,那么我建议你这么做,因为他们会把你想都想不到的东西拿出来。
My top tips for security
我的安全秘诀
- Antiforgerytoken on the login page
- 登录页面上的反伪造令牌
- Slow all authentication attempts down by at least a second (makes brute force impractical)
- 将所有身份验证尝试降低至少一秒(使蛮力不切实际)
- Implement an account lock out procedure on n amounts of invalid logons
- 对n个无效登录执行帐户锁定过程
- Always use a generic error message on your failed logins to prevent hackers knowing which part of a login is wrong
- 始终在失败的登录中使用通用错误消息,以防止黑客知道登录的哪个部分是错误的
- Always encrypt your passwords in the db with a salt, the salt should be per user to prevent a rainbow attack on a stolen database
- 总是在数据库中使用salt加密您的密码,salt应该针对每个用户,以防止对被盗数据库的彩虹攻击
- Always make sure that any data displayed or retrieved is valid for that user
- 始终确保显示或检索的任何数据对该用户都是有效的。
- Always use parameterised sql
- 总是使用parameterised sql
- Try and obfuscate the ids passed around in your urls and views to prevent modification or an attempt at a direct reference attack
- 尝试混淆在url和视图中传递的id,以防止修改或尝试直接引用攻击
Following that, I think you will cover off most of what a pen test would raise and set you on a good stead for a secure site
在此之后,我认为你将会掩盖笔试的大部分内容,并为你的安全网站打下良好的基础。