How to prevent people from looping HTTP POST requests to a function?

Time: 2022-11-11 22:15:57

I am trying to develop a website. The website has a pop-up modal which allows the user to subscribe to our latest promotion. In that modal, we have a textbox that allows users to key in their email.

However, when we look at the HTML code, the HTTP POST URL is visible:

If someone tries to use this URL and spam HTTP POST requests (see below), unlimited entries can be created in the subscriber database table.

for (int a = 0; a < 999999; a++)
{
    var values = new Dictionary<string, string>
    {
        { "email", a+"@gmail.com" }
    };

    var content = new FormUrlEncodedContent(values);
    var response = await client.PostAsync("http://www.example.com/recepticle.aspx", content);
    var responseString = await response.Content.ReadAsStringAsync();
}

How can I prevent this from happening? We cannot put a CAPTCHA on it, since this is a subscription to our promotion.

Edit: Please note that an anti-forgery token will not work, because the hacker can download the entire HTML string using GET, get the value from the anti-forgery token field, and POST that value to the POST URL again, so it will not work; the same anti-forgery token can be used multiple times, so it is not secure.

2 solutions

#1


6  

You can choose one of the options below to implement what you are looking for.

1- Implement CAPTCHA/reCAPTCHA; it will make sure that requests can't be made using any tool. I understand that you don't want to use CAPTCHA, but I still feel you should go with it, as it is the best approach to handle this type of scenario.

2- IP-based restriction: lock submitting the request from one IP for some time.

3- Another option is OTP (one-time password): you can send the OTP to the email, and only after successful verification do you register the email.

#2


4  

Use AntiForgeryToken. Read more about anti-forgery tokens here.

  1. In your form Razor view, add @Html.AntiForgeryToken() as a form field.

    @using (Html.BeginForm())
    {
        @Html.AntiForgeryToken()

        <div class="form-horizontal">
            @*Rest of the form*@
        </div>
    }
    
  2. In your action method, use ValidateAntiForgeryTokenAttribute.

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(MyViewModel form)
    {
        if (ModelState.IsValid)
        {
            // Rest of your code
        }
    }
    
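Here is how answer #1's option 2 (a per-IP lockout on the subscribe endpoint) can sit beside answer #2's anti-forgery check in ASP.NET Core MVC, with option 3 (email confirmation) left as the step the action performs. This is an added example, not code from the question or either answer; the filter, controller, method names and the 5-per-60-seconds limit are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
// Hypothetical per-client-IP fixed-window limiter for the subscribe action (ASP.NET Core MVC).
// State is process-local and never evicted: back it with a shared cache and eviction on a farm.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public sealed class SubscribeRateLimitAttribute : ActionFilterAttribute
{
    private static readonly ConcurrentDictionary<string, (DateTime WindowStart, int Count)> Buckets = new();
    private readonly int _maxPerWindow;
    private readonly TimeSpan _window;
    public SubscribeRateLimitAttribute(int maxPerWindow = 5, int windowSeconds = 60)
    {
        _maxPerWindow = maxPerWindow;
        _window = TimeSpan.FromSeconds(windowSeconds);
    }
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // Behind a proxy this is the proxy's address; enable ForwardedHeadersMiddleware for a proxy you control.
        string ip = context.HttpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";
        DateTime now = DateTime.UtcNow;
        // Open a fresh window once the old one has expired; otherwise count this request in it.
        var entry = Buckets.AddOrUpdate(
            ip,
            _ => (now, 1),
            (_, old) => now - old.WindowStart >= _window ? (now, 1) : (old.WindowStart, old.Count + 1));
        if (entry.Count > _maxPerWindow)
        {
            int retryAfter = (int)Math.Ceiling((_window - (now - entry.WindowStart)).TotalSeconds);
            context.HttpContext.Response.Headers["Retry-After"] = retryAfter.ToString();
            context.Result = new StatusCodeResult(429); // 429 Too Many Requests; the action never runs
            return;
        }
        base.OnActionExecuting(context);
    }
}
public class SubscribeController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]                               // answer #2: per-form token
    [SubscribeRateLimit(maxPerWindow: 5, windowSeconds: 60)] // answer #1, option 2: per-IP limit
    public IActionResult Subscribe(string email)
    {
        // Store a pending row and email a confirmation link; confirm only on the callback
        // (answer #1, option 3), so bulk POSTs never become confirmed subscribers.
        return Ok();
    }
}
```

A per-IP limit alone is weak against senders spread across many addresses, which is why the pending-then-confirm step is the control that actually keeps junk rows out of the subscriber table.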
