How do you properly ensure that a user isnt tampering with querystring values or action url values? For example, you might have a Delete Comment action on your CommentController which takes a CommentID. The action url might look like /Comments/Delete/3 to delete the comment with the id 3.
如何正确确保用户不会篡改查询字符串值或操作URL值?例如,您可能在CommentController上有一个Delete Comment操作,它采用CommentID。操作URL可能看起来像/ Comments / Delete / 3以删除ID为3的注释。
Now obviously you dont want anyone to be able to delete comment 3. Normally on the owner of the comment or an admin has permission to do so. Ive seen this security enforced different ways and would like to know how some of you do it.
现在显然你不希望任何人能够删除评论3.通常在评论的所有者或管理员有权这样做。我看到这种安全性强制执行不同的方式,并想知道你们中的一些人是如何做到的。
Do you make multiple Database calls to retrieve the comment and check that the author of the comment matches the user invoking the delete action?
您是否进行多个数据库调用以检索注释并检查注释的作者是否与调用删除操作的用户匹配?
Do you instead pass the CommentID and the UserID down to the stored procedure who does the delete and do a Delete where UserID and CommentID equal the values passed in?
您是否将CommentID和UserID向下传递给执行删除的存储过程并执行删除操作,其中UserID和CommentID等于传入的值?
Is it better to encrypt the query string values?
加密查询字符串值是否更好?
7 个解决方案
#1
17
You don't.
It is a cardinal rule of programming, especially in this day and age, that you never trust any input which comes from the user, the browser, the client, etc.
它是编程的基本规则,特别是在这个时代,您永远不会相信来自用户,浏览器,客户端等的任何输入。
It is also a cardinal rule of programming that you should probably not try to implement encryption and security yourself, unless you really know what you are doing. And even if you do know what you are doing, you will only remain one step ahead of the tard-crackers. The smart ones are still going to laugh at you.
它也是编程的基本规则,您可能不应该尝试自己实现加密和安全性,除非您真的知道自己在做什么。即使你确实知道自己在做什么,你也只能领先于捣蛋鬼。聪明的人仍然会嘲笑你。
Do the extra query to ensure the logged-in user has the right set of permissions. That will make everyone's lives just that much simpler.
执行额外查询以确保登录用户具有正确的权限集。这将使每个人的生活变得更加简单。
#2
9
Enrypting and decrypting query params is a trivial process and there are some great examples of how to do so using an HttpModule here on *.
Enrypting和解密查询参数是一个简单的过程,并且有一些很好的例子,说明如何在*上使用HttpModule。
"You Don't", "You can't", or "It's not easy" are simply not acceptable responses in this day and age...
“你不要”,“你不能”或“这不容易”在这个时代根本不可接受的回应......
#3
3
Vyrotek: The input method is not important. GET, POST, encrypted/obfuscated GET - no real difference. No matter the way your application receives commands, to perform an administrative action it must make sure that the issuing user is allowed to do the stuff he wants. The permission check must take place AFTER the command is received and BEFORE it gets executed. Otherwise it's no security at all.
Vyrotek:输入法并不重要。 GET,POST,加密/混淆GET - 没有真正的区别。无论您的应用程序接收命令的方式如何,执行管理操作都必须确保允许发布用户执行他想要的操作。必须在收到命令之后进行权限检查,并在执行之前进行。否则它根本没有安全性。
#4
2
Consider using technique outlined in Stephen Walther's article Tip #46 – Don’t use Delete Links because they create Security Holes which uses [AcceptVerbs(HttpVerbs.Delete)]
考虑使用Stephen Walther的文章提示#46中概述的技术 - 不要使用删除链接,因为它们会创建使用[AcceptVerbs(HttpVerbs.Delete)]的安全漏洞
#5
1
You can also allow only Post requests to Delete controller action by using the Accept Verbs attribute as seen below.
您还可以通过使用Accept Verbs属性仅允许Post请求删除控制器操作,如下所示。
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Delete(int? id)
{
//Delete
}
Then you could also use the antiforgery token as discussed here:
然后你也可以使用这里讨论的防伪令牌:
#6
0
I've done funky things take the querystring, compress it, Base64 or just hex encode it, so that "commentid=4&userid=12345" becomes "code=1a2b23de12769"
我做了一些时髦的东西,使用查询字符串,压缩它,Base64或只是十六进制编码,这样“commentid = 4&userid = 12345”变成“code = 1a2b23de12769”
It's basically "Security through obscurity" but it does make a lot of work for someone trying to hack the site.
它基本上是“通过默默无闻的安全”,但它确实为试图破解该网站的人做了很多工作。
#7
0
You cannot easily do this.
你不能轻易做到这一点。
I have fond memories of a site that used action urls to do deletes.
我对使用动作网址删除的网站有着美好的回忆。
All was good until they started search crawling the intranet.
一切都很好,直到他们开始搜索爬网内网。
Ooops, goodbye data.
哎呀,再见数据。
I would recommend a solution whereby you do not use querystrings for anything you do not wish to be edited.
我建议一个解决方案,你不要使用查询字符串来做任何你不想编辑的事情。
#1
17
You don't.
It is a cardinal rule of programming, especially in this day and age, that you never trust any input which comes from the user, the browser, the client, etc.
它是编程的基本规则,特别是在这个时代,您永远不会相信来自用户,浏览器,客户端等的任何输入。
It is also a cardinal rule of programming that you should probably not try to implement encryption and security yourself, unless you really know what you are doing. And even if you do know what you are doing, you will only remain one step ahead of the tard-crackers. The smart ones are still going to laugh at you.
它也是编程的基本规则,您可能不应该尝试自己实现加密和安全性,除非您真的知道自己在做什么。即使你确实知道自己在做什么,你也只能领先于捣蛋鬼。聪明的人仍然会嘲笑你。
Do the extra query to ensure the logged-in user has the right set of permissions. That will make everyone's lives just that much simpler.
执行额外查询以确保登录用户具有正确的权限集。这将使每个人的生活变得更加简单。
#2
9
Enrypting and decrypting query params is a trivial process and there are some great examples of how to do so using an HttpModule here on *.
Enrypting和解密查询参数是一个简单的过程,并且有一些很好的例子,说明如何在*上使用HttpModule。
"You Don't", "You can't", or "It's not easy" are simply not acceptable responses in this day and age...
“你不要”,“你不能”或“这不容易”在这个时代根本不可接受的回应......
#3
3
Vyrotek: The input method is not important. GET, POST, encrypted/obfuscated GET - no real difference. No matter the way your application receives commands, to perform an administrative action it must make sure that the issuing user is allowed to do the stuff he wants. The permission check must take place AFTER the command is received and BEFORE it gets executed. Otherwise it's no security at all.
Vyrotek:输入法并不重要。 GET,POST,加密/混淆GET - 没有真正的区别。无论您的应用程序接收命令的方式如何,执行管理操作都必须确保允许发布用户执行他想要的操作。必须在收到命令之后进行权限检查,并在执行之前进行。否则它根本没有安全性。
#4
2
Consider using technique outlined in Stephen Walther's article Tip #46 – Don’t use Delete Links because they create Security Holes which uses [AcceptVerbs(HttpVerbs.Delete)]
考虑使用Stephen Walther的文章提示#46中概述的技术 - 不要使用删除链接,因为它们会创建使用[AcceptVerbs(HttpVerbs.Delete)]的安全漏洞
#5
1
You can also allow only Post requests to Delete controller action by using the Accept Verbs attribute as seen below.
您还可以通过使用Accept Verbs属性仅允许Post请求删除控制器操作,如下所示。
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Delete(int? id)
{
//Delete
}
Then you could also use the antiforgery token as discussed here:
然后你也可以使用这里讨论的防伪令牌:
#6
0
I've done funky things take the querystring, compress it, Base64 or just hex encode it, so that "commentid=4&userid=12345" becomes "code=1a2b23de12769"
我做了一些时髦的东西,使用查询字符串,压缩它,Base64或只是十六进制编码,这样“commentid = 4&userid = 12345”变成“code = 1a2b23de12769”
It's basically "Security through obscurity" but it does make a lot of work for someone trying to hack the site.
它基本上是“通过默默无闻的安全”,但它确实为试图破解该网站的人做了很多工作。
#7
0
You cannot easily do this.
你不能轻易做到这一点。
I have fond memories of a site that used action urls to do deletes.
我对使用动作网址删除的网站有着美好的回忆。
All was good until they started search crawling the intranet.
一切都很好,直到他们开始搜索爬网内网。
Ooops, goodbye data.
哎呀,再见数据。
I would recommend a solution whereby you do not use querystrings for anything you do not wish to be edited.
我建议一个解决方案,你不要使用查询字符串来做任何你不想编辑的事情。