I have many Ajax.ActionLink's on my ASP.NET MVC (v1) page that perform destructive operations. This is "legal" because I set HttpMethod to DELETE in this case so it's not a destructive GET.
我在我的ASP.NET MVC(v1)页面上有许多执行破坏性操作的Ajax.ActionLink。这是“合法的”,因为我在这种情况下将HttpMethod设置为DELETE,因此它不是破坏性的GET。
My question though is how to mitigate XSRF attacks on this operation so that other sites cannot craft this same Ajax DELETE request to delete user data from another site. This ActionLink does appear within a form that includes <%= Html.AntiForgeryToken() %> but since ActionLinks don't post the form, the anti-forgery token doesn't go to the controller, so it can't validate it.
我的问题是如何缓解此操作的XSRF攻击,以便其他站点无法制作相同的Ajax DELETE请求以从其他站点删除用户数据。此ActionLink确实出现在包含<%= Html.AntiForgeryToken()%>的表单中,但由于ActionLinks不发布表单,因此防伪标记不会发送到控制器,因此无法对其进行验证。
2 个解决方案
#1
1
To prevent against Cross-Site Request Forgery attacks you must block requests that originate from another site. In asp.net you can do this by checking to see if Request.UrlReferrer isn't from your host name. If the ajax request originated from a different server, then you should ignore the ajax request. If the referrer is null, then you should also ignore the request.
要防止跨站点请求伪造攻击,您必须阻止来自其他站点的请求。在asp.net中,您可以通过检查Request.UrlReferrer是否不是您的主机名来执行此操作。如果ajax请求来自不同的服务器,那么您应该忽略ajax请求。如果引用者为空,那么您也应该忽略该请求。
#2
0
This link covers one solution http://tpeczek.com/2010/05/using-antiforgerytoken-with-other-verbs.html
此链接包含一个解决方案http://tpeczek.com/2010/05/using-antiforgerytoken-with-other-verbs.html
However the most ideal solution is that when you use the actionlink it adds the Anti Forgery token into the query string so I'm going to try writing my own ActionLink extension method that appends that on.
然而,最理想的解决方案是,当您使用actionlink时,它会将Anti Forgery标记添加到查询字符串中,因此我将尝试编写自己的ActionLink扩展方法,将其附加到该方法上。
Finally I'm going to write an attribute that inherits from the ValidateAntiForgeryTokenAttribute and that accepts forgery tokens in both the Request.Form and Request.QueryString
最后,我将编写一个继承自ValidateAntiForgeryTokenAttribute的属性,并在Request.Form和Request.QueryString中接受伪造令牌。
#1
1
To prevent against Cross-Site Request Forgery attacks you must block requests that originate from another site. In asp.net you can do this by checking to see if Request.UrlReferrer isn't from your host name. If the ajax request originated from a different server, then you should ignore the ajax request. If the referrer is null, then you should also ignore the request.
要防止跨站点请求伪造攻击,您必须阻止来自其他站点的请求。在asp.net中,您可以通过检查Request.UrlReferrer是否不是您的主机名来执行此操作。如果ajax请求来自不同的服务器,那么您应该忽略ajax请求。如果引用者为空,那么您也应该忽略该请求。
#2
0
This link covers one solution http://tpeczek.com/2010/05/using-antiforgerytoken-with-other-verbs.html
此链接包含一个解决方案http://tpeczek.com/2010/05/using-antiforgerytoken-with-other-verbs.html
However the most ideal solution is that when you use the actionlink it adds the Anti Forgery token into the query string so I'm going to try writing my own ActionLink extension method that appends that on.
然而,最理想的解决方案是,当您使用actionlink时,它会将Anti Forgery标记添加到查询字符串中,因此我将尝试编写自己的ActionLink扩展方法,将其附加到该方法上。
Finally I'm going to write an attribute that inherits from the ValidateAntiForgeryTokenAttribute and that accepts forgery tokens in both the Request.Form and Request.QueryString
最后,我将编写一个继承自ValidateAntiForgeryTokenAttribute的属性,并在Request.Form和Request.QueryString中接受伪造令牌。