在我们的系统中,我们使用ASP.Net WebForms页面。
我们的系统中有一个自我注册网页,用户可以在此注册并注册以开始使用我们的系统。
我们最近发现,我们的一位客户正在从他们的网站向该页面发布表单数据,然后在页面上提交该表单。
我们希望阻止这种情况发生。我们不介意他们是否将页面嵌入到IFrame中,因为无论如何它都无法正常工作。但是我们需要阻止他们将表单数据从他们的系统/网站发布到该页面。
是否有我们可以设置的属性或阻止外部发布到该页面的内容?或者也许是另一种选择,Ajax似乎会浮现在脑海中?
不引用确定要搜索的内容,在线快速搜索但找不到任何内容。
想要预防此事的原因:
当该页面出现问题时,尝试注册的用户不会从我们的系统返回任何错误消息,因此我们得到了大量支持。当然,我们可以添加支持功能,但我们宁愿不支持。还希望防止对该页面的僵尸攻击,因为如果用户不存在,每个提交都会创建一个用户。
答案 0 :(得分:3)
从Visual Studio 2012开始,Microsoft为新的Web表单应用程序项目添加了内置的CSRF保护。要使用此代码,请在解决方案中添加新的ASP .NET Web窗体应用程序,并查看页面后面的Site.Master代码。此解决方案将对从Site.Master页面继承的所有内容页面应用CSRF保护。
此解决方案必须满足以下要求:
所有进行数据修改的网络表单都必须使用Site.Master页面。所有进行数据修改的请求都必须使用ViewState。该网站必须没有所有跨站点脚本(XSS)漏洞。有关详细信息,请参阅如何使用Microsoft .Net Web Protection Library修复跨站点脚本(XSS)。另见it
public partial class SiteMaster : MasterPage
{
private const string AntiXsrfTokenKey = "__AntiXsrfToken";
private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
private string _antiXsrfTokenValue;
protected void Page_Init(object sender, EventArgs e)
{
//First, check for the existence of the Anti-XSS cookie
var requestCookie = Request.Cookies[AntiXsrfTokenKey];
Guid requestCookieGuidValue;
//If the CSRF cookie is found, parse the token from the cookie.
//Then, set the global page variable and view state user
//key. The global variable will be used to validate that it matches in the view state form field in the Page.PreLoad
//method.
if (requestCookie != null
&& Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
{
//Set the global token variable so the cookie value can be
//validated against the value in the view state form field in
//the Page.PreLoad method.
_antiXsrfTokenValue = requestCookie.Value;
//Set the view state user key, which will be validated by the
//framework during each request
Page.ViewStateUserKey = _antiXsrfTokenValue;
}
//If the CSRF cookie is not found, then this is a new session.
else
{
//Generate a new Anti-XSRF token
_antiXsrfTokenValue = Guid.NewGuid().ToString("N");
//Set the view state user key, which will be validated by the
//framework during each request
Page.ViewStateUserKey = _antiXsrfTokenValue;
//Create the non-persistent CSRF cookie
var responseCookie = new HttpCookie(AntiXsrfTokenKey)
{
//Set the HttpOnly property to prevent the cookie from
//being accessed by client side script
HttpOnly = true,
//Add the Anti-XSRF token to the cookie value
Value = _antiXsrfTokenValue
};
//If we are using SSL, the cookie should be set to secure to
//prevent it from being sent over HTTP connections
if (FormsAuthentication.RequireSSL &&
Request.IsSecureConnection)
responseCookie.Secure = true;
//Add the CSRF cookie to the response
Response.Cookies.Set(responseCookie);
}
Page.PreLoad += master_Page_PreLoad;
}
protected void master_Page_PreLoad(object sender, EventArgs e)
{
//During the initial page load, add the Anti-XSRF token and user
//name to the ViewState
if (!IsPostBack)
{
//Set Anti-XSRF token
ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;
//If a user name is assigned, set the user name
ViewState[AntiXsrfUserNameKey] =
Context.User.Identity.Name ?? String.Empty;
}
//During all subsequent post backs to the page, the token value from
//the cookie should be validated against the token in the view state
//form field. Additionally user name should be compared to the
//authenticated users name
else
{
//Validate the Anti-XSRF token
if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
|| (string)ViewState[AntiXsrfUserNameKey] !=
(Context.User.Identity.Name ?? String.Empty))
{
throw new InvalidOperationException("Validation of
Anti-XSRF token failed.");
}
}
}
}
答案 1 :(得分:1)
基本没什么难事,你可以将Guid生成一个隐藏的领域,然后检查你得到同一个,它不像验证码那样安全,但会阻止在不填写表单的情况下发布给您的随机内容,但不会阻止实际填写表单并从页面发布的脚本。
<asp:Hidden ID="Validation" runat="server" />
页面加载:
var guid = Guid.NewGuid();
Validation.Text = guid.ToString();
Session["Token"] = guid;
然后在回发检查中你会得到同样的回复......
或者,看看Captcha NuGet package。它适用于webforms和MVC。
展示验证码:
<%@ Register Assembly="BotDetect" Namespace="BotDetect.Web.UI"
TagPrefix="BotDetect" %>
[…]
<BotDetect:Captcha ID="SampleCaptcha" runat="server" />
<asp:TextBox ID="CaptchaCodeTextBox" runat="server" />
验证帖子:
if (IsPostBack)
{
// validate the Captcha to check we're not dealing with a bot
bool isHuman = SampleCaptcha.Validate(CaptchaCodeTextBox.Text);
CaptchaCodeTextBox.Text = null; // clear previous user input
if (!isHuman)
{
// TODO: Captcha validation failed, show error message
}
else
{
// TODO: Captcha validation passed, proceed with protected action
}
}