經(jīng)常看到在項(xiàng)目中ajax post數(shù)據(jù)到服務(wù)器不加防偽標(biāo)記,造成CSRF攻擊
在Asp.net Mvc里加入防偽標(biāo)記很簡單在表單中加入Html.AntiForgeryToken()即可。
Html.AntiForgeryToken()會(huì)生成一對(duì)加密的字符串,分別存放在Cookies 和 input 中。
我們?cè)赼jax post中也帶上AntiForgeryToken
@model WebApplication1.Controllers.Person
@{
ViewBag.Title = "Index";
}
h2>Index/h2>
form id="form1">
div class="form-horizontal">
h4>Persen/h4>
hr />
@Html.ValidationSummary(true, "", new { @class = "text-danger" })
div class="form-group">
@Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })
div class="col-md-10">
@Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })
@Html.ValidationMessageFor(model => model.Name, "", new { @class = "text-danger" })
/div>
/div>
div class="form-group">
@Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })
div class="col-md-10">
@Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })
@Html.ValidationMessageFor(model => model.Age, "", new { @class = "text-danger" })
/div>
/div>
div class="form-group">
div class="col-md-offset-2 col-md-10">
input type="button" id="save" value="Create" class="btn btn-default" />
/div>
/div>
/div>
/form>
script src="~/Scripts/jquery-1.10.2.min.js">/script>
script src="~/Scripts/jquery.validate.min.js">/script>
script src="~/Scripts/jquery.validate.unobtrusive.min.js">/script>
script type="text/javascript">
$(function () {
//var token = $('[name=__RequestVerificationToken]');
//獲取防偽標(biāo)記
var token = $('@Html.AntiForgeryToken()').val();
var headers = {};
//防偽標(biāo)記放入headers
//也可以將防偽標(biāo)記放入data
headers["__RequestVerificationToken"] = token;
$("#save").click(function () {
$.ajax({
type: 'POST',
url: '/Home/Index',
cache: false,
headers: headers,
data: { Name: "yangwen", Age: "1" },
success: function (data) {
alert(data)
},
error: function () {
alert("Error")
}
});
})
})
/script>
放在cookies里面的加密字符串
控制器中代碼
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
namespace WebApplication1.Controllers
{
public class HomeController : Controller
{
public ActionResult Index()
{
return View();
}
[HttpPost]
[MyValidateAntiForgeryToken]
public ActionResult Index(Person p)
{
return Json(true, JsonRequestBehavior.AllowGet);
}
}
public class Person
{
public string Name { get; set; }
public int Age { get; set; }
}
public class MyValidateAntiForgeryToken : AuthorizeAttribute
{
public override void OnAuthorization(AuthorizationContext filterContext)
{
var request = filterContext.HttpContext.Request;
if (request.HttpMethod == WebRequestMethods.Http.Post)
{
if (request.IsAjaxRequest())
{
var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
var cookieValue = antiForgeryCookie != null
? antiForgeryCookie.Value
: null;
//從cookies 和 Headers 中 驗(yàn)證防偽標(biāo)記
//這里可以加try-catch
AntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]);
}
else
{
new ValidateAntiForgeryTokenAttribute()
.OnAuthorization(filterContext);
}
}
}
}
}
這里注釋掉ajax中防偽標(biāo)記在請(qǐng)求
$("#save").click(function () {
$.ajax({
type: 'POST',
url: '/Home/Index',
cache: false,
// headers: headers,
data: { Name: "yangwen", Age: "1" },
success: function (data) {
alert(data)
},
error: function () {
alert("Error")
}
});
})
默認(rèn)返回500的狀態(tài)碼。
這里修改ajax中的防偽標(biāo)記
$(function () {
//var token = $('[name=__RequestVerificationToken]');
//獲取防偽標(biāo)記
var token = $('@Html.AntiForgeryToken()').val();
var headers = {};
//防偽標(biāo)記放入headers
//也可以將防偽標(biāo)記放入data
headers["__RequestVerificationToken"] = token+11111111111111111111111111111111111;
$("#save").click(function () {
$.ajax({
type: 'POST',
url: '/Home/Index',
cache: false,
headers: headers,
data: { Name: "yangwen", Age: "1" },
success: function (data) {
alert(data)
},
error: function () {
alert("Error")
}
});
})
})
也是500的狀態(tài)碼。
以上內(nèi)容就是本文的全部敘述,切記ajax中要帶上AntiForgeryToken防止CSRF攻擊,小伙伴們?cè)谑褂眠^程發(fā)現(xiàn)有疑問,請(qǐng)給我留言,謝謝!
您可能感興趣的文章:- PHP實(shí)現(xiàn)登陸表單提交CSRF及驗(yàn)證碼
- Yii框架防止sql注入,xss攻擊與csrf攻擊的方法
- 啟用Csrf后POST數(shù)據(jù)時(shí)出現(xiàn)的400錯(cuò)誤
- PHP開發(fā)中常見的安全問題詳解和解決方法(如Sql注入、CSRF、Xss、CC等)
- PHP開發(fā)中csrf攻擊的簡單演示和防范
