Question
I read about how to protect my web site from CSRF attacks in an ASP.NET MVC web application. They mentioned two ways to do so, either by:
- using token verification via
    @Html.AntiForgeryToken()
  and [ValidateAntiForgeryToken]
- using HTTP referrer validation such as:
    using System.Web;
    using System.Web.Mvc;

    // Referrer-based check: rejects any request whose Referer header is missing
    // or names a host other than this site.
    public class IsPostedFromThisSiteAttribute : AuthorizeAttribute
    {
        // AuthorizeAttribute exposes OnAuthorization (not OnAuthorize) as the hook.
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            if (filterContext.HttpContext != null)
            {
                // Browsers may omit the Referer entirely (privacy settings, some proxies).
                if (filterContext.HttpContext.Request.UrlReferrer == null)
                    throw new HttpException("Invalid submission");

                // Only accept submissions whose referring page lives on this site.
                if (filterContext.HttpContext.Request.UrlReferrer.Host != "mysite.com")
                    throw new HttpException("This form wasn't submitted from this site!");
            }
        }
    }
and

    [IsPostedFromThisSite]
    public ActionResult Register(…)
So I'm confused: should I use both of them to protect my web site from CSRF attacks, or can I choose just one of the two methods?

Recommended Answer
Checking the referrer is problematic. First of all, the HTTP specification specifically allows for clients to not send referrer strings (for various privacy reasons). So, some of your clients may not include it. Second, referrer strings can be spoofed, where an attacker of sufficient skill can make them look like what they need to be in order to carry out a successful CSRF attack.
Using a CSRF validation token is a stronger approach and is the preferred method of mitigation against CSRF attacks. You can read about why this is on the OWASP CSRF Cheat Sheet.
I will also point out that there is no reason why you cannot do both. A Defense-In-Depth (DiD) strategy is usually desirable, so that an attacker would need to defeat multiple, independent, defenses to execute a successful attack. You could implement a weak-referrer-checking approach (IF a referrer is provided by the client, make sure it is what it should be before acting on the request; if the referrer is not present, proceed as if it were present and correct) along with a CSRF validation token. That way, you check the referrer information if the client provides it while still making use of the stronger validation token approach.
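As an added illustration of the defense-in-depth suggestion above (this is not code from the original question or answer), here is a lenient referrer filter for ASP.NET MVC that tolerates a missing Referer and is layered on top of [ValidateAntiForgeryToken]; the AccountController and RegisterModel are hypothetical.

```csharp
using System;
using System.Web.Mvc;

// Lenient referrer check: rejects only when a referrer IS present and its host
// differs from the host the request arrived on. A missing referrer is tolerated
// because privacy settings and some proxies strip it; the anti-forgery token
// remains the primary defense and this filter is a second, independent layer.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class LenientRefererCheckAttribute : FilterAttribute, IAuthorizationFilter
{
    // Pure decision helper, kept separate so it can be unit-tested without an HttpContext.
    public static bool IsAcceptable(Uri referer, Uri requestUrl)
    {
        if (referer == null)
            return true; // absent: defer entirely to [ValidateAntiForgeryToken]
        return string.Equals(referer.Host, requestUrl.Host, StringComparison.OrdinalIgnoreCase);
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;

        // Only state-changing verbs need CSRF protection; plain GETs pass through.
        if (string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            return;

        // request.Url reflects the Host header; behind a reverse proxy make sure the
        // proxy forwards the public host, otherwise legitimate posts will be rejected.
        if (!IsAcceptable(request.UrlReferrer, request.Url))
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request rejected");
    }
}

public class AccountController : Controller
{
    // Both filters run on every POST: the token check must pass (strong layer) and,
    // if a referrer is sent, it must name this site as well (weak layer).
    [HttpPost]
    [ValidateAntiForgeryToken]
    [LenientRefererCheck]
    public ActionResult Register(RegisterModel model) // RegisterModel: hypothetical view model
    {
        if (!ModelState.IsValid)
            return View(model);
        // ... create the account here ...
        return RedirectToAction("Index", "Home");
    }
}
```

The view must still render @Html.AntiForgeryToken() inside the form, since the token filter, not the referrer filter, is what actually blocks a forged cross-site POST.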