我正在寻找一个抽象的基类或母版页解决方案,它将阻止任何人使用令牌和ttl来执行XSRF。有人能指出我正确的方向吗?
编辑:理想的解决方案将利用默认会员提供商向客户端发送的cookie。
答案 0 :(得分:3)
您可以在母版页上放置隐藏字段,在母版页的Page_Load事件期间生成密钥,将密钥指定为隐藏字段的值,然后将该值添加到Cookie中。然后你只是比较这些值。
答案 1 :(得分:0)
我启动了一个母版页可以继承的基类。我选择使用viewstate而不是隐藏输入,因为使用这种方法我不需要担心页面/ etc上的多个表单。找到这个值比单纯的“查看源”
需要更多的工作以下是我要纠正的一些问题。
当我刷新页面时(不是 post-back)viewstate,并隐藏 输入,(当我开始这种方法时) 值不会像cookie一样更新
当我导航到里面的新页面时 我的应用程序,新页面开始 没有有效的viewstate因此 我的比较在这种情况下失败了......
以下是我正在进行的工作;)
public class PreventXSRF : MasterPage
{
HttpCookie mCookie = null;
FormsAuthenticationTicket mPreviousAuthenticationTicket = null;
FormsAuthenticationTicket mNewAuthenticationTicket = null;
public bool IsXSRF()
{
if ((Request.Cookies(".ASPXAUTH") != null)) {
mCookie = Request.Cookies(".ASPXAUTH");
//get the current auth ticket so we can verify the token (userData) matches the value of the hidden input
mPreviousAuthenticationTicket = FormsAuthentication.Decrypt(mCookie.Value);
}
else {
///'the membership cookie does not exist so this is not an authenticated user
return true;
}
//** ** **
// verify the cookie value matches the viewstate value
// if it does then verify the ttl is valid
//** ** **
if ((mPreviousAuthenticationTicket != null)) {
if (mPreviousAuthenticationTicket.UserData == Token) {
if ((TTL != null)) {
if (Convert.ToDateTime(TTL).AddMinutes(5) < DateTime.Now()) {
///'the ttl has expired so this is not a valid form submit
return true;
}
}
else {
//** ** **
// ?? what about a hack that could exploit this when a user tries to BF
// a value for the token and simply keeps the viewstate for ttl null ??
//** ** **
}
}
else {
//** ** **
// ?? I hit this when I navigate to another page in the app (GET)
// in this event, it was hit because the cookie has a valid token
// but the page is new so viewstate is not valid ... ??
//** ** **
///'the cookie value does not match the form so this is not a valid form submit
return true;
}
}
else {
///'the authentication ticket does not exist so this is not a valid form submit
return true;
}
//** ** **
// if the code gets this far the form submit is 99.9% valid, so now we gen a new token
// and set this new value on the auth cookie and reset the viewstate value
// so it matches the cookie
//** ** **
//gen a new ttl and set the viewstate value
TTL = GenerateTTL();
//gen a new token and set the viewstate value
Token = GenerateToken();
if ((mPreviousAuthenticationTicket != null)) {
//** ** **
// create a new authticket using the current values + a custom token
// we are forced to do this because the current cookie is read-only
// ** ** **
mNewAuthenticationTicket = new FormsAuthenticationTicket(mPreviousAuthenticationTicket.Version, mPreviousAuthenticationTicket.Name, mPreviousAuthenticationTicket.IssueDate, mPreviousAuthenticationTicket.Expiration, mPreviousAuthenticationTicket.IsPersistent, Token);
}
else {
///'TODO: if no auth ticket exists we need to return as this won't be valid
}
if ((mCookie != null)) {
//** ** **
// take the new auth ticket with the userdata set to the new token value
// encrypt this, update the cookie, and finally apply this to the users machine
//** ** **
mCookie.Value = FormsAuthentication.Encrypt(mNewAuthenticationTicket);
Response.Cookies.Add(mCookie);
}
else {
///'TODO: if no cookie exists we need to return as this won't be valid
}
//if we got this far without a return true, it must not be a xsrf exploit so return false
return false;
}
private string GenerateToken()
{
RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
byte[] randBytes = new byte[32];
random.GetNonZeroBytes(randBytes);
return Convert.ToBase64String(randBytes);
}
private string GenerateTTL()
{
return DateTime.Now();
}
private string TTL {
get { return ViewState("TTL"); }
set { ViewState("TTL") = value; }
}
private string Token {
get { return ViewState("Token"); }
set { ViewState("Token") = value; }
}
}