如何防止ASP.Net Web应用程序中的CSRF攻击?

时间:2014-11-18 10:44:47

标签: c# asp.net cookies session-cookies csrf

我想阻止我的Web应用程序受到CSRF攻击。

我在母版页中应用此解决方案,所有网页都从此母版页继承。

public partial class SiteMaster : MasterPage
{
    private const string AntiXsrfTokenKey = "__AntiXsrfToken";
    private const string AntiXsrfUserNameKey = "__AntiXsrfUserName";
    private string _antiXsrfTokenValue;

    protected void Page_Init(object sender, EventArgs e)
    {
        //First, check for the existence of the Anti-XSS cookie
        var requestCookie = Request.Cookies[AntiXsrfTokenKey];
        Guid requestCookieGuidValue;

        //If the CSRF cookie is found, parse the token from the cookie.
        //Then, set the global page variable and view state user
        //key. The global variable will be used to validate that it matches in the view state form field in the Page.PreLoad
        //method.
        if (requestCookie != null
        && Guid.TryParse(requestCookie.Value, out requestCookieGuidValue))
        {
            //Set the global token variable so the cookie value can be
            //validated against the value in the view state form field in
            //the Page.PreLoad method.
            _antiXsrfTokenValue = requestCookie.Value;

            //Set the view state user key, which will be validated by the
            //framework during each request
            Page.ViewStateUserKey = _antiXsrfTokenValue;
        }
        //If the CSRF cookie is not found, then this is a new session.
        else
        {
            //Generate a new Anti-XSRF token
            _antiXsrfTokenValue = Guid.NewGuid().ToString("N");

            //Set the view state user key, which will be validated by the
            //framework during each request
            Page.ViewStateUserKey = _antiXsrfTokenValue;

            //Create the non-persistent CSRF cookie
            var responseCookie = new HttpCookie(AntiXsrfTokenKey)
            {
                //Set the HttpOnly property to prevent the cookie from
                //being accessed by client side script
                HttpOnly = true,

                //Add the Anti-XSRF token to the cookie value
                Value = _antiXsrfTokenValue
            };

            //If we are using SSL, the cookie should be set to secure to
            //prevent it from being sent over HTTP connections
            if (FormsAuthentication.RequireSSL &&
            Request.IsSecureConnection)
            responseCookie.Secure = true;

            //Add the CSRF cookie to the response
            Response.Cookies.Set(responseCookie);
        }

            Page.PreLoad += master_Page_PreLoad;
        }

        protected void master_Page_PreLoad(object sender, EventArgs e)
        {
            //During the initial page load, add the Anti-XSRF token and user
            //name to the ViewState
            if (!IsPostBack)
            {
                //Set Anti-XSRF token
                ViewState[AntiXsrfTokenKey] = Page.ViewStateUserKey;

                //If a user name is assigned, set the user name
                ViewState[AntiXsrfUserNameKey] =
                Context.User.Identity.Name ?? String.Empty;
            }
            //During all subsequent post backs to the page, the token value from
            //the cookie should be validated against the token in the view state
            //form field. Additionally user name should be compared to the
            //authenticated users name
            else
            {
                //Validate the Anti-XSRF token
                if ((string)ViewState[AntiXsrfTokenKey] != _antiXsrfTokenValue
                || (string)ViewState[AntiXsrfUserNameKey] !=
                (Context.User.Identity.Name ?? String.Empty))
            {
            throw new InvalidOperationException("Validation of
            Anti-XSRF token failed.");
            }
        }
    }
}

通过这个解决方案,我无法实现我想要的目标。

如果用户A登录,执行某些活动并从Fiddler捕获请求并注销,现在用户B登录并触发捕获的请求并成功完成任务。所以我的申请没有被阻止。

我可以看到Request.Cookies [AntiXsrfTokenKey]值对于特定会话和新会话是相同的Request.Cookies [AntiXsrfTokenKey]值是不同的。

我应该怎么做这条线

throw new InvalidOperationException("Validation of Anti-XSRF token failed.");

在LogOut按钮上单击我清除每个和所有内容。 

 FormsAuthentication.SignOut();

        Session.Clear();
        Session.Abandon();
        Session.RemoveAll();

        HttpCookie cookies = Context.Request.Cookies[FormsAuthentication.FormsCookieName];//Or Response
        cookies.Expires = DateTime.Now.AddDays(-1);
        Context.Response.Cookies.Add(cookies);

        if (Request.Cookies["ASP.NET_SessionId"] != null)
        {
            Response.Cookies["ASP.NET_SessionId"].Value = string.Empty;
            Response.Cookies["ASP.NET_SessionId"].Expires = DateTime.Now.AddMonths(-20);
        }

        if (Request.Cookies["AuthToken"] != null)
        {
            Response.Cookies["AuthToken"].Value = string.Empty;
            Response.Cookies["AuthToken"].Expires = DateTime.Now.AddMonths(-20);
        }

        if (Request.Cookies[AntiXsrfTokenKey] != null)
        {
            Response.Cookies[AntiXsrfTokenKey].Value = string.Empty;
            Response.Cookies[AntiXsrfTokenKey].Expires = DateTime.Now.AddMonths(-20);
        }


        //Response.Redirect("Logon.aspx");
        FormsAuthentication.RedirectToLoginPage();

2 个答案:

答案 0 :(得分:1)

只需在发送数据的表单中添加@Html.AntiForgeryToken()即可。然后使用[ValidateAntiForgeryToken]msdn

装饰操作方法或控制器

答案 1 :(得分:0)

使用“AntiForgeryToken”来防止CSRF攻击。为了更好地理解,请参考以下链接:

http://www.asp.net/web-api/overview/security/preventing-cross-site-request-forgery-(csrf)-attacks

http://www.codeproject.com/Articles/686881/Hack-Proof-Your-ASP-NET-Applica

相关问题
最新问题