Base-64 char数组的长度无效

时间:2010-08-04 07:38:14

标签: asp.net xss viewstate jmeter antiforgerytoken

我使用asp.net + MVC1.0并且在网页中我有几种形式,在每个表单中我都调用了以下函数AntiForgeryToken()来生成隐藏值,而在Controller函数中我有一个validate属性

当我使用JMeter并使用正则表达式捕获令牌然后将带有我的表单的令牌发布到服务器时,我发现它抛出了这样的例外:


Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.FormatException: Invalid length for a Base-64 char array.

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082

[FormatException]: Invalid length for a Base-64 char array.
   at System.Convert.FromBase64String(String s)
   at System.Web.UI.ObjectStateFormatter.Deserialize(String inputString)
   at System.Web.UI.ObjectStateFormatter.System.Web.UI.IStateFormatter.Deserialize(String serializedState)
   at System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken)
[HttpAntiForgeryException]: A required anti-forgery token was not supplied or was invalid.
   at System.Web.Mvc.AntiForgeryDataSerializer.Deserialize(String serializedToken)
   at System.Web.Mvc.ValidateAntiForgeryTokenAttribute.OnAuthorization(AuthorizationContext filterContext)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAuthorizationFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor)
   at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
   at System.Web.Mvc.Controller.ExecuteCore()
   at System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext)
   at System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext)
   at System.Web.Mvc.MvcHandler.ProcessRequest(HttpContextBase httpContext)
   at System.Web.Mvc.MvcHandler.ProcessRequest(HttpContext httpContext)
   at System.Web.Mvc.MvcHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext httpContext)
   at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

This error page might contain sensitive information because ASP.NET is configured to show verbose error messages using <customErrors mode="Off"/>. Consider using <customErrors mode="On"/> or <customErrors mode="RemoteOnly"/> in production environments.

我确信捕获的令牌与我们生成的令牌完全相同,为什么会发生这种异常?

1 个答案:

答案 0 :(得分:1)

刚刚解决,因为我没有在发布到服务器之前对令牌进行编码。