如何避免滥用ASHX处理程序?

时间:2016-06-14 17:44:59

标签: javascript .net ajax security ssl

我创建了一个JavaScript应用程序。它与ASHX处理程序进行通信。使用有效的SSL证书保护连接。

当用户点击“提交”时,我会构建一个JSON对象,代表他们对某些问题的回答。

JS代码将对象作为URL上的参数发送给处理程序,以便可以对其进行处理。

如果我打开Fiddler并观察这些请求,我可以清楚地看到JSON对象及其将要访问的URL。

此应用程序适用于个人创建一次性数据点。按原样,使用这个公开可用的处理程序编写脚本在我们的数据库中创建1000行将是微不足道的。

我已经研究过“如何保护JSON数据”,答案似乎总是“使用SSL”。但我使用SSL,我仍然可以看到数据通过网络传输。

我可以通过在浏览器栏中打一个正确形成的URL并按“输入”来手动创建数据。

我可以阻止用户查看处理程序网址及其接受的数据格式吗?数据本身并不是秘密,但我不希望对写入数据库的API调用进行反向工程变得容易。

我的“提交时”功能的通用版本如下,供参考。

function createGenericThing() {
    document.getElementById('btnDoSomething').disabled = true;
    document.getElementById('btnDoSomething').value = "Working...";
    var evt = GetJSONObjectFromUserInput();  //returns a valid JSON string
    //expected format: /MyHandler.ashx?command=dosomething&data={json string}
    var handlerurl = getHandlerURL("MyHandler.ashx");
    //grab the parameters they have entered in the user interface
    var params = "cmd=dosomething&data=" + encodeURIComponent(JSON.stringify(evt));

    //set up our request object
    if (window.XMLHttpRequest) {
        window.xmlhttp = new XMLHttpRequest();
    } else {
        window.xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }

    //set up to catch the result after the server replies
    window.xmlhttp.onreadystatechange = function () {
        if (window.xmlhttp.readyState === 4 && window.xmlhttp.status === 200) {
            //this code will happen after we get a reply.
            //the value in "context.Response.Write()" will come back as .responseText
            if (-1 < window.xmlhttp.responseText.indexOf("Error") || -1 < window.xmlhttp.responseText.indexOf("error")) {
                //if the call returned an error, show it to the user
                document.getElementById('lblError').innerHTML = "An error occurred.  The error was: " + window.xmlhttp.responseText;
                document.getElementById('btnDoSomething').disabled = false;
                document.getElementById('btnDoSomething').value = "Do something";
            } else {
                //if we get here, then the action completed.
                //navigate wherever we are configured to go (a URL which is in a hidden field), with a param indicating success.
                //it is up to the navigate-to-page to actually pay attention to that parameter and do anything about it (i.e,. show a confirmation message)
                var navigateto = document.getElementById('hfNavigateAfterURL').value;
                navigateto = navigateto + "?datasaved=" + window.xmlhttp.responseText;
                window.location.href = navigateto;
            }
        }
    }

    //get the results from our handler.  this line actually causes SQL to execute on the server.
    //if you watch in Fiddler, you'll see something like:
    //https://someserver/someurl.ashx?cmd=dosomething&data={properly formed JSON}
    //that's the problem.
    window.xmlhttp.open("GET", handlerurl + "?" + params, true);
    window.xmlhttp.send();
}

1 个答案:

答案 0 :(得分:0)

这是我为此制定的解决方案。

请记住,用户数据本身并不是秘密。

我只希望阻止恶意用户监控该数据的发布并恶意发布给我的处理程序。

页面加载:

1 - 在页面加载时,服务器生成两件事:guid和加密时间戳。*

2 - guid存储在ASP.NET会话中。这两个值都传递给客户端中的隐藏字段。

以下是相关的Page_Load代码:

'give this session a guid.  also encrypt a timestamp.
'when they submit their data, the HTTP request will include both pieces of data.
'we'll verify that the guid actually exists in session.
'we'll also decrypt the timestamp and decide whether they timed out or not.
'this is to mitigate the risk of malicious users posting invalid data to our ASHX handler.
'all of the verification and checking happens in the handler
Dim epochTime = (Date.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds.ToString() '# of seconds since the epoch, to avoid time zone issues
Dim sessionGuid = Guid.NewGuid()
hfAuth.Value = sessionGuid.ToString() + EncryptionHelper.Encrypt(epochTime).ToString()
Session.Add("EVENTKEY", sessionGuid.ToString())

<强>标记

只是一个新的HiddenField,允许上面显示的分配。

<强>的JavaScript

JS只有一个变化:当我执行GET请求时,我将guid和加密时间戳的组合以及请求的其余部分附加到处理程序。

以问题的原始代码为基础,我刚刚添加了这一行:

params = params + "&guidkey=" + document.getElementById('hfAuth').value;

<强>处理程序

处理程序现在可以验证GET请求附带的密钥。根据我们对传入令牌的了解,这很简单。

...in the ProcessRequest method...
Dim authenticationKey = context.Request.Params(2).ToString()
If IsKeyValid(authenticationKey, context) Then
    context.Response.Write(CreateCRMEvent(eventJSON))
Else
    'if the caller didn't know the key we expected, then just quietly fail
    'by returning a guid.  no need to let malicious users know they failed.
    context.Response.Write(Guid.NewGuid())
End If

...and a new method...
Private Shared Function IsKeyValid(keyToAuthenticate As String, context As HttpContext) As Boolean
    Try
        'a key is valid if:
        '1: it begins with a guid that we have in session
        '2: it contains a timestamp that has been encrypted with our key, and is within the timeout period
        Dim sessionGuid = String.Empty
        Dim lengthOfAGuid = Guid.Empty.ToString.Length '36
        If context.Session("EVENTKEY") IsNot Nothing Then
            sessionGuid = context.Session("EVENTKEY").ToString().ToUpper()
        End If

        If String.IsNullOrEmpty(keyToAuthenticate) OrElse String.IsNullOrEmpty(sessionGuid) Then
            Return False 'invalid because they provided no key, or we have no knowledge of issuing one
        End If

        If keyToAuthenticate.Length <= lengthOfAGuid Then
            Return False 'invalid because their key does not contain a valid guid + encrypted timestamp
        End If

        Dim expectedGuid = keyToAuthenticate.Substring(0, 36).ToUpper()
        If sessionGuid <> expectedGuid Then
            Return False 'invalid because the guid they gave is not one we remember issuing
        End If

        'they knew the guid we have in session.  Check the timestamp.
        Dim iEpochSeconds = 0.0
        Try
            Dim encryptedTimeStamp = keyToAuthenticate.Substring(lengthOfAGuid, keyToAuthenticate.Length - lengthOfAGuid)
            Dim decryptedTimeStamp = EncryptionHelper.Decrypt(encryptedTimeStamp)
            If Not Double.TryParse(decryptedTimeStamp, iEpochSeconds) Then
                Return False 'invalid because the timestamp decrypted, but not to a valid # of seconds
            End If
        Catch
            Return False 'invalid because whatever timestamp they tried to give us doesn't decrypt
        End Try

        'give them 30 minutes to finish.  we can tweak this later if it'keyToAuthenticate a problem.
        Const timeoutSeconds = 1800.0
        Dim maxAllowedEpochTime = (Date.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds + timeoutSeconds
        If iEpochSeconds > maxAllowedEpochTime Then
            Return False 'invalid because their timestamp expired
        End If

        'couldn't find anything wrong.  let it through.
        Return True
    Catch
        Return False 'invalid because the request was in a format we do not recognize.
    End Try
End Function

*加密是使用this class完成的(当然密钥除外)

时间戳是自UNIX纪元开始以来的秒数。我选择这个来避免时区问题。