0

我正在寻找一个抽象基类或母版页解决方案,以防止任何人同时使用令牌和 ttl 进行 XSRF。谁能指出我正确的方向?

编辑:理想的解决方案将利用默认会员提供者发送给客户端的 cookie。

4

2 回答 2

3

您可以在母版页上放置一个隐藏字段,在母版页的 Page_Load 事件期间生成一个密钥,将密钥分配为隐藏字段的值,然后将该值添加到您的 cookie。然后你只需比较这些值。

于 2008-10-20T20:49:44.837 回答
0

我启动了一个母版页可以继承的基类。我选择使用视图状态而不是隐藏输入,因为使用这种方法我不需要担心页面/等上的多个表单。与简单的“查看源代码”相比,找到这个值也需要更多的工作

以下是我试图纠正的一些问题。

  • 当我刷新页面(不是回发)时,视图状态和隐藏输入(当我开始这种方法时)值不会像 cookie 那样更新

  • 当我导航到我的应用程序内的新页面时,新页面在没有有效视图状态的情况下开始,因此我的比较在这种情况下失败......

以下是我正在进行的工作;)

 public class PreventXSRF : MasterPage
 {

     HttpCookie mCookie = null;
     FormsAuthenticationTicket mPreviousAuthenticationTicket = null;
     FormsAuthenticationTicket mNewAuthenticationTicket = null;

     public bool IsXSRF()
     {
         if ((Request.Cookies(".ASPXAUTH") != null)) {
             mCookie = Request.Cookies(".ASPXAUTH");
             //get the current auth ticket so we can verify the token (userData) matches the value of the hidden input
             mPreviousAuthenticationTicket = FormsAuthentication.Decrypt(mCookie.Value);
         }
         else {
             ///'the membership cookie does not exist so this is not an authenticated user
             return true;
         }

         //** ** **
         // verify the cookie value matches the viewstate value
         // if it does then verify the ttl is valid
         //** ** **

         if ((mPreviousAuthenticationTicket != null)) {
             if (mPreviousAuthenticationTicket.UserData == Token) {
                 if ((TTL != null)) {
                     if (Convert.ToDateTime(TTL).AddMinutes(5) < DateTime.Now()) {
                         ///'the ttl has expired so this is not a valid form submit
                         return true;
                     }
                 }
                 else {
                     //** ** **
                     // ?? what about a hack that could exploit this when a user tries to BF
                     // a value for the token and simply keeps the viewstate for ttl null ??
                     //** ** **
                 }
             }
             else {
                 //** ** **
                 // ?? I hit this when I navigate to another page in the app (GET)
                 // in this event, it was hit because the cookie has a valid token
                 // but the page is new so viewstate is not valid ... ??
                 //** ** **
                 ///'the cookie value does not match the form so this is not a valid form submit
                 return true;
             }
         }
         else {
             ///'the authentication ticket does not exist so this is not a valid form submit
             return true;
         }

         //** ** **
         // if the code gets this far the form submit is 99.9% valid, so now we gen a new token
         // and set this new value on the auth cookie and reset the viewstate value
         // so it matches the cookie
         //** ** **

         //gen a new ttl and set the viewstate value
         TTL = GenerateTTL();
         //gen a new token and set the viewstate value
         Token = GenerateToken();

         if ((mPreviousAuthenticationTicket != null)) {
             //** ** **
             // create a new authticket using the current values + a custom token
             // we are forced to do this because the current cookie is read-only
             // ** ** **
             mNewAuthenticationTicket = new FormsAuthenticationTicket(mPreviousAuthenticationTicket.Version, mPreviousAuthenticationTicket.Name, mPreviousAuthenticationTicket.IssueDate, mPreviousAuthenticationTicket.Expiration, mPreviousAuthenticationTicket.IsPersistent, Token);
         }
         else {
             ///'TODO: if no auth ticket exists we need to return as this won't be valid
         }

         if ((mCookie != null)) {
             //** ** **
             // take the new auth ticket with the userdata set to the new token value
             // encrypt this, update the cookie, and finally apply this to the users machine
             //** ** **
             mCookie.Value = FormsAuthentication.Encrypt(mNewAuthenticationTicket);
             Response.Cookies.Add(mCookie);
         }
         else {
             ///'TODO: if no cookie exists we need to return as this won't be valid
         }

         //if we got this far without a return true, it must not be a xsrf exploit so return false
         return false;
     }

     private string GenerateToken()
     {
         RNGCryptoServiceProvider random = new RNGCryptoServiceProvider();
         byte[] randBytes = new byte[32];
         random.GetNonZeroBytes(randBytes);
         return Convert.ToBase64String(randBytes);
     }

     private string GenerateTTL()
     {
         return DateTime.Now();
     }

     private string TTL {
         get { return ViewState("TTL"); }
         set { ViewState("TTL") = value; }
     }

     private string Token {
         get { return ViewState("Token"); }
         set { ViewState("Token") = value; }
     }

 }
于 2008-10-23T17:58:51.747 回答