Secure way to delete records in ASP.Net MVC
Author: Internet
I want to delete a product from an ASP.Net MVC 5 website. I would like to know whether adding [AntiForgeryToken] and [Authorize] is enough to make the Delete action secure.
View
<p>Delete: @Model.Name</p>
@* The third parameter is the route-values object and the fourth is the FormMethod; the controller name is given without the "Controller" suffix *@
@using (Html.BeginForm("Delete", "Product", new { ProductId = Model.ProductId }, FormMethod.Post))
{
    @Html.AntiForgeryToken()
    <button type="submit">Delete</button>
}
Controller
[HttpPost]
[Authorize]
[ValidateAntiForgeryToken]
public ActionResult Delete(long ProductId)
{
    /* Do I need to check if the logged in User has permission to delete the product?
    var product = ProductRepository.Get(ProductId);
    if (product.Creator == User.Identity.GetUserId<long>())
    {
        ProductRepository.Delete(ProductId);
    }
    */
    // or, can I avoid the trip to DB and just delete the record?
    ProductRepository.Delete(ProductId);
    return RedirectToAction("Index");
}
Scenario: a hacker registers on my website and creates a valid account. Now the hacker views his own product, so obviously he has an AntiForgeryToken. Can he now simply change the ProductId in the browser and post a request that deletes someone else's product?
Solution:
Short answer: it is not enough.
The anti-forgery token only says that the person who requested the original page is the same person making the update.
The basic Authorize attribute only verifies that the user is logged in.
What you are looking for is data security. There is an example on Microsoft's own site.
As you said in your last paragraph, a hacker can register an account to create his own product list and, based on what you show in the URL, guess other legitimate records and edit them.
Suppose you have a URL
https://example.com/product/edit/13
What stops the user/hacker from guessing
https://example.com/product/edit/12
or
https://example.com/product/edit/14
If there is no security at the data level that says which records a user can and cannot access or update, you end up in a situation where a malicious user can view or edit all kinds of information.
This is exactly the situation Fiserv was found in, where it exposed other customers' information.
From the article:
Hermansen had signed up to get email alerts any time a new transaction
posted to his account, and he noticed the site assigned his alert a
specific “event number.” Working on a hunch that these event numbers
might be assigned sequentially and that other records might be
available if requested directly, Hermansen requested the same page
again but first edited the site’s code in his browser so that his
event number was decremented by one digit.
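The ownership check the answer is asking for, written out as an added example (this is not the asker's or the answerer's code, and it is not Microsoft's sample). It assumes a Product entity with a Creator column holding the owner's user id, a small IProductRepository abstraction backed here by an in-memory dictionary so the file stands alone, and the Microsoft.AspNet.Identity extension GetUserId<long>() that the question already uses. The key points: the delete is scoped to the current user's own rows, so a guessed ProductId belonging to someone else does nothing, and a missing record and a foreign record are answered identically so the response does not reveal which ids exist.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;

// Hypothetical entity; Creator is the user id of the owner.
public class Product
{
    public long ProductId { get; set; }
    public string Name { get; set; }
    public long Creator { get; set; }
}

// Hypothetical repository abstraction. DeleteOwnedBy folds the ownership
// test into the delete itself, so there is no separate "fetch then check"
// step for a caller to forget.
public interface IProductRepository
{
    Product Get(long productId);
    bool DeleteOwnedBy(long productId, long ownerId);
}

// In-memory implementation so the example runs without a database.
// A real repository would put the same predicate in the SQL/LINQ WHERE
// clause: WHERE ProductId = @id AND Creator = @ownerId.
public class InMemoryProductRepository : IProductRepository
{
    private readonly Dictionary<long, Product> _rows = new Dictionary<long, Product>();

    public void Add(Product p) { _rows[p.ProductId] = p; }

    public Product Get(long productId)
    {
        Product p;
        return _rows.TryGetValue(productId, out p) ? p : null;
    }

    public bool DeleteOwnedBy(long productId, long ownerId)
    {
        Product p;
        if (!_rows.TryGetValue(productId, out p) || p.Creator != ownerId)
        {
            return false; // not found OR not yours: same outcome
        }
        _rows.Remove(productId);
        return true;
    }
}

public class ProductController : Controller
{
    private readonly IProductRepository _products;

    public ProductController(IProductRepository products)
    {
        _products = products;
    }

    [HttpPost]
    [Authorize]                 // must be logged in
    [ValidateAntiForgeryToken]  // must come from a form we rendered
    public ActionResult Delete(long productId)
    {
        // Identity of the caller comes from the authenticated principal,
        // never from the posted form, so it cannot be tampered with.
        long currentUserId = User.Identity.GetUserId<long>();

        // Authorization on the data: only the creator may delete.
        bool deleted = _products.DeleteOwnedBy(productId, currentUserId);
        if (!deleted)
        {
            // 404 for both "does not exist" and "belongs to someone else",
            // so sequential-id probing learns nothing about other users' rows.
            return HttpNotFound();
        }

        return RedirectToAction("Index");
    }
}
```

With this shape the extra database trip the question worries about is already part of the delete statement itself: a DELETE with both the id and the owner in its WHERE clause costs one round trip and affects zero rows when the caller is not the owner, which is the correct outcome for a guessed id. The GetUserId<long>() call is only valid when the application's user key type is long, as in the question.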
Tags: asp-net-mvc-5, antiforgerytoken, c#, asp-net-mvc Source: https://codeday.me/bug/20191108/2009114.html