Security with QueryString values in Asp.net MVC

迷失自我 2020-12-10 08:30

How do you properly ensure that a user isn't tampering with querystring values or action url values? For example, you might have a Delete Comment action on your CommentContro

7 answers
  • 2020-12-10 08:44

    Consider using the technique outlined in Stephen Walther's article Tip #46 – Don’t use Delete Links because they create Security Holes, which uses [AcceptVerbs(HttpVerbs.Delete)].

  • 2020-12-10 08:51

    You can also allow only POST requests to the Delete controller action by using the AcceptVerbs attribute as seen below.

    // A GET to /Comment/Delete/5 no longer matches this action; only a POST does.
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Delete(int? id)
    {
        // Delete the comment with this id here, then send the user back to the list.
        return RedirectToAction("Index");
    }

    Then you could also use the antiforgery token as discussed here:

    http://blog.codeville.net/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/

  • 2020-12-10 08:54

    Vyrotek: The input method is not important. GET, POST, encrypted/obfuscated GET - no real difference. No matter the way your application receives commands, to perform an administrative action it must make sure that the issuing user is allowed to do the stuff he wants. The permission check must take place AFTER the command is received and BEFORE it gets executed. Otherwise it's no security at all.

  • 2020-12-10 09:01

    Encrypting and decrypting query params is a trivial process and there are some great examples of how to do so using an HttpModule here on StackOverflow.

    "You Don't", "You can't", or "It's not easy" are simply not acceptable responses in this day and age...

  • 2020-12-10 09:07

    You don't.

    It is a cardinal rule of programming, especially in this day and age, that you never trust any input which comes from the user, the browser, the client, etc.

    It is also a cardinal rule of programming that you should probably not try to implement encryption and security yourself, unless you really know what you are doing. And even if you do know what you are doing, you will only remain one step ahead of the tard-crackers. The smart ones are still going to laugh at you.

    Do the extra query to ensure the logged-in user has the right set of permissions. That will make everyone's lives just that much simpler.

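Putting the answers above together (a POST-only action, the antiforgery token, and the permission check that runs after the command is received and before it executes), here is an added example; it is not code from any of the answers. It assumes ASP.NET MVC 3 or later, a hypothetical Comment model and ICommentRepository, and that the application's dependency resolver constructs the controller.

```csharp
using System.Web.Mvc;

// Hypothetical model and repository; the names are assumptions for this example.
public class Comment
{
    public int Id { get; set; }
    public string AuthorUserName { get; set; }
}

public interface ICommentRepository
{
    Comment Find(int id);
    void Remove(Comment comment);
}

[Authorize] // anonymous requests never reach this controller
public class CommentController : Controller
{
    private readonly ICommentRepository _comments;

    public CommentController(ICommentRepository comments) { _comments = comments; }

    // Only POST is accepted, so a GET /Comment/Delete/5 from a crawler or a pasted
    // link is rejected with 404, and the posted form must carry the antiforgery token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Delete(int? id)
    {
        if (id == null) return new HttpStatusCodeResult(400);

        var comment = _comments.Find(id.Value);
        if (comment == null) return HttpNotFound();

        // Authorization happens after the command is received and before it runs.
        // The id is untrusted input; the decision rests on the authenticated user.
        bool isOwner = comment.AuthorUserName == User.Identity.Name;
        bool isModerator = User.IsInRole("Moderator");
        if (!isOwner && !isModerator) return new HttpStatusCodeResult(403);

        _comments.Remove(comment);
        return RedirectToAction("Index");
    }
}
```

The matching view renders the delete button inside Html.BeginForm() with Html.AntiForgeryToken() so the token is submitted with the POST.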
  • 2020-12-10 09:07

    You cannot easily do this.

    I have fond memories of a site that used action urls to do deletes.

    All was good until they started search crawling the intranet.

    Ooops, goodbye data.

    I would recommend a solution whereby you do not use querystrings for anything you do not wish to be edited.
