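CSRF (Cross-site request forgery), also known as "One Click Attack" or Session Riding and usually abbreviated as CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different from XSS: XSS exploits the trusted users within a site, whereas CSRF exploits the trusted website by disguising requests as coming from a trusted user. Compared with XSS attacks, CSRF attacks tend to be less popular (so resources for defending against them are also rather scarce) and hard to defend against, so they are considered more dangerous than XSS.
---- From Baidu Baike
So how do we defend against it?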
1. Add this to the page (view), inside the form: @Html.AntiForgeryToken()
2. Add a filter to our filters:
using System;
using System.Web.Mvc;
// DataSettingsHelper, EngineContext and SecuritySettings are application-specific
// types (not part of ASP.NET MVC) and must be imported from the host application.

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, Inherited = true, AllowMultiple = false)]
public class AntiForgeryAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly bool _ignore;

    /// <summary>
    /// Anti-forgery security attribute
    /// </summary>
    /// <param name="ignore">Pass true in order to skip this security validation</param>
    public AntiForgeryAttribute(bool ignore = false)
    {
        this._ignore = ignore;
    }

    public virtual void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        // validation explicitly switched off for this controller/action
        if (_ignore)
            return;

        // don't apply filter to child methods
        if (filterContext.IsChildAction)
            return;

        // only POST requests are validated, so state-changing actions must not accept GET
        if (!String.Equals(filterContext.HttpContext.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            return;

        if (!DataSettingsHelper.DatabaseIsInstalled())
            return;

        // protection can be disabled through this application setting
        var securitySettings = EngineContext.Current.Resolve<SecuritySettings>();
        if (!securitySettings.EnableXsrfProtectionForAdminArea)
            return;

        // delegate to the built-in validator, which rejects the request if the token is missing or invalid
        var validator = new ValidateAntiForgeryTokenAttribute();
        validator.OnAuthorization(filterContext);
    }
}
3. Then apply the filter to the controller:
[AntiForgery]
public class BaseTController : BaseController
4. In the page's JavaScript, add the token before sending the POST:
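// postData is the request payload built earlier on the page;
// assign the result so the token is present even if postData was undefined
postData = addAntiForgeryToken(postData);
$.ajax({
    type: "POST",
    url: "@(Url.Action("actionx", "controllerx"))",
    data: postData,
    complete: function(data) {
    },
    error: function(xhr, ajaxOptions, thrownError) {
        alert(thrownError);
    },
    traditional: true
});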
5. What is the addAntiForgeryToken method being called here?
// CSRF (XSRF) security
function addAntiForgeryToken(data) {
    // if the object is undefined, create a new one.
    if (!data) {
        data = {};
    }
    // add the token rendered by @Html.AntiForgeryToken() as a hidden input
    var tokenInput = $('input[name=__RequestVerificationToken]');
    if (tokenInput.length) {
        data.__RequestVerificationToken = tokenInput.val();
    }
    return data;
}
This way we can defend against cross-site request forgery.
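The addAntiForgeryToken helper above only handles a plain object. The following added example (not code from the original post) generalizes it to the other payload shapes that jQuery's `data` option accepts, replaces a stale token instead of sending two, and fails early when the page has no token. The names `withAntiForgeryToken` and `readAntiForgeryToken` are hypothetical.

```javascript
// Added example: the token is passed in, so the helper can be exercised without a browser.
const TOKEN_FIELD = "__RequestVerificationToken"; // hidden input rendered by @Html.AntiForgeryToken()

// Returns the payload with the anti-forgery token attached.
// `token` is the value of the hidden input on the page.
function withAntiForgeryToken(data, token) {
  if (typeof token !== "string" || token === "") {
    // Fail early: the server-side filter rejects a POST without a token anyway.
    throw new Error("anti-forgery token not found on the page");
  }
  if (data == null) {
    return { [TOKEN_FIELD]: token };
  }
  if (typeof data === "string") {
    // e.g. $(form).serialize(): replace an existing token instead of appending a second one
    const params = new URLSearchParams(data);
    params.set(TOKEN_FIELD, token);
    return params.toString();
  }
  if (Array.isArray(data)) {
    // e.g. $(form).serializeArray(): [{ name, value }, ...]
    const rest = data.filter((pair) => pair.name !== TOKEN_FIELD);
    return rest.concat([{ name: TOKEN_FIELD, value: token }]);
  }
  if (typeof FormData !== "undefined" && data instanceof FormData) {
    data.set(TOKEN_FIELD, token); // multipart uploads; mutated in place
    return data;
  }
  // plain object: copy so the caller's object is not modified
  return Object.assign({}, data, { [TOKEN_FIELD]: token });
}

// Browser-side lookup of the hidden input (no jQuery required).
function readAntiForgeryToken(doc) {
  const input = doc.querySelector('input[name="' + TOKEN_FIELD + '"]');
  return input ? input.value : "";
}
```

In the page this would be called as `data: withAntiForgeryToken(postData, readAntiForgeryToken(document))`.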
ASP.NET MVC CSRF (XSRF) security
Original: https://www.cnblogs.com/mantishell/p/10660376.html