經常看到在項目中ajax post資料到伺服器不加防偽標記,造成CSRF攻擊
在Asp.net Mvc裡加入防偽標記很簡單在表單中加入Html.AntiForgeryToken()即可。
Html.AntiForgeryToken()會產生一對加密的字串,分別存放在Cookies 和 input 中。
我們在ajax post中也帶上AntiForgeryToken
@model WebApplication1.Controllers.Person@{ ViewBag.Title = "Index";}<h2>Index</h2><form id="form1"> <div class="form-horizontal"> <h4>Persen</h4> <hr /> @Html.ValidationSummary(true, "", new { @class = "text-danger" }) <div class="form-group"> @Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" }) <div class="col-md-10"> @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } }) @Html.ValidationMessageFor(model => model.Name, "", new { @class = "text-danger" }) </div> </div> <div class="form-group"> @Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" }) <div class="col-md-10"> @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } }) @Html.ValidationMessageFor(model => model.Age, "", new { @class = "text-danger" }) </div> </div> <div class="form-group"> <div class="col-md-offset-2 col-md-10"> <input type="button" id="save" value="Create" class="btn btn-default" /> </div> </div> </div></form><script src="~/Scripts/jquery-1.10.2.min.js"></script><script src="~/Scripts/jquery.validate.min.js"></script><script src="~/Scripts/jquery.validate.unobtrusive.min.js"></script><script type="text/javascript"> $(function () { //var token = $('[name=__RequestVerificationToken]'); //擷取防偽標記 var token = $('@Html.AntiForgeryToken()').val(); var headers = {}; //防偽標記放入headers //也可以將防偽標記放入data headers["__RequestVerificationToken"] = token; $("#save").click(function () { $.ajax({ type: 'POST', url: '/Home/Index', cache: false, headers: headers, data: { Name: "yangwen", Age: "1" }, success: function (data) { alert(data) }, error: function () { alert("Error") } }); }) })</script>
放在cookies裡面的加密字串
控制器中代碼
using System;using System.Collections.Generic;using System.Linq;using System.Net;using System.Web;using System.Web.Helpers;using System.Web.Mvc;namespace WebApplication1.Controllers { public class HomeController : Controller { public ActionResult Index() { return View(); } [HttpPost] [MyValidateAntiForgeryToken] public ActionResult Index(Person p) { return Json(true, JsonRequestBehavior.AllowGet); } } public class Person { public string Name { get; set; } public int Age { get; set; } } public class MyValidateAntiForgeryToken : AuthorizeAttribute { public override void OnAuthorization(AuthorizationContext filterContext) { var request = filterContext.HttpContext.Request; if (request.HttpMethod == WebRequestMethods.Http.Post) { if (request.IsAjaxRequest()) { var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName]; var cookieValue = antiForgeryCookie != null ? antiForgeryCookie.Value : null; //從cookies 和 Headers 中 驗證防偽標記 //這裡可以加try-catch AntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]); } else { new ValidateAntiForgeryTokenAttribute() .OnAuthorization(filterContext); } } } } }
這裡注釋掉ajax中防偽標記在請求
$("#save").click(function () { $.ajax({ type: 'POST', url: '/Home/Index', cache: false, // headers: headers, data: { Name: "yangwen", Age: "1" }, success: function (data) { alert(data) }, error: function () { alert("Error") } });})
預設返回500的狀態代碼。
這裡修改ajax中的防偽標記
$(function () { //var token = $('[name=__RequestVerificationToken]'); //擷取防偽標記 var token = $('@Html.AntiForgeryToken()').val(); var headers = {}; //防偽標記放入headers //也可以將防偽標記放入data headers["__RequestVerificationToken"] = token+11111111111111111111111111111111111; $("#save").click(function () { $.ajax({ type: 'POST', url: '/Home/Index', cache: false, headers: headers, data: { Name: "yangwen", Age: "1" }, success: function (data) { alert(data) }, error: function () { alert("Error") } }); })})
也是500的狀態代碼。
以上內容就是本文的全部敘述,切記ajax中要帶上AntiForgeryToken防止CSRF攻擊,小夥伴們在使用過程發現有疑問,請給我留言,謝謝!