ASP.NET Security (2): QueryString, Session, Events

1. When using the query string, do not use an auto-incrementing value as the identifier, for example:

  ?XXX=001 xxx=002 

2. A GUID alone does not solve this problem well.

3. Do not put important information in hidden fields.

4. http://www.codeplex.com/AntiCSRF : use this component to defend against CSRF.

5. .NET event validation

Event validation is the default behavior for ASP.NET. When validation is enabled, controls that render (which excludes those controls that are not visible) will register themselves with event validation. When a postback occurs, ASP.NET looks through the registered events to discover if the control that would receive the event has been registered.

Event validation cannot be relied on.

Event validation should be part of your defense in depth strategy. However, it should not be your sole defense. Because it is up to controls to register for event validation, it is possible that a third-party control (or, indeed, one of your own custom controls) may not register for event validation.

For dynamically created controls, call RegisterForEventValidation.

- Never change state via a GET request. The HTTP specifications state that GET requests must not change state.
- Do not use direct, sequential object references. Always use indirect object references (such as a GUID) to refer to resources on a Web server. Direct object references can be changed easily to allow attackers to access objects they should not be able to see. Check that the current user is authorized to see the object requested.
- Do not use hidden form fields to hold sensitive information, unless they are properly protected. Remember that form fields (and query strings) can be manipulated by attackers.
- Add a CSRF token to your forms. This will allow you to check that the request came from your own Web site.
- Check the Request type when checking if a request is a postback. This will protect you from ASP.NET considering query string-driven requests as potential postbacks.
- Do not disable event validation, but do not rely on it. Registering for event validation is optional for controls. Always check conditions within postback events.
- Do not rely on Request headers. Combine the steps outlined in this chapter with the validation checklist provided in Chapter 3.
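The following is an added example, not code from the original post or the quoted book. It ties together item 5 above (a dynamic control registering with RegisterForEventValidation) and three checklist points: indirect object references, checking the request type on postback, and authorizing inside the postback event. The RecordLinks control, its Session key, and the UserMayOpen/Open placeholders are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Web.UI;

// Hypothetical custom control (not from the original post): renders one postback
// link per record, using opaque GUID tokens as indirect object references.
// Dynamically rendered controls must register their own arguments, or event
// validation has nothing to check when the postback arrives.
public class RecordLinks : Control, IPostBackEventHandler
{
    // Token -> real record id, kept in Session so it survives the postback and
    // the client only ever sees the GUID, never a guessable 1, 2, 3.
    private Dictionary<string, int> Tokens =>
        (Dictionary<string, int>)(Page.Session["RecordLinks.Tokens"]
            ?? (Page.Session["RecordLinks.Tokens"] = new Dictionary<string, int>()));

    public void Add(int recordId) => Tokens[Guid.NewGuid().ToString("N")] = recordId;

    protected override void Render(HtmlTextWriter writer)
    {
        foreach (var token in Tokens.Keys)
        {
            // Register each legitimate argument; any other value fails ValidateEvent.
            Page.ClientScript.RegisterForEventValidation(UniqueID, token);
            writer.AddAttribute(HtmlTextWriterAttribute.Href,
                Page.ClientScript.GetPostBackClientHyperlink(this, token));
            writer.RenderBeginTag(HtmlTextWriterTag.A);
            writer.Write("open");
            writer.RenderEndTag();
        }
        base.Render(writer);
    }

    public void RaisePostBackEvent(string eventArgument)
    {
        // Never change state on GET, even when ASP.NET treats the request as a postback.
        if (!string.Equals(Page.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException("State changes only on POST.");
        // Framework check plus our own lookup: defence in depth, not reliance.
        Page.ClientScript.ValidateEvent(UniqueID, eventArgument);
        if (!Tokens.TryGetValue(eventArgument, out int recordId))
            throw new InvalidOperationException("Unknown token.");
        if (!UserMayOpen(recordId)) // authorization is decided server-side, per user
            throw new UnauthorizedAccessException();
        Open(recordId);
    }

    // Placeholders for the application's own authorization and business logic.
    private bool UserMayOpen(int recordId) => Page.User.Identity.IsAuthenticated;
    private void Open(int recordId) { /* application-specific */ }
}
```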

 

Reprinted from: https://www.cnblogs.com/SumYang/archive/2011/03/18/1988048.html
