ASP.NET Security (2): QueryString, Session, Event
1. When using the query string, do not rely on an auto-incrementing value as the identifier, as in the following:
?XXX=001 xxx=002
2. A GUID does not solve this problem well either.
3. Do not put important information in hidden fields.
4. Use the AntiCSRF component (http://www.codeplex.com/AntiCSRF) to defend against CSRF.
5. .NET event validation
Event validation is the default behavior for ASP.NET. When validation is enabled, controls that render (which excludes those controls that are not visible) will register themselves with event validation. When a postback occurs, ASP.NET looks through the registered events to discover if the control that would receive the event has been registered.
Event validation cannot be relied on.
Event validation should be part of your defense in depth strategy. However, it should not be your sole defense. Because it is up to controls to register for event validation, it is possible that a third-party control (or, indeed, one of your own custom controls) may not register for event validation.
For dynamically generated controls or values, register them explicitly with RegisterForEventValidation.
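The following custom control illustrates both points above: it registers every value it renders with event validation, and its postback handler still re-checks the posted value itself instead of trusting event validation alone. This is an added example, not code from the original post; the control name, the plan values and the page it lives on are assumed.

```csharp
// Added example (not from the original post): a <select> control that registers each
// legal value during Render and re-validates the posted value on postback.
using System;
using System.Collections.Specialized;
using System.Web.UI;
using System.Web.UI.WebControls;

public class PlanSelector : WebControl, IPostBackDataHandler
{
    // Hypothetical legal values; a real control would load these from the data layer.
    private static readonly string[] AllowedPlans = { "basic", "pro", "enterprise" };

    public string SelectedPlan
    {
        get { return (string)ViewState["SelectedPlan"] ?? "basic"; }
        set { ViewState["SelectedPlan"] = value; }
    }

    public event EventHandler PlanChanged;

    protected override void Render(HtmlTextWriter writer)
    {
        writer.AddAttribute(HtmlTextWriterAttribute.Name, UniqueID);
        writer.RenderBeginTag(HtmlTextWriterTag.Select);
        foreach (string plan in AllowedPlans)
        {
            // RegisterForEventValidation may only be called during Render. A posted value
            // that was never registered makes ASP.NET reject the postback (when
            // enableEventValidation is on).
            Page.ClientScript.RegisterForEventValidation(UniqueID, plan);
            writer.AddAttribute(HtmlTextWriterAttribute.Value, plan);
            if (plan == SelectedPlan)
                writer.AddAttribute(HtmlTextWriterAttribute.Selected, "selected");
            writer.RenderBeginTag(HtmlTextWriterTag.Option);
            writer.WriteEncodedText(plan);
            writer.RenderEndTag();
        }
        writer.RenderEndTag();
    }

    public bool LoadPostData(string postDataKey, NameValueCollection postCollection)
    {
        string posted = postCollection[postDataKey];
        // Layer 1: let ASP.NET compare the posted value against what Render registered.
        Page.ClientScript.ValidateEvent(UniqueID, posted);
        // Layer 2: event validation is optional and can be switched off, so check again.
        if (Array.IndexOf(AllowedPlans, posted) < 0)
            throw new InvalidOperationException("Unexpected plan value in postback.");
        if (posted != SelectedPlan)
        {
            SelectedPlan = posted;
            return true;   // tells ASP.NET to raise RaisePostDataChangedEvent
        }
        return false;
    }

    public void RaisePostDataChangedEvent()
    {
        if (PlanChanged != null) PlanChanged(this, EventArgs.Empty);
    }
}
```

The second check in LoadPostData is the "defense in depth" part: even if event validation is disabled in web.config or the control is swapped for one that never registers, the handler still refuses values outside the allowed set.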
- Never change state via a GET request. — The HTTP specifications state that GET requests must not change state.
- Do not use direct, sequential object references. — Always use indirect object references (such as a GUID) to refer to resources on a Web server. Direct object references can be changed easily to allow attackers to access objects they should not be able to see. Check that the current user is authorized to see the object requested.
- Do not use hidden form fields to hold sensitive information, unless they are properly protected. — Remember that form fields (and query strings) can be manipulated by attackers.
- Add a CSRF token to your forms. — This will allow you to check that the request came from your own Web site.
- Check the Request type when checking if a request is a postback. — This will protect you from ASP.NET considering query string-driven requests as potential postbacks.
- Do not disable event validation, but do not rely on it. — Registering for event validation is optional for controls. Always check conditions within postback events.
- Do not rely on Request headers. — Combine the steps outlined in this chapter with the validation checklist provided in Chapter 3.