随笔 - 432  文章 - 0  评论 - 15  阅读 - 63万

切记ajax中要带上AntiForgeryToken防止CSRF攻击

经常看到在项目中ajax post数据到服务器不加防伪标记,造成CSRF攻击

在Asp.net Mvc里加入防伪标记很简单在表单中加入Html.AntiForgeryToken()即可。

Html.AntiForgeryToken()会生成一对加密的字符串,分别存放在Cookies 和 input 中。

我们在ajax post中也带上AntiForgeryToken

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
<h2>Index</h2>
<form id="form1">
    <div class="form-horizontal">
        <h4>Persen</h4>
        <hr />
        @Html.ValidationSummary(true, "", new { @class = "text-danger" })
        <div class="form-group">
            @Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })
            <div class="col-md-10">
                @Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })
                @Html.ValidationMessageFor(model => model.Name, "", new { @class = "text-danger" })
            </div>
        </div>
        <div class="form-group">
            @Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })
            <div class="col-md-10">
                @Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })
                @Html.ValidationMessageFor(model => model.Age, "", new { @class = "text-danger" })
            </div>
        </div>
        <div class="form-group">
            <div class="col-md-offset-2 col-md-10">
                <input type="button" id="save" value="Create" class="btn btn-default" />
            </div>
        </div>
    </div>
</form>
<script src="~/Scripts/jquery-1.10.2.min.js"></script>
<script src="~/Scripts/jquery.validate.min.js"></script>
<script src="~/Scripts/jquery.validate.unobtrusive.min.js"></script>
<script type="text/javascript">
 $(function () {
  //var token = $('[name=__RequestVerificationToken]');
  //获取防伪标记
  var token = $('@Html.AntiForgeryToken()').val();
  var headers = {};
  //防伪标记放入headers
  //也可以将防伪标记放入data
  headers["__RequestVerificationToken"] = token;
  $("#save").click(function () {
   $.ajax({
    type: 'POST',
    url: '/Home/Index',
    cache: false,
    headers: headers,
    data: { Name: "yangwen", Age: "1" },
    success: function (data) {
     alert(data)
    },
    error: function () {
     alert("Error")
    }
   });
  })
 })
</script>

  

  

放在cookies里面的加密字符串

控制器中代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;
namespace WebApplication1.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View();
        }
        [HttpPost]
        [MyValidateAntiForgeryToken]
        public ActionResult Index(Person p)
        {
            return Json(true, JsonRequestBehavior.AllowGet);
        }
    }
    public class Person
    {
        public string Name { get; set; }
        public int Age { get; set; }
    }
    public class MyValidateAntiForgeryToken : AuthorizeAttribute
    {
        public override void OnAuthorization(AuthorizationContext filterContext)
        {
            var request = filterContext.HttpContext.Request;
            if (request.HttpMethod == WebRequestMethods.Http.Post)
            {
                if (request.IsAjaxRequest())
                {
                    var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];
                    var cookieValue = antiForgeryCookie != null
                     ? antiForgeryCookie.Value
                     : null;
                    //从cookies 和 Headers 中 验证防伪标记
                    //这里可以加try-catch
                    AntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]);
                }
                else
                {
                    new ValidateAntiForgeryTokenAttribute()
                     .OnAuthorization(filterContext);
                }
            }
        }
    }
}

  这里注释掉ajax中防伪标记在请求

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
<script type="text/javascript">
    $("#save").click(function () {
        $.ajax({
            type: 'POST',
            url: '/Home/Index',
            cache: false,
            //  headers: headers,
            data: { Name: "yangwen", Age: "1" },
            success: function (data) {
                alert(data)
            },
            error: function () {
                alert("Error")
            }
        });
    })
</script>

  

默认返回500的状态码。

这里修改ajax中的防伪标记

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
<script type="text/javascript">
    $(function () {
        //var token = $('[name=__RequestVerificationToken]');
        //获取防伪标记
        var token = $('@Html.AntiForgeryToken()').val();
        var headers = {};
        //防伪标记放入headers
        //也可以将防伪标记放入data
        headers["__RequestVerificationToken"] = token + 11111111111111111111111111111111111;
        $("#save").click(function () {
            $.ajax({
                type: 'POST',
                url: '/Home/Index',
                cache: false,
                headers: headers,
                data: { Name: "yangwen", Age: "1" },
                success: function (data) {
                    alert(data)
                },
                error: function () {
                    alert("Error")
                }
            });
        })
    })
 
</script>

  

也是500的状态码。

以上内容就是本文的全部叙述,切记ajax中要带上AntiForgeryToken防止CSRF攻击。

posted on   狼来了  阅读(369)  评论(0编辑  收藏  举报
编辑推荐:
· 没有源码,如何修改代码逻辑?
· 一个奇形怪状的面试题:Bean中的CHM要不要加volatile?
· [.NET]调用本地 Deepseek 模型
· 一个费力不讨好的项目,让我损失了近一半的绩效!
· .NET Core 托管堆内存泄露/CPU异常的常见思路
阅读排行:
· DeepSeek “源神”启动!「GitHub 热点速览」
· 微软正式发布.NET 10 Preview 1:开启下一代开发框架新篇章
· C# 集成 DeepSeek 模型实现 AI 私有化(本地部署与 API 调用教程)
· DeepSeek R1 简明指南:架构、训练、本地部署及硬件要求
· NetPad:一个.NET开源、跨平台的C#编辑器
< 2025年2月 >
26 27 28 29 30 31 1
2 3 4 5 6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 1
2 3 4 5 6 7 8

点击右上角即可分享
微信分享提示