經常看到在項目中ajax post數據到服務器不加防偽標記，造成CSRF攻擊

在Asp.net Mvc里加入防偽標記很簡單在表單中加入Html.AntiForgeryToken()即可。

Html.AntiForgeryToken()會生成一對加密的字符串，分別存放在Cookies 和?input 中。

我們在ajax post中也帶上AntiForgeryToken

@model WebApplication1.Controllers.Person @{ViewBag.Title = "Index"; }<h2>Index</h2> <form id="form1"><div class="form-horizontal"><h4>Persen</h4><hr />@Html.ValidationSummary(true, "", new { @class = "text-danger" })<div class="form-group">@Html.LabelFor(model => model.Name, htmlAttributes: new { @class = "control-label col-md-2" })<div class="col-md-10">@Html.EditorFor(model => model.Name, new { htmlAttributes = new { @class = "form-control" } })@Html.ValidationMessageFor(model => model.Name, "", new { @class = "text-danger" })</div></div><div class="form-group">@Html.LabelFor(model => model.Age, htmlAttributes: new { @class = "control-label col-md-2" })<div class="col-md-10">@Html.EditorFor(model => model.Age, new { htmlAttributes = new { @class = "form-control" } })@Html.ValidationMessageFor(model => model.Age, "", new { @class = "text-danger" })</div></div><div class="form-group"><div class="col-md-offset-2 col-md-10"><input type="button" id="save" value="Create" class="btn btn-default" /></div></div></div></form> <script src="~/Scripts/jquery-1.10.2.min.js"></script> <script src="~/Scripts/jquery.validate.min.js"></script> <script src="~/Scripts/jquery.validate.unobtrusive.min.js"></script> <script type="text/javascript">$(function () {//var token = $('[name=__RequestVerificationToken]');//獲取防偽標記var token = $('@Html.AntiForgeryToken()').val();var headers = {};//防偽標記放入headers//也可以將防偽標記放入dataheaders["__RequestVerificationToken"] = token;$("#save").click(function () {$.ajax({type: 'POST',url: '/Home/Index',cache: false,headers: headers,data: { Name: "yangwen", Age: "1" },success: function (data) {alert(data)},error: function () {alert("Error")}});})}) </script>

放在cookies里面的加密字符串

控制器中代碼

---

using System; using System.Collections.Generic; using System.Linq; using System.Net; using System.Web; using System.Web.Helpers; using System.Web.Mvc;namespace WebApplication1.Controllers{public class HomeController : Controller{public ActionResult Index(){return View();}[HttpPost][MyValidateAntiForgeryToken]public ActionResult Index(Person p){return Json(true, JsonRequestBehavior.AllowGet);}}public class Person{public string Name { get; set; }public int Age { get; set; }}public class MyValidateAntiForgeryToken : AuthorizeAttribute{public override void OnAuthorization(AuthorizationContext filterContext){var request = filterContext.HttpContext.Request;if (request.HttpMethod == WebRequestMethods.Http.Post){ if (request.IsAjaxRequest()){var antiForgeryCookie = request.Cookies[AntiForgeryConfig.CookieName];var cookieValue = antiForgeryCookie != null? antiForgeryCookie.Value: null;//從cookies 和 Headers 中 驗證防偽標記//這里可以加try-catchAntiForgery.Validate(cookieValue, request.Headers["__RequestVerificationToken"]);}else{new ValidateAntiForgeryTokenAttribute().OnAuthorization(filterContext);}}}}}

這里注釋掉ajax中防偽標記在請求

$("#save").click(function () {$.ajax({type: 'POST',url: '/Home/Index',cache: false,// headers: headers,data: { Name: "yangwen", Age: "1" },success: function (data) {alert(data)},error: function () {alert("Error")}});})

默認返回500的狀態碼。

這里修改ajax中的防偽標記

$(function () {//var token = $('[name=__RequestVerificationToken]');//獲取防偽標記var token = $('@Html.AntiForgeryToken()').val();var headers = {};//防偽標記放入headers//也可以將防偽標記放入dataheaders["__RequestVerificationToken"] = token+11111111111111111111111111111111111;$("#save").click(function () {$.ajax({type: 'POST',url: '/Home/Index',cache: false,headers: headers,data: { Name: "yangwen", Age: "1" },success: function (data) {alert(data)},error: function () {alert("Error")}});})})

也是500的狀態碼。

總結

以上是生活随笔為你收集整理的ajax中加上AntiForgeryToken防止CSRF攻击的全部內容，希望文章能夠幫你解決所遇到的問題。

如果覺得生活随笔網站內容還不錯，歡迎將生活随笔推薦給好友。