我一直使用jQuery和*的.asmx Web服务还很少,我想是安全的意识这样做。
I've been working with jQuery and *.asmx web services lately, and I'm trying to be security-conscious in doing so.
我想,这将有可能提出一个AJAX请求 - 即使在注销时 - 以一种资源,应该只访问,而登录的
I figure it would be possible to submit an AJAX request -- even when logged-out -- to a resource that should only be accessible while logged-in.
所以,我包括为了执行某些服务器端操作之前验证用户的状态,特殊键和散列与这些AJAX请求。
Thus, I include special keys and hashes with each of these AJAX requests in order to validate the user's state before performing certain server-side actions.
然而
我一直以为回发是安全的在这方面。如果收到已被篡改的请求。NET将抛出一个错误。
I always assumed that Postbacks were safe in that regard. That .NET would throw an error if it received a request that had been tampered with.
那是一个安全的假设?或者我应该验证所有请求,无论他们是通过AJAX或者非Ajax HTTP POST接收到的?
Is that a safe assumption? Or should I validate ALL requests, whether they're received via AJAX or a non-AJAX HTTP POST?
我想无论在技术上HTTP职位,但AJAX的人们只要提交你明确地传递,而一个正常的ASP.NET一个包括所有的视图状态值。这是否正确?
I suppose both are technically HTTP POSTs, but the AJAX one only submits what you explicitly pass, whereas a normal ASP.NET one includes all viewstate values. Is that correct?
非常感谢,
迈克尔
推荐答案您应该不相信任何东西来通过HTTP - 这是微不足道的制造GET或POST请求
You shouldn't trust anything that comes in over HTTP - it's trivial to manufacture a GET or POST request.
更多推荐
回发安全
发布评论