我创建了一个JavaScript应用程序。它与ASHX处理程序对话。该连接使用有效的SSL证书进行保护。
当用户单击"提交"时,我会构建一个JSON对象,表示他们对某些问题的回答。
JS代码将对象作为URL上的参数发送给处理程序,以便对其进行处理。
如果我打开Fiddler并观察这些请求,我可以清楚地看到JSON对象和它要去的URL
此应用程序适用于个人创建一次性数据点。事实上,对于某人来说,使用这个公开可用的处理程序编写一个在我们的数据库中创建1000行的脚本是微不足道的。
我研究过"如何保护JSON数据",答案似乎总是"使用SSL"。但是我正在使用SSL,并且我仍然可以看到数据通过导线。
我可以手动创建数据,只需在浏览器栏中点击一个格式正确的URL,然后按"回车"。
我可以阻止用户看到处理程序url及其接受的数据格式吗?数据本身并不是秘密的,但我不希望对写入数据库的API调用进行反向工程变得容易。
下面是我的"提交时"函数的通用版本,供参考。
function createGenericThing() {
document.getElementById('btnDoSomething').disabled = true;
document.getElementById('btnDoSomething').value = "Working...";
var evt = GetJSONObjectFromUserInput(); //returns a valid JSON string
//expected format: /MyHandler.ashx?command=dosomething&data={json string}
var handlerurl = getHandlerURL("MyHandler.ashx");
//grab the parameters they have entered in the user interface
var params = "cmd=dosomething&data=" + encodeURIComponent(JSON.stringify(evt));
//set up our request object
if (window.XMLHttpRequest) {
window.xmlhttp = new XMLHttpRequest();
} else {
window.xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
//set up to catch the result after the server replies
window.xmlhttp.onreadystatechange = function () {
if (window.xmlhttp.readyState === 4 && window.xmlhttp.status === 200) {
//this code will happen after we get a reply.
//the value in "context.Response.Write()" will come back as .responseText
if (-1 < window.xmlhttp.responseText.indexOf("Error") || -1 < window.xmlhttp.responseText.indexOf("error")) {
//if the call returned an error, show it to the user
document.getElementById('lblError').innerHTML = "An error occurred. The error was: " + window.xmlhttp.responseText;
document.getElementById('btnDoSomething').disabled = false;
document.getElementById('btnDoSomething').value = "Do something";
} else {
//if we get here, then the action completed.
//navigate wherever we are configured to go (a URL which is in a hidden field), with a param indicating success.
//it is up to the navigate-to-page to actually pay attention to that parameter and do anything about it (i.e,. show a confirmation message)
var navigateto = document.getElementById('hfNavigateAfterURL').value;
navigateto = navigateto + "?datasaved=" + window.xmlhttp.responseText;
window.location.href = navigateto;
}
}
}
//get the results from our handler. this line actually causes SQL to execute on the server.
//if you watch in Fiddler, you'll see something like:
//https://someserver/someurl.ashx?cmd=dosomething&data={properly formed JSON}
//that's the problem.
window.xmlhttp.open("GET", handlerurl + "?" + params, true);
window.xmlhttp.send();
}
以下是我为此制定的解决方案。
请记住,用户数据本身并不是秘密。
我只想防止恶意用户监视该数据的发布并恶意发布到我的处理程序。
页面加载:
1-在页面加载时,服务器生成两个东西:一个guid和一个加密的时间戳。*
2-guid存储在ASP.NET会话中。这两个值都会传递到客户端中的一个隐藏字段。
以下是相关的Page_Load代码:
'give this session a guid. also encrypt a timestamp.
'when they submit their data, the HTTP request will include both pieces of data.
'we'll verify that the guid actually exists in session.
'we'll also decrypt the timestamp and decide whether they timed out or not.
'this is to mitigate the risk of malicious users posting invalid data to our ASHX handler.
'all of the verification and checking happens in the handler
Dim epochTime = (Date.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds.ToString() '# of seconds since the epoch, to avoid time zone issues
Dim sessionGuid = Guid.NewGuid()
hfAuth.Value = sessionGuid.ToString() + EncryptionHelper.Encrypt(epochTime).ToString()
Session.Add("EVENTKEY", sessionGuid.ToString())
标记
只是一个新的HiddenField,以允许上面显示的分配。
JavaScript
JS只得到一个更改:当我执行GET请求时,我将guid和加密的时间戳的组合以及请求的其余部分附加到处理程序。
以问题中的原始代码为基础,我只添加了这一行:
params = params + "&guidkey=" + document.getElementById('hfAuth').value;
处理程序
处理程序现在的任务是验证GET请求附带的密钥。基于我们对传入令牌的了解,这很简单。
...in the ProcessRequest method...
Dim authenticationKey = context.Request.Params(2).ToString()
If IsKeyValid(authenticationKey, context) Then
context.Response.Write(CreateCRMEvent(eventJSON))
Else
'if the caller didn't know the key we expected, then just quietly fail
'by returning a guid. no need to let malicious users know they failed.
context.Response.Write(Guid.NewGuid())
End If
...and a new method...
Private Shared Function IsKeyValid(keyToAuthenticate As String, context As HttpContext) As Boolean
Try
'a key is valid if:
'1: it begins with a guid that we have in session
'2: it contains a timestamp that has been encrypted with our key, and is within the timeout period
Dim sessionGuid = String.Empty
Dim lengthOfAGuid = Guid.Empty.ToString.Length '36
If context.Session("EVENTKEY") IsNot Nothing Then
sessionGuid = context.Session("EVENTKEY").ToString().ToUpper()
End If
If String.IsNullOrEmpty(keyToAuthenticate) OrElse String.IsNullOrEmpty(sessionGuid) Then
Return False 'invalid because they provided no key, or we have no knowledge of issuing one
End If
If keyToAuthenticate.Length <= lengthOfAGuid Then
Return False 'invalid because their key does not contain a valid guid + encrypted timestamp
End If
Dim expectedGuid = keyToAuthenticate.Substring(0, 36).ToUpper()
If sessionGuid <> expectedGuid Then
Return False 'invalid because the guid they gave is not one we remember issuing
End If
'they knew the guid we have in session. Check the timestamp.
Dim iEpochSeconds = 0.0
Try
Dim encryptedTimeStamp = keyToAuthenticate.Substring(lengthOfAGuid, keyToAuthenticate.Length - lengthOfAGuid)
Dim decryptedTimeStamp = EncryptionHelper.Decrypt(encryptedTimeStamp)
If Not Double.TryParse(decryptedTimeStamp, iEpochSeconds) Then
Return False 'invalid because the timestamp decrypted, but not to a valid # of seconds
End If
Catch
Return False 'invalid because whatever timestamp they tried to give us doesn't decrypt
End Try
'give them 30 minutes to finish. we can tweak this later if it'keyToAuthenticate a problem.
Const timeoutSeconds = 1800.0
Dim maxAllowedEpochTime = (Date.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds + timeoutSeconds
If iEpochSeconds > maxAllowedEpochTime Then
Return False 'invalid because their timestamp expired
End If
'couldn't find anything wrong. let it through.
Return True
Catch
Return False 'invalid because the request was in a format we do not recognize.
End Try
End Function
*加密是用这个类完成的(当然除了密钥不同)
时间戳是自UNIX epoch开始以来的秒数。我选择这个是为了避免时区问题。