javascript - 如何避免让 ASHX 处理程序受到滥用？

Question

我创建了一个 JavaScript 应用程序。它与 ASHX 处理程序对话。使用有效的 SSL 证书保护连接。

当用户点击“提交”时，我构建了一个 JSON 对象来表示他们对某些问题的回答。

JS 代码将对象作为 URL 上的参数发送给处理程序，以便对其进行处理。

如果我打开 Fiddler 并观察这些请求，我可以清楚地看到 JSON 对象和它要去的 URL。

此应用程序旨在供个人创建一次性数据点。照原样，某人使用这个公开可用的处理程序编写脚本在我们的数据库中创建 1000 行是微不足道的。

我研究过“如何保护 JSON 数据”，答案似乎总是“使用 SSL”。但我正在使用 SSL，我仍然可以看到数据通过网络传输。

我可以通过在浏览器栏中输入格式正确的 URL 并按“输入”来手动创建数据。

我可以阻止用户看到处理程序 url 和它接受的数据格式吗？数据本身不是 secret ，但我不希望它很容易对写入数据库的 API 调用进行逆向工程。

下面是我的“提交时”函数的通用版本，供引用。

function createGenericThing() {
    document.getElementById('btnDoSomething').disabled = true;
    document.getElementById('btnDoSomething').value = "Working...";
    var evt = GetJSONObjectFromUserInput();  //returns a valid JSON string
    //expected format: /MyHandler.ashx?command=dosomething&data={json string}
    var handlerurl = getHandlerURL("MyHandler.ashx");
    //grab the parameters they have entered in the user interface
    var params = "cmd=dosomething&data=" + encodeURIComponent(JSON.stringify(evt));

    //set up our request object
    if (window.XMLHttpRequest) {
        window.xmlhttp = new XMLHttpRequest();
    } else {
        window.xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
    }

    //set up to catch the result after the server replies
    window.xmlhttp.onreadystatechange = function () {
        if (window.xmlhttp.readyState === 4 && window.xmlhttp.status === 200) {
            //this code will happen after we get a reply.
            //the value in "context.Response.Write()" will come back as .responseText
            if (-1 < window.xmlhttp.responseText.indexOf("Error") || -1 < window.xmlhttp.responseText.indexOf("error")) {
                //if the call returned an error, show it to the user
                document.getElementById('lblError').innerHTML = "An error occurred.  The error was: " + window.xmlhttp.responseText;
                document.getElementById('btnDoSomething').disabled = false;
                document.getElementById('btnDoSomething').value = "Do something";
            } else {
                //if we get here, then the action completed.
                //navigate wherever we are configured to go (a URL which is in a hidden field), with a param indicating success.
                //it is up to the navigate-to-page to actually pay attention to that parameter and do anything about it (i.e,. show a confirmation message)
                var navigateto = document.getElementById('hfNavigateAfterURL').value;
                navigateto = navigateto + "?datasaved=" + window.xmlhttp.responseText;
                window.location.href = navigateto;
            }
        }
    }

    //get the results from our handler.  this line actually causes SQL to execute on the server.
    //if you watch in Fiddler, you'll see something like:
    //https://someserver/someurl.ashx?cmd=dosomething&data={properly formed JSON}
    //that's the problem.
    window.xmlhttp.open("GET", handlerurl + "?" + params, true);
    window.xmlhttp.send();
}

Answer 1

这是我为此制定的解决方案。

请记住，用户数据本身并不是 secret 。

我只想防止恶意用户监视该数据的发布并恶意发布到我的处理程序。

页面加载:

1 - 在页面加载时，服务器生成两个东西:一个 guid 和一个加密的时间戳。*

2 - guid 存储在 ASP.NET session 中。这两个值都传递到客户端中的隐藏字段。

这是相关的 Page_Load 代码:

'give this session a guid.  also encrypt a timestamp.
'when they submit their data, the HTTP request will include both pieces of data.
'we'll verify that the guid actually exists in session.
'we'll also decrypt the timestamp and decide whether they timed out or not.
'this is to mitigate the risk of malicious users posting invalid data to our ASHX handler.
'all of the verification and checking happens in the handler
Dim epochTime = (Date.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds.ToString() '# of seconds since the epoch, to avoid time zone issues
Dim sessionGuid = Guid.NewGuid()
hfAuth.Value = sessionGuid.ToString() + EncryptionHelper.Encrypt(epochTime).ToString()
Session.Add("EVENTKEY", sessionGuid.ToString())

标记

只是一个新的 HiddenField，以允许上面显示的分配。

JavaScript

JS 只有一个变化:当我执行 GET 请求时，我将 guid 和加密时间戳的组合连同请求的​​其余部分附加到处理程序。

以问题的原始代码为基础，我刚刚添加了这一行:

params = params + "&guidkey=" + document.getElementById('hfAuth').value;

处理程序

处理程序现在负责验证随 GET 请求一起提供的 key 。根据我们对传入 token 的了解，这很简单。

...in the ProcessRequest method...
Dim authenticationKey = context.Request.Params(2).ToString()
If IsKeyValid(authenticationKey, context) Then
    context.Response.Write(CreateCRMEvent(eventJSON))
Else
    'if the caller didn't know the key we expected, then just quietly fail
    'by returning a guid.  no need to let malicious users know they failed.
    context.Response.Write(Guid.NewGuid())
End If

...and a new method...
Private Shared Function IsKeyValid(keyToAuthenticate As String, context As HttpContext) As Boolean
    Try
        'a key is valid if:
        '1: it begins with a guid that we have in session
        '2: it contains a timestamp that has been encrypted with our key, and is within the timeout period
        Dim sessionGuid = String.Empty
        Dim lengthOfAGuid = Guid.Empty.ToString.Length '36
        If context.Session("EVENTKEY") IsNot Nothing Then
            sessionGuid = context.Session("EVENTKEY").ToString().ToUpper()
        End If

        If String.IsNullOrEmpty(keyToAuthenticate) OrElse String.IsNullOrEmpty(sessionGuid) Then
            Return False 'invalid because they provided no key, or we have no knowledge of issuing one
        End If

        If keyToAuthenticate.Length <= lengthOfAGuid Then
            Return False 'invalid because their key does not contain a valid guid + encrypted timestamp
        End If

        Dim expectedGuid = keyToAuthenticate.Substring(0, 36).ToUpper()
        If sessionGuid <> expectedGuid Then
            Return False 'invalid because the guid they gave is not one we remember issuing
        End If

        'they knew the guid we have in session.  Check the timestamp.
        Dim iEpochSeconds = 0.0
        Try
            Dim encryptedTimeStamp = keyToAuthenticate.Substring(lengthOfAGuid, keyToAuthenticate.Length - lengthOfAGuid)
            Dim decryptedTimeStamp = EncryptionHelper.Decrypt(encryptedTimeStamp)
            If Not Double.TryParse(decryptedTimeStamp, iEpochSeconds) Then
                Return False 'invalid because the timestamp decrypted, but not to a valid # of seconds
            End If
        Catch
            Return False 'invalid because whatever timestamp they tried to give us doesn't decrypt
        End Try

        'give them 30 minutes to finish.  we can tweak this later if it'keyToAuthenticate a problem.
        Const timeoutSeconds = 1800.0
        Dim maxAllowedEpochTime = (Date.UtcNow - New DateTime(1970, 1, 1)).TotalSeconds + timeoutSeconds
        If iEpochSeconds > maxAllowedEpochTime Then
            Return False 'invalid because their timestamp expired
        End If

        'couldn't find anything wrong.  let it through.
        Return True
    Catch
        Return False 'invalid because the request was in a format we do not recognize.
    End Try
End Function

*加密是用this class完成的(当然 key 不同除外)

时间戳是自 UNIX 纪元开始以来的秒数。我选择这个是为了避免时区问题。