Preventing CSRF With Ajax
https://stackoverflow.com/a/24394578/3782855
You don't need the ValidationHttpRequestWrapper solution since MVC 4. According to this link.
- Put the token in the headers.
- Create a filter.
- Put the attribute on your method.
Here is my solution:
var token = $('input[name="__RequestVerificationToken"]').val();
var headers = {};
headers['__RequestVerificationToken'] = token;
$.ajax({
type: 'POST',
url: '/MyTestMethod',
contentType: 'application/json; charset=utf-8',
headers: headers,
data: JSON.stringify({
Test: 'test'
}),
dataType: "json",
success: function () {},
error: function (xhr) {}
});
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter
{
public void OnAuthorization(AuthorizationContext filterContext)
{
if (filterContext == null)
{
throw new ArgumentNullException("filterContext");
} var httpContext = filterContext.HttpContext;
var cookie = httpContext.Request.Cookies[AntiForgeryConfig.CookieName];
AntiForgery.Validate(cookie != null ? cookie.Value : null, httpContext.Request.Headers["__RequestVerificationToken"]);
}
} [HttpPost]
[AllowAnonymous]
[ValidateJsonAntiForgeryToken]
public async Task<JsonResult> MyTestMethod(string Test)
{
return Json(true);
}
Updated Anti-XSRF Validation for ASP.NET MVC 4 RC
Preventing CSRF With Ajax
You can try to apply the ValidateAntiForgeryTokenAttribute
attribute to an action method, but it will fail every time if you try to post JSON encoded data to the action method. On one hand, the most secure action possible is one that rejects every request. On the other hand, that’s a lousy user experience.
The problem lies in the fact that the under the hood, deep within the call stack, the attribute peeks into the Request.Form
collection to grab the anti-forgery token. But when you post JSON encoded data, there is no form collection to speak of. We hope to fix this at some point and with a more flexible set of anti-forgery helpers. But for the moment, we’re stuck with this.
Preventing CSRF With Ajax的更多相关文章
- Preventing CSRF in Java web apps---reference
reference from:http://ricardozuasti.com/2012/preventing-csrf-in-java-web-apps/ Cross-site request fo ...
- Bypass Preventing CSRF
CSRF在过去的n年(n>2)一直都火,在bh/defcon/owasp等会议上多次探讨CSRF的攻防[具体你可以看看以往的那些pp].前 段时间PLAYHACK.net上发表了一个总结性的pp ...
- CSRF之Ajax请求
A:Ajax提交数据是,携带的CSRF在data中: <form method="POST" action="/csrf.html"> {% csr ...
- asp.net MVC中防止跨站请求攻击(CSRF)的ajax用法
参考: Preventing Cross-Site Request Forgery (CSRF) AttacksValidating .NET MVC 4 anti forgery tokens in ...
- Django与CSRF 、AJAX
CSRF(Cross-site request forgery)跨站请求伪造,是一种常见的网络攻击手段,具体内容和含义请大家自行百度. Django为我们提供了防范CSRF攻击的机制. 一.基本使用 ...
- 六十六:CSRF攻击与防御之CSRF防御之ajax防御和ajax封装
app里面还是要绑定CSRFProtect from flask_wtf import CSRFProtect # flask_wtf 已经提供CSRF的防御手段CSRFProtect(app) # ...
- 第六章:Django 综合篇 - 17:CSRF与AJAX
CSRF(Cross-site request forgery)跨站请求伪造,是一种常见的网络攻击手段,具体内容和含义请大家自行百度. Django为我们提供了防范CSRF攻击的机制. 一.基本使用 ...
- 保护ASP.NET 应用免受 CSRF 攻击
CSRF是什么? CSRF(Cross-site request forgery),中文名称:跨站请求伪造,也被称为:one click attack/session riding,缩写为:CSRF/ ...
- 漏洞科普:对于XSS和CSRF你究竟了解多少
转自:http://www.freebuf.com/articles/web/39234.html 随着Web2.0.社交网络.微博等等一系列新型的互联网产品的诞生,基于Web环境的互联网应用越来越广 ...
随机推荐
- python使用tkinter无法获取输入框的值
如果遇到:使用tkinter无法获取输入框Entty()的值的问题,需要检查一下,是否在定义Entry()时立即进行了pack() 会出现使用entryname.get()报错 解决方法:把定义和pa ...
- 广联达C++面经(一站式西安) - 2019秋招
9月7号通知在广联达西安面试,早上在高新面完中兴一面就赶忙坐地铁倒公交去面试了. 一面(大概30-40min) 刚去签了一个到,就带我去面试了,在一个小型会议室,面试我的是一个女面试官(第一次碰见女 ...
- laravel——表操作集成操作
背景:通过判断不同的请求参数,返回不同的需要的数据 一.准备工作: 数据库新建一个表 DROP TABLE IF EXISTS `tb_category2`; CREATE TABLE IF NOT ...
- SetCurrentCellAddressCore 函数的可重入调用
绑定数据在线程中 private void dataGridView1_CellEndEdit(object sender, DataGridViewCellEventArgs e) { if (Di ...
- 批量导入数据到InnoDB表速度优化
1.使用Load data: 2. SET autocommit=0; ... SQL import statements ... COMMIT; 3. SET unique_checks=0; .. ...
- android在主线程下载文件
android在主线程下载文件 加入以下代码即可if (android.os.Build.VERSION.SDK_INT > 9) { StrictMode.ThreadPolicy polic ...
- 1216 Vue基础
目录 前端框架 Vue 1.简介 1.1 优点 2 使用 2.1 基础 2.2 文本指令 2.3 事件指令 2.4 属性指令 JS面向对象补充 前端框架 angular ---更新程度太快,且不向下兼 ...
- pdfminer批量处理PDF文件
from pdfminer.pdfparser import PDFParser, PDFDocument from pdfminer.pdfinterp import PDFResourceMana ...
- 09 webpack的介绍
webpack干嘛的?: 模块打包机,分析目录结构,找到js模块(包括浏览器不能直接识别的代码 typscript sass...),打包成合适的格式供浏览器访问 webpack是一款模块加载器兼打 ...
- 使用Optional优雅处理null
先假设一个场景.如下所示 public class Person { private String name; public Person() { } public Person(String nam ...