daishisystems/Daishi.Armor.WebFramework

Language: C#

git: https://github.com/daishisystems/Daishi.Armor.WebFramework

Protect ASP.NET Applications Against CSRF Attacks

ASP.NET ARMOR Web Framework

Join the chat at https://gitter.im/daishisystems/Daishi.Armor.WebFramework

As seen on visualstudiomagazine.com.

The Encrypted Token Pattern is a defence mechanism against Cross Site Request Forgery (CSRF) attacks and an alternative to its sister patterns, the Synchroniser Token and the Double Submit Cookie. Rather than keeping a per-session token on the server, the server hands the client a token that encrypts the user's ID, a timestamp and a nonce under a server-held key; on each protected request it decrypts the token and checks that it belongs to the authenticated user and has not expired, so a cross-origin request forged without that token fails. The ARMOR Web Framework provides a means to leverage this technique in repelling CSRF attacks against ASP.NET applications.
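As an added illustration of the pattern (this is not ARMOR's code, and the README does not show ARMOR's actual token layout), the following C# program implements it end to end: it issues a token that encrypts the user ID, issue time and a nonce under one key and authenticates it under a second, then validates a presented token against the authenticated user and a lifetime. The class name, the 30-minute lifetime, the `userId|timestamp|nonce` layout and the demo keys are this example's own choices; the keys are constructed byte sequences and must never be used for real.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

public static class EncryptedTokenExample
{
    // Constructed demo keys (32 bytes each, Base64 as ARMOR expects them): the byte
    // sequences 0x00..0x1f and 0x20..0x3f. Fine for a demo, never for production.
    const string EncryptionKeyBase64 = "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=";
    const string HashingKeyBase64 = "ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=";
    static readonly byte[] EncryptionKey = Convert.FromBase64String(EncryptionKeyBase64);
    static readonly byte[] HashingKey = Convert.FromBase64String(HashingKeyBase64);
    static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);
    const int IvLen = 16, TagLen = 32;

    // Issue: "userId|unixSeconds|nonce" -> AES-256-CBC under a fresh IV, then HMAC-SHA256
    // over IV||ciphertext (encrypt-then-MAC). Token = Base64(IV||ciphertext||tag).
    // Assumes user IDs never contain '|'.
    public static string Issue(string userId, DateTimeOffset now)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        var plaintext = Encoding.UTF8.GetBytes(
            userId + "|" + now.ToUnixTimeSeconds() + "|" + Convert.ToBase64String(nonce));
        byte[] iv, ciphertext;
        using (var aes = Aes.Create())
        {
            aes.Key = EncryptionKey; aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            aes.GenerateIV();
            iv = aes.IV;
            using (var enc = aes.CreateEncryptor())
                ciphertext = enc.TransformFinalBlock(plaintext, 0, plaintext.Length);
        }
        var body = Concat(iv, ciphertext);
        using (var hmac = new HMACSHA256(HashingKey))
            return Convert.ToBase64String(Concat(body, hmac.ComputeHash(body)));
    }

    // Validate: check the tag in constant time BEFORE decrypting (no padding oracle), then
    // require the embedded user to match the authenticated one and the age to be within
    // TokenLifetime. Every failure is a plain reject; no detail goes back to the caller.
    public static bool Validate(string token, string expectedUserId, DateTimeOffset now)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(token); } catch (FormatException) { return false; }
        if (raw.Length < IvLen + 16 + TagLen) return false;
        var body = Slice(raw, 0, raw.Length - TagLen);
        var tag = Slice(raw, body.Length, TagLen);
        using (var hmac = new HMACSHA256(HashingKey))
            if (!FixedTimeEquals(tag, hmac.ComputeHash(body))) return false;
        byte[] plaintext;
        using (var aes = Aes.Create())
        {
            aes.Key = EncryptionKey; aes.IV = Slice(body, 0, IvLen);
            aes.Mode = CipherMode.CBC; aes.Padding = PaddingMode.PKCS7;
            using (var dec = aes.CreateDecryptor())
                plaintext = dec.TransformFinalBlock(body, IvLen, body.Length - IvLen);
        }
        var parts = Encoding.UTF8.GetString(plaintext).Split('|');
        long issued;
        if (parts.Length != 3 || parts[0] != expectedUserId || !long.TryParse(parts[1], out issued))
            return false;
        var age = now - DateTimeOffset.FromUnixTimeSeconds(issued);
        return age >= TimeSpan.Zero && age <= TokenLifetime;
    }

    static byte[] Concat(byte[] a, byte[] b) => a.Concat(b).ToArray();
    static byte[] Slice(byte[] src, int offset, int count) => src.Skip(offset).Take(count).ToArray();

    // Constant-time comparison so the check does not leak where the tags first differ.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        var token = Issue("user-42", now);
        Check(Validate(token, "user-42", now), "genuine token accepted");
        Check(!Validate(token, "user-99", now), "token bound to another user rejected");
        Check(!Validate(token, "user-42", now.AddHours(1)), "expired token rejected");
        // Flip one Base64 character inside the IV: the HMAC no longer matches.
        var tampered = token.Substring(0, 10) + (token[10] == 'A' ? 'B' : 'A') + token.Substring(11);
        Check(!Validate(tampered, "user-42", now), "tampered token rejected");
    }

    static void Check(bool ok, string what) { if (!ok) throw new Exception("FAILED: " + what); Console.WriteLine("ok: " + what); }
}
```

The two keys mirror ARMOR's requirement for separate encryption and hashing keys: the HMAC is verified first and in constant time, so a forged or altered token is rejected before any decryption takes place, and a token that decrypts cleanly is still rejected when it names a different user or has outlived its lifetime.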

Click here for an in-depth tutorial on protecting ASP.NET applications from CSRF attacks using this framework.

Installation

PM> Install-Package Daishi.Armor.WebFramework

Sample Code

Generating Keys

ARMOR requires two independent keys, one for encryption and one for hashing (the token's integrity check), both supplied in Base64 format. You can generate both with the code below; it produces raw random bytes, so the final step converts them to Base64.

Note: key generation, rotation, and management are outside ARMOR's scope. Keep the keys out of source control, load them from configuration or a secrets store, and never use one key for both purposes.

using System;
using System.Security.Cryptography;

// Two separate 256-bit keys: one for encryption, one for the hash (HMAC).
byte[] encryptionKey = new byte[32];
byte[] hashingKey = new byte[32];

using (var provider = new RNGCryptoServiceProvider()) {
    provider.GetBytes(encryptionKey);
    provider.GetBytes(hashingKey);
}

// ARMOR consumes the keys as Base64 strings.
string encryptionKeyBase64 = Convert.ToBase64String(encryptionKey);
string hashingKeyBase64 = Convert.ToBase64String(hashingKey);

Adding Fortification Filters

Add the following filter globally to ASP.NET Web API applications, typically in WebApiConfig.Register(HttpConfiguration config):

config.Filters.Add(new WebApiArmorFortifyFilter());

Add the following filter globally to ASP.NET MVC applications, typically in the FilterConfig class under App_Start, which Global.asax calls at startup:

public static void RegisterGlobalFilters(GlobalFilterCollection filters) {
    filters.Add(new MvcArmorFortifyFilter());
}

Protecting your Endpoints

Add the following attribute to the ASP.NET Web API endpoints you want protected; at minimum, every action that changes state:

[WebApiArmorAuthorize]

Add the following attribute to the ASP.NET MVC endpoints you want protected; again, at minimum every action that changes state:

[MvcArmorAuthorize]

Integrating with your Authentication Mechanism

If your application uses claims-based authentication, ARMOR's built-in IdentityReader reads the UserId claim for you; its TryRead method is as follows:

using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

// `principal` is the current IPrincipal held by the IdentityReader base class.
public override bool TryRead(out IEnumerable<Claim> identity) {
    var claims = new List<Claim>();
    identity = claims;

    var claimsIdentity = principal.Identity as ClaimsIdentity;
    if (claimsIdentity == null) return false;

    // SingleOrDefault throws InvalidOperationException if more than one "UserId" claim is
    // present, so an ambiguous identity fails loudly instead of silently picking one.
    var subClaim = claimsIdentity.Claims.SingleOrDefault(c => c.Type.Equals("UserId"));
    if (subClaim == null) return false;

    claims.Add(subClaim);
    return true;
}

If your application uses any other authentication mechanism, create your own IdentityReader implementation and override TryRead so that it returns the logged-in user's ID as a Claim. Return false for unauthenticated requests rather than emitting a placeholder ID: the token ARMOR issues is bound to whatever identity the reader reports, so a reader that invents one weakens the check.
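As an added example (not part of the ARMOR project), here is a reader for an application that uses ASP.NET Forms Authentication rather than claims. It assumes, from the sample above, that IdentityReader takes the current IPrincipal in its constructor and exposes it as `principal`; that assumption, the `FormsIdentityReader` name, the `CreateEncryptedTicket` helper and the convention of storing the user's database ID in the ticket's UserData field are this example's, not the library's.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Principal;
using System.Web.Security;
using Daishi.Armor.WebFramework;   // IdentityReader base class

// Hypothetical reader for an app on ASP.NET Forms Authentication that stores the
// user's database ID in FormsAuthenticationTicket.UserData at login.
public class FormsIdentityReader : IdentityReader
{
    // ASSUMPTION: the base class receives the current IPrincipal here and exposes it
    // as `principal`, which is how the claims-based sample reader refers to it.
    public FormsIdentityReader(IPrincipal principal) : base(principal) { }

    public override bool TryRead(out IEnumerable<Claim> identity)
    {
        var claims = new List<Claim>();
        identity = claims;

        // Anonymous request: there is no user to bind a token to, so report failure
        // rather than emitting an empty or placeholder ID.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
            return false;

        var formsIdentity = principal.Identity as FormsIdentity;
        if (formsIdentity == null) return false;

        // Use the stable ID from UserData. Falling back to the login name would bind the
        // token to a value that can change (renames) or collide across identity sources.
        var userId = formsIdentity.Ticket.UserData;
        if (string.IsNullOrWhiteSpace(userId)) return false;

        // Same claim type the sample reader above looks for.
        claims.Add(new Claim("UserId", userId));
        return true;
    }

    // Login side: issue the Forms ticket with the database ID in UserData so the reader
    // above can find it on later requests. Use the returned string as the value of the
    // forms cookie where you would otherwise call FormsAuthentication.SetAuthCookie.
    public static string CreateEncryptedTicket(string userName, string userId, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        // (version, name, issueDate, expiration, isPersistent, userData)
        var ticket = new FormsAuthenticationTicket(1, userName, now, now.Add(lifetime), false, userId);
        return FormsAuthentication.Encrypt(ticket);
    }
}
```

How the custom reader is registered with ARMOR is not shown in this README; the linked tutorial covers the wiring. Whatever the mechanism, the reader should be the only place that decides which value the token is bound to, so keep it free of fallbacks that could make two different users look the same.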

Contact the Developer

Please reach out and contact me for questions, suggestions, or to just talk tech in general.
