防止重放攻击_如何防止您的网站上的重放攻击

防止重放攻击

This article was originally published at Ben’s Tech Talks site.

本文最初在Ben的Tech Talks网站上发布。

Replay attacks, in which attackers intercept and resend network packets that do not belong to them, are extremely dangerous and can in some cases cause serious damage. What makes these kinds of attacks even more noisome is that they can even be staged on encrypted communication channels without gaining access to the decryption keys. Attackers only have to eavesdrop on your line and have a general knowledge of what task a specific set of packets are performing, and by resending those packets or requests, they will be able to disrupt your communications or cause more damaging effects.

重播攻击 (攻击者拦截并重新发送不属于它们的网络数据包)极为危险，在某些情况下可能会造成严重破坏。 使这类攻击更加令人讨厌的是，它们甚至可以在加密的通信通道上进行，而无需访问解密密钥。 攻击者只需窃听您的电话，并且对特定的一组数据包正在执行的任务有一个一般的了解，并且通过重新发送这些数据包或请求，他们将能够破坏您的通信或造成更大的破坏性影响。

In this article, I’ll show you a basic, easy-to-implement method that will prevent replay attacks on your website. It will also have the side benefit of preventing the annoying effects of confused users repeating their last POST request by constantly refreshing their browser at the wrong time.

在本文中，我将向您展示一种基本的，易于实现的方法，该方法可以防止对您的网站进行重放攻击。 通过在错误的时间不断刷新浏览器，还可以防止混乱的用户重复他们的上一个POST请求的烦人的副作用。

This is far from a complete solution. It has flaws and pending issues, but it gives you a general view of how tokens and simple protocols can enhance security in your websites. Sample codes and implementation are done in ASP.NET and C#, but the concept can be deployed on any other platform or programming language.

这远非一个完整的解决方案。 它具有缺陷和悬而未决的问题，但是它使您可以大致了解令牌和简单协议如何增强网站的安全性。 示例代码和实现在ASP.NET和C＃中完成，但是该概念可以部署在任何其他平台或编程语言上。

一次性代币概念 (The One-time Token Concept)

The idea behind the solution that will be offered in this post is to tie every HTTP response to a token string which will be valid only for the next post request. Here’s a simple breakdown of the steps involved:

本文将提供的解决方案背后的想法是将每个HTTP响应与一个令牌字符串相关联，该令牌字符串仅对下一个发布请求有效。 这是所涉及步骤的简单分解：

1. The client makes a GET request by typing the URL or a page or by clicking on a link.
   客户端通过键入URL或页面或单击链接来发出GET请求。
2. The server generates a random token. Subsequently, it stores a copy of the token in the session and embeds a copy of the token in the <form> tag of the response it sends to the client.
   服务器生成一个随机令牌。 随后，它将令牌的副本存储在会话中，并将令牌的副本嵌入到发送给客户端的响应的<form>标记中。
3. The client processes the content, and sends a POST request to the server, say when the user clicks on a button, which contains the randomly-generated token.
   客户端处理内容，然后向服务器发送POST请求，例如，当用户单击包含随机生成的令牌的按钮时。
4. The server receives the request and proceeds with processing it onl