2. Tech
  3. Carefully translated: Use the verification password to reject illegal access

Carefully translated: Use the verification password to reject illegal access

zhaozj2021-02-16  43

Directory: How to make Captchas operations inquiry Captcha code Draw Captcha Picture Creating a HASH Value Introduction Who is accessing your web program? If you think just log in after registration, then the result will make you big. How to distinguish is being logged in is a man or a machine, how to refuse automatic registration login requests is very important if you are developing a business logic-based client, you might want to perform a transaction on different machines, or hope User identity ends the transaction. When you run a business program that requires a reasonable user account, you may be surprised to discover some of your user accounts may belong to one person - a person in his machine is smart-in-one running a script to create different in your business logic. "Virtual" account. These accounts spend your resource, bandwidth, and other time and raw materials. The process of creating different accounts using scripts called identity spoof, for most simple sites, this operation is easily implemented. All snrolescents need to create an HTML form that needs to include the same fields as your login form, then use "http-post" to transfer data to your server, your server will perform the corresponding creation account. operating. The worse case is if your login form is "http-get". Operation execution, once successfully created an account, there is no way to prevent spoofers from performing the entire creation process repeatedly. With an automated script, spoofers can create hundreds of accounts one by one, if your server can't validate these data, you will fall into troubles that deal with a large number of useless virtual accounts, and a lot of access may take you. System resources make your application slow or crash. Other potential spoofings may also happen, such as easy to write a script, using this script to use the same user account to log in to access in different web browsers. Although this is not a problem for some sites, it will waste resources and bandwidth when the web program allows the client to download files or other resources. Some applications detect whether the user has logged in when it allows the user to create a new instance in the browser. Multi-client attacks can cause the server to perform login check operations, which will also consume the server's resources such as database connections and system memory. There are many ways to prevent creating a user account from creating spoofing. This article mainly discusses the technology called "Word-Verification Technology", as well as positive and negative roles played in your program, some popular sites such as Yahoo and MSN Hotmail use this in their applications. Technologies to reduce spam in the mail account domain. Yahoo's verbatic verification technology is a technology called "Captcha Project" developed by Mellon University, Chicago. Captcha is a method of distinguishing between people and machines. A captcha method proposes a problem, this problem is easy to solve for people, but it is impossible for the machine or difficult to solve, a universal captcha method is to provide users with a picture containing built-in text, Users must crack these texts and submitted with the user login form or user account creation form. For example, Figure 1 shows a simple CAPTCHA picture Figure 1 shows a simple exemplary example, which contains a combination of a randomized single-write mixed character combination. By increasing the difficulty of discriminating non-human machine identification text through a background and some additional lines. Humans are easy to read "PVHKF" from pictures 1, but a machine is hard to read these characters. For a machine, you must be able to translate this text, it must be able to read text using an optical character recognition engine (OCR) Although the OCR engine is increasingly accurate, it can easily distinguish the pattern and color of the background, even if the line or point is doped. You can use the person / machine to read the textual ability to provide the text that the OCR engine is difficult to identify.

This ensures that a new access or login from one person rather than the machine is the most valuable. OCR technology has more advanced evolution in corruption of Captcha technology, and simple text confusion technology is easily scanned by OCR to scan Captchas and correctly read characters in the picture to attack. In response, you can make Captchas more difficult to read, however, if you will translate the text too exaggerated, it is also a challenge to legal user identification. Fortunately, OCR-based attacks are not perfect and universal, so the word verification technology discussed here for most predetermined attackers provide sufficient protection 333 how to make Captchas operation login operations or create new user operations must be included. A logic comparison, the application draws some text into a picture, after reading these text, perform logic comparison, if these drawings and users entered after reading, you can think that this user is a person Instead of running automatically on a machine. Verify matching comparisons on the server cannot solve the kind of a robust solution by sending a large number of requests to send a large number of requests, as a robust solution, this application should include the following constraints: 1. Reduce system resources to minimize, this application should not contain any type of data storage - it should not contain write files, store information to database, etc. 2. The application does not use a session (session) to manage status. The session is an unhappy solution, not only because they are stored in the server (violating the constraints mentioned above), and they are not well used in the web form. 3. In order to ensure that the application does not request a fraud attack, the application should verify the character of the Captcha character and the user response input, not on the server to ensure that these constraints are implemented, it is clear that you should store this in the client. Randomly generated strings. This stored data must be encrypted, allowing spoofers to automatically read submit using scripts. This Sample Application provides a solution to a hash string by using SHA1 hash technology. A HASH is a value or key generated from the string content, and the application should be able to replace a raw string using shorthaash values. The hash method provides faster encoding. You can't cover the original string with the value of HASHED. There are many haveh algorithms, the SHA1 hash algorithm produces a value of HASH, such as a given string always produces the same HASH value, other Strings cannot produce the same hash value. If you have two string's HASH values, if the content of the original string is the same, you should compare the Hash value instead of the string itself for higher accuracy. You can see some more article about SHA1 Hash Algorithm Here, you can extract characters embedded on the server on the server, and then send them to the client to save in the HTTP cookie, then the user will read from the image. The text returns to the server, the server compares the text you entered and saved in the HTTP cookie. If the two hash strings are equal, it means that the user has successfully entered the characters embedded in Captcha. . Next, when you create a new page, you must correctly decide there and how to store the hash value although it is possible to create a web form that returns a picture and content (Content), you can't return them at the same time.

In order to return a picture of a JPEG format, this page must be set to "Image / JPEG,", and vice versaration If you want to return HTML content, response.contentType should be set to "Text / HTML" .. Therefore, the easiest way is to use two pages: one page returns the text of the text, and another page creates and returns a Captcha image. When the server creates a page containing text content, it will include the flag, the browser can resolve the IMG flag, and then request this image from the server as separate request. This request will generate a random string and image, but it cannot write text content to return to the browser because this browser is submitted to a photo response. Response.ContentType must be image / jpeg. ", So when you ask for a picture, you must find a way to return this generated hash value to the client, so that you can verify that the content entered by the client and the Hash value are consistent because The previously described constraints canceled the storage mechanism of the session, file, and the database, so you only have cookies, generate a HASH before putting the random character into the generated picture, generate a HASH and write a cookies containing the Hash value to http- Headers, this cookies can be sent to the client as part of the response head. Because there is no http_content does not include text, the response.conteTtype is set to "Image / JPEG" will be able to submit correctly. Now you have a solution that meets all constraints. The following is the time our drilling code. This home page (index.asp) contains some user input controls, a random picture file, a submission button, this page contains the following HTML content:

Note the flag of the picture control (ASP: image) and the standard HTML image flag is Very similar, just this picture control flag's URL points to a page that returns a picture instead of directly pointing to some picture files.

There are still two partial logic to understand that you need to generate a random string: The following generatingrandomstring function generates a character range between AZ and AZ, if you Greece would like to create a numeric string contains, you can also implement Public Shared Function GenerateRandomString (ByVal iLength As Integer) As string Dim iStartBC, iEndBC, iStartSC, iEndSC by modifying the range of characters, _ iCount, iTmpC As Integer Dim sRandomString As String Dim rRandom As New Random (_ System.DateTime.Now.Millisecond) 'Convert characters into their integer equivalents' (their ASCII values) iStartSC = Asc ( "a") iEndSC = Asc ( "z") iStartBC = Asc ( " A ") IENDBC = ASC (" Z ") 'Now loop as many Times As Necessary to build' The String Length We want While (iCount = iStartsc) and (itmpc <= IENDSC) _ or (itmpc> = iStartBC) and _ (ITMPC <= IENDBC)) "THEN SRANDOMSTRING = CHR (ITMPC ICount = 1 End if End While End Function Creating a Hash Value Next, you need to create a Hash value for random string generated for this function. However, this cannot solve all the problems, once a deceived notes all the page is sending a Hash version of the string to the client, he can easily discover the attack method. By comparing any disorder strings entered by the user, he can create a spoof: 1. He arbitrarily chooses a Hash string 2 to be sent. Clear Text Sending the string to the server to server processing logical server processing logic is: 1. Hash (HASH) 2.. The comparative hash text and the sending haveh value, so you have to think about preventing the deceived sanctic sanctions. However, Hashes is a "one-way" function. You must check the HASH must be generated from your application.

Creating a unique Hash This is a machine verification check (MAC) that is most applicable, just like the name suggests, Mac is a technology that produces a unique hash value on a special machine. You should append this unique value in your plain text before you have a whole message in hash. When you do this, only the machine knows the key to open the Hash value, no other person can know how to produce the exact same HASH, even if they know the news of this plain text,. Some steps are shown here: 1. A unique GUID key (Mac Key) is generated with the Guid.newGuid function. Save Mac Key3 in the application's web.config. Retrieve stored MAC keys and append it to your own string 4. Hash whole message 5. Save this hash result in cookie 6. To perform verification operations, ensure that your form uses HTTP-POST to send users to verify the string to server 7. When the application receives this string, add the MAC key in web.config to the end of the string 8. The whole message generated by the hash seventh step 9. Retrieve this cookie value from the HTTTP request header and compare the message generated by the eighth step and the cookie value of the fourth step. If these values ​​are not equal, you or receive a fraud or user when reading and writing captcha text If you don't know what Mac Key is, no one can be portable to produce the same Hash or even the same plain text. This is very good to prevent man-in-the-middle (mitm) attack, in fact ASP.NET's enableViewStateMac command also provides additional security to prevent Mitm attacks.

Here are some haveh code, you can find these function code in Downloadable Code: PUBLIC SHARED FUNCTION HashMacme (Byval S as String) _ as string dim b as byte Dim HashValue () AS BYTE DIM retString As String 'Create a new instance of the UnicodeEncoding' class to convert the string into an array of 'Unicode bytes Dim UE As New UnicodeEncoding' Convert the string into an array of bytes. Dim MessageBytes As Byte () = UE.GetBytes ( s & _ AppSettings ( "MACKey")) 'Create a new instance of the SHA1Managed class' to create the hash value. Dim SHhash As New SHA1Managed' Create the hash value from the array of bytes. HashValue = SHhash.ComputeHash (MessageBytes) 'Return a hexadecimal representation of the string for Each B in HashValue RetString = B.TOString ("x2") NextReturn RetString End Function These code reads Mac Key from web.config, then add more than the final output information They go to the initial string. This page sends this Hash value to draw this Hash value as a cookie. You also need to draw these strings in a picture. .NET Framework will draw the process simplified for a few lines of simple code Listing 1 shows how to draw code, which can also be found in the DRAWRANDOMIMAGE.ASPX.vb file in Downloadable Code.. The code in Listing 1 uses a string parameter (DS) and draws onto the image with a bold, and finally add some random lines to the picture to prevent OCR scanning software, and finalize the ContentType of this page is set. "Image / jpeg "and then use the response.outputStream to save the image.

Connecting these, the following is the code page_load event: Private Sub Page_Load (ByVal sender As System.Object, _ ByVal e As System.EventArgs) Handles MyBase.Load 'Conjure up some Random Characters in a String Dim b As RandomStringGenerator Dim s As String s = b.GenerateRandomString (5) 'Hash the Random String together with a SecretKey' (Machine Authentication Check) to prevent MITM spoof Dim hMACIString As String = b.HashMACMe (s) 'Store the results in a HTTPCookie Dim c As HttpCookie = New HttpCookie ( "hMACIString") c.Value = hMACIString Dim dtNow As DateTime = DateTime.Now 'Set expiration of 365 days - Change this to your requirements Dim tsYear As New TimeSpan (365, 0, 0, 0) c. Expires = DTNOW.Add (Tsyear) Response.cookies.add (c) 'Call The Above DrawstringImage Routine Call DrawstringImage (s) End Sub Check Data Now is the data submitted by the checkup button to trigger the event: Private Sub Button1_click (Byval Sender as system.Object, _ ByVal e As System.EventArgs) Handles Button1.Click Dim hMACIString As String Try Dim c As HttpCookie = Request.Cookies ( "hMACIString") hMACIString = c.Value Catch End Try Dim b As RandomStringGenerator 'Send to next page in a real application If (hmacistring = b.hashmacme (accesskey.text)) The lblresult.text = "real person" else lblResult.text = "spoofed" End If End Sub AccessKey control contains the string data entered by the user, the client Send it back to the server, add the MAC key after it, hash this string, compare the cookie value of him and the Drawrandomimage.aspx page, etc.

转载请注明原文地址:https://www.9cbs.com/read-20454.html

9cbs

New Post(0)