Using a synchronizer token pattern to prevent CSRF
Question
I have been reading about using a synchronizer token pattern to prevent CSRF (CSRF meaning Cross-site request forgery), and I don't understand how it is actually safe.
Let's say I have a fake bank site fakebank.com with two urls:

fakebank.com/withdrawForm.html - a GET request which displays the withdraw money form
fakebank.com/doWithdraw - POST to this url to do the withdraw
My understanding of the security flaw is that maliciousSite.com can spoof a POST request to fakebank.com/doWithdraw, and if you're currently logged in to fakebank, the POST will be successful.
Let's say we implement a Synchronizer Token Pattern which will embed a secret code on fakebank.com/withdrawForm.html. Can't maliciousSite.com just spoof a GET request for that form, parse the html result, get the token, and then create the POST request with that token?
This is assuming fakebank.com isn't checking HTTP Referrer or Origin, or maliciousSite.com is successfully spoofing that the Referrer/Origin is fakebank.com.
Accepted answer
The reason why this is secure, and maliciousSite.com cannot simply do a GET, steal the token, and then do a POST, is that the request is done by the user's browser, not by the server at maliciousSite.com. All data returned from fakebank.com is returned to the user's browser, not to the server at maliciousSite.com. If maliciousSite.com does perform a GET to retrieve a token, it will be a different token than was issued to the user. maliciousSite.com cannot set this cookie into the user's browser to be submitted to fakebank.com because of same-domain restrictions.
The CSRF POST attack works by tricking the user's browser into requesting fakebank.com/withdrawForm.html directly using a properly formed POST request. The server at fakebank.com happily executes the requested POST, thus transferring funds using the parameters supplied in the POST body (which include a destination account belonging to the attacker that was put there by maliciousSite.com). The server at maliciousSite.com doesn't need to see the data returned, because the action has been taken (unless fakebank.com uses these CSRF tokens, which maliciousSite.com can't possibly know unless it has been divulged in some way. It can't ask for it). If fakebank.com is using CSRF tokens, then maliciousSite.com will submit a POST request that is missing the token, thus indicating a potential CSRF attack in progress.
Vulnerabilities of this method include using a CSRF token that is not kept sufficiently secret and is divulged in some way. Also, if the CSRF token is not sufficiently random, then maliciousSite.com might be able to guess it. Also, if there is a weakness in the browser's enforcement of same domain policy, this could be exploited. Generally speaking, modern browsers are not vulnerable to this.
Please let me know if this is an insufficient explanation and I'll attempt to articulate it a little better for you.
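The distinction the answer draws (the token is bound to the session that fetched the form, while a forged cross-site POST carries the victim's cookie but not that token) as an added Python model; this is not code from the original post, and fakebank.com's session store, handler functions and field names are hypothetical:

```python
import hmac
import secrets

# Added example, not code from the original question or answer: an in-memory
# model of fakebank.com using the synchronizer token pattern (names hypothetical).
SESSIONS = {}  # session cookie value -> session state

def login(user):
    """Create a session; the returned id is what fakebank.com sets as the cookie."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": None}
    return sid

def get_withdraw_form(sid):
    """GET /withdrawForm.html: mint a token bound to THIS session and embed it."""
    sess = SESSIONS[sid]
    if sess["csrf_token"] is None:
        sess["csrf_token"] = secrets.token_urlsafe(32)  # CSPRNG, so not guessable
    html = ('<form method="POST" action="/doWithdraw">'
            f'<input type="hidden" name="csrf_token" value="{sess["csrf_token"]}">'
            '<input name="amount"><input name="to_account"></form>')
    return html, sess["csrf_token"]

def post_do_withdraw(sid, form):
    """POST /doWithdraw: the browser attaches the cookie automatically, but the
    token in the body must equal the one stored for that same session."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401, "not logged in"
    submitted, expected = form.get("csrf_token"), sess["csrf_token"]
    if submitted is None or expected is None \
            or not hmac.compare_digest(submitted, expected):
        return 403, "CSRF token missing or invalid"  # log this: likely CSRF
    return 200, f"withdrew {form['amount']} to {form['to_account']} for {sess['user']}"

def demo():
    """The three cases from the answer; returns the HTTP status of each."""
    victim = login("alice")
    _, victim_token = get_withdraw_form(victim)
    legit, _ = post_do_withdraw(victim, {"csrf_token": victim_token,
                                         "amount": "10", "to_account": "savings"})
    # Forged POST: the victim's cookie rides along, but maliciousSite.com never
    # saw the victim's copy of the form, so the body carries no token.
    missing, _ = post_do_withdraw(victim, {"amount": "10", "to_account": "attacker"})
    # maliciousSite.com fetches its own copy of the form: that token is bound to
    # the attacker's session, not the victim's, so it does not match.
    _, attacker_token = get_withdraw_form(login("mallory"))
    wrong, _ = post_do_withdraw(victim, {"csrf_token": attacker_token,
                                         "amount": "10", "to_account": "attacker"})
    return {"legit": legit, "missing_token": missing, "other_sessions_token": wrong}
```

The 403 branch is the point at which a real server should also log the session and source so that a burst of token mismatches can be picked up as a possible CSRF campaign.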