如何防止利用图片URL进行跨站请求伪造攻击?
IMG 嵌入式命令 - 这有效 当这个网页所在的时候 注入(如网页板)在后面 密码保护和该密码 保护与其他命令一起使用 在同一个域上。这个可以用 要删除用户,请添加用户(如果 访问该页面的用户是 管理员),发送凭据 其他地方等等......这是其中之一 较少使用但更有用的 XSS 向量:
或者:
重定向 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
我允许用户在论坛中发布图像。如何防范这种情况?
我正在使用 Java Struts,但欢迎任何通用答案。
From ha.ckers.org/xss.html:
IMG Embedded commands - this works
when the webpage where this is
injected (like a web-board) is behind
password protection and that password
protection works with other commands
on the same domain. This can be used
to delete users, add users (if the
user who visits the page is an
administrator), send credentials
elsewhere, etc.... This is one of the
lesser used but more useful XSS
vectors:<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">or:
Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser
I allow users to post images in the forum. How can this be protected against?
I'm using Java Struts but any generic answers are welcome.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(5)
如果遵循HTTP规范的规则,这种攻击将会使得没有坏处。 9.1.1 安全方法部分说:
因此,所有在服务器端更改数据的请求都只能通过 POST 来允许。即使在那里,您也应该只允许系统通过生成仅对特定表单/操作有效的令牌来验证的请求。
If you follow the rules of the HTTP specification, such a kind of attack will make no harm. The section 9.1.1 Safe Methods says:
So all requests that change data on the server side should only be allowed via POST. And even there you should only allow those requests that your system has authenticated by generating tokens that are only valid for a specific form/action.
此攻击只是向任何 URL 发出 HTTP GET 请求。您无法通过阻止某些
![]()
相反,您需要确保您的网站没有目标(响应
GET请求并更改内容的 URL)如果没有任何响应 HTTP GET(而不是 POST)的“多汁”URL并更改数据,攻击者将无处可攻击。 (
![]()
This attack is simply an HTTP GET request made to any URL. You cannot reliably block it by prevent certain
<img>tags.Instead, you need to make sure that your website has no targets (URLs that respond to
GETrequests and change things)If there aren't any "juicy" URLs that respond to HTTP GETs (not POSTs) and change data, the attacker will have nothing to attack. (
<img>tags cannot be used to create HTTP POSTs)跨站点脚本编写是您不应允许论坛用户通过链接到站点外部的图像来发布图像的原因之一。
应通过允许用户将图像文件上传到您的网站并使用内部相对 URI 来提供图像发布。
Cross-site scripting is one reason why you should not allow forum users to post images by linking to images outside your site.
Image posting should be provided by allowing users to upload the image file to your site and using internal relative URI.
通过注入
![]()
![]()
您不应该允许人们在您的页面上放置 html。在这种情况下,您应该让用户上传它们,然后在本地托管图像。如果您确实希望人们在您的网站上放置 IMG 标签,请确保 URL 没有指向您的服务器,因为这就是攻击的后果!也不要使用基于引用的 XSRF 保护,使用基于令牌的保护。
![]()
By injecting an
<img>tag someone can bypass referer based XSRF protection for a GET request. The reason why is because the referer for the GET request produced by the<img>has the same referer as the host its self. So this would bypass code checking to see if the referer and the host where different.You shouldn't allow people to put html on your page. In this case you should let users upload them and then host images locally. If you really want people to put IMG tags on your site, make sure the URL isn't pointing to your server, because this what an attack would do! Also don't use referer based XSRF protection, use token based.
<img>tag injection cannot bypass token based xsrf protection.似乎没有人提到允许人们发布图像的威胁不是针对您,而是针对其他网站。
如果您允许人们发布图像,但您的网站没有 XSRF 漏洞,那么您的网站就不会处于危险之中;其他具有 XSRF 漏洞的网站也是如此,因为您的用户在访问您的网站时会在不知情的情况下通过嵌入图像向其他网站发出请求。恶意
![]()
请注意,这不是真实的图像,但浏览器不会知道这一点,因此它无论如何都会发出请求,将 100,000 美元转移到 mandy-the-hacker 的帐户,假设用户当前登录到 my-bank-website.com。这就是 XSRF 漏洞的工作原理。
防止这种情况的唯一方法是强制用户上传图像,而不是为其提供 URL。然而,恶意用户仍然可以只提供 XSRF 漏洞的链接,因此删除提供 URL 的功能并没有真正的帮助。您允许
![]()
No one seemed to mention that the threat in allowing people to post images is not to you, it's to other sites.
If you allow people to post images but your site has no XSRF vulnerabilities, your site is not in danger; other sites with XSRF vulnerabilities are, as your users will unknowingly make requests to the other site via the embedded image when they visit your site. The malicious
<img>tag will look something like this:Note that this is not a real image, but the browser will not know that, so it will make the request anyways, transferring $100,000 to mandy-the-hacker's account, assuming the user is currently logged on to my-bank-website.com. This is how XSRF vulnerabilities work.
The only way to prevent this is to force users to upload images, rather than providing URLs for them. However, the malicious user could still just provide a link to the XSRF vulnerability, so removing the ability to provide URLs doesn't really help anything; you are not really harming the other site by allowing
<img>tags, they are harming themselves by not using user-specific tokens in forms.