为什么随机 CSRF 密钥可以防止 CSRF 攻击?
为了防止CSRF攻击,随机CSRF 秘密已生成。
以上来自 symfony: http://www.symfony-project.org/ getting-started/1_4/en/04-Project-Setup
既然最终是由用户操作的,这就是所谓的代理攻击。设置这个秘密如何起作用呢?
to prevent CSRF attacks, a random CSRF
secret has been generated.
The above is from symfony:
http://www.symfony-project.org/getting-started/1_4/en/04-Project-Setup
Since it's finally operated by users,which is so called deputy attack.how can it work by setting that secret?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(4)
OWASP(开放式 Web 应用程序安全项目)对 CSRF 有很好的解释,我鼓励您阅读它并在之后提出您的问题。
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_ (CSRF)
如果您正在寻找有关如何防止 CSRF 的示例实现,请查看 Django 及其文章。
http://docs.djangoproject.com/en/dev/ref/contrib /csrf/
OWASP (open web application security project) has very good explanation on CSRF, I encourage you to read it and post your questions afterwards.
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
If you are looking for sample implementation on how to prevent CSRF, take a look at Django and its write-up.
http://docs.djangoproject.com/en/dev/ref/contrib/csrf/
CSRF 或 XSRF 代表跨站请求伪造。这个想法是,当受害者执行黑客创建的 html 或 javascript 时,攻击者就会“伪造”HTTP 请求。下面是我针对 XAMPP 编写的 CSRF 漏洞利用示例。这个想法是这个 html/js 正在构建一个 POST 请求,该请求“骑”在已经存在的会话上。 CSRF 漏洞必须由当前登录的 XAMPP 管理员的浏览器执行。
为此,黑客必须提前了解有关请求的大量信息,最重要的是目标服务器和所有变量。黑客不需要知道会话 ID 或“basic-auth”标头,这是由浏览器自动提供的。如果您添加随机生成的秘密,则除非黑客知道该值,否则无法伪造请求。这就像您发送到服务器的每个请求都有一个密码。黑客可以使用 XSS 获取此令牌值。这是一种更复杂的攻击,但这里有一个使用 XSS 绕过基于令牌的 CSRF 保护的漏洞: http:// /www.milw0rm.com/exploits/7922
CSRF or XSRF stands for Cross Site Request Forgery. The idea is that the attacker is "forging" a HTTP request when a victim executes html or javascript created by the hacker. Here is an example CSRF exploit I wrote against XAMPP. The idea is that this html/js is building a POST request which "rides" on already existing session. The CSRF exploit must be executed by the browser of an XAMPP administrator that is currently logged in.
In order to do this the hacker must know a lot about the request ahead of time, most importantly the destination server and all of the variables. The hacker does NOT need to know the sesion id or the "basic-auth" header, this is automatically provided by the browser. If you add a randomly genearted secret then the request cannot be forged unless the hacker knows that value. Its like having a password for every request you send to the server. A hacker CAN obtain this token value using XSS. This is a more complex attack, but here is an exploit that bypass token based CSRF protection using XSS: http://www.milw0rm.com/exploits/7922
尝试阅读 cgisecurity 中的 CSRF 常见问题解答 (http://www.cgisecurity.com/csrf-faq。 html )。如果您对常见问题解答有疑问,我们很乐意予以解答。
编辑:引用前面链接的 CSRF 常见问题解答,讨论随机秘密的部分:
我可以采取什么措施来保护自己的应用程序?
防止 CSRF 的最流行的建议是向每个请求附加质询令牌。重要的是要声明此质询令牌必须与用户会话相关联,否则攻击者可能能够自行获取有效令牌并在攻击中利用它。除了与用户会话相关之外,限制令牌有效的时间段也很重要。此方法记录在多个文档中,但正如邮件列表帖子中指出的那样,攻击者可以利用现有的浏览器漏洞或 XSS 缺陷来获取此会话令牌。
Try readng the CSRF FAQ from cgisecurity ( http://www.cgisecurity.com/csrf-faq.html ). When you have questions clarifying the FAQ, we'll be happy to clarify.
EDIT:Quoting for the CSRF FAQ, linked previously,the section that discusses the random secret:
What can I do to protect my own applications?
The most popular suggestion to preventing CSRF involves appending challenge tokens to each request. It is important to state that this challenge token MUST be associated with the user session, otherwise an attacker may be able to fetch a valid token on their own and utilize it in an attack. In addition to being tied to the user session it is important to limit the time peroid to which a token is valid. This method is documented in multiple documents however as pointed out in mailing list postings an attacker can utilize an existing browser vulnerability or XSS flaw to grab this session token.
Symfony 中的 CSRF 秘密在这里得到了很好的解释: http://www.nacho- martin.com/csrf-tokens-in-symfony
The CSRF secret in Symfony is well explained here: http://www.nacho-martin.com/csrf-tokens-in-symfony