Forms without CSRF tokens: what are the risks?
What exactly are the risks I'm exposing myself to if I don't use CSRF tokens in my forms? I'm not looking for simple labels or names of the risks, because these can be confusing. I need to understand what exactly an attacker can do and only under what circumstances they can do this, in plain English.
Comments (2)
A CSRF vulnerability is one which allows a malicious user (or website) to make an unsuspecting user perform an action on your site which they didn't want to happen.
Some real-world examples would be things like if you allowed a user to delete an account over GET instead of POST, someone could post the following comment on your site (assuming the site has some way to post comments or other input, etc.)
And now any time a logged-in user loads that page, their account would be deleted. If it was done over POST instead of GET, someone could craft a form and trick users into submitting it and the same result would happen. Whereas if you used a CSRF token, this wouldn't be possible.
Another example would be that an external site could craft a form which POSTs to your site, and perform an undesirable action. So let's say your site has a shopping cart which doesn't use CSRF tokens. A malicious site could create a form with a button that says "Click here to register", but actually orders 1000 of something from your site. If a logged-in user from your site visits this malicious site and clicks the button, they'll get a nice surprise in the mail.
Obviously there are other cases, these are just a few examples. A Google search should show up plenty of articles and tutorials, many of which will probably have some other examples. The Wikipedia page also has some examples which you might find interesting.
The main idea of the examples is that someone can trick your site into performing an action as if it came from a user, when really the user wasn't aware it was happening or didn't want it to happen. If you have any sort of action on your site which is destructive (i.e. can delete things from a user account, logout a user, etc.) or critical (i.e. deals with money) you should probably use CSRF tokens. If your site is just a photo album for friends, etc. then you probably don't need to bother with CSRF tokens (although it's always good to practice for when you do build a site that needs them).
Unless you add a token to ensure that a request came from a form your site presented to the user intentionally, you don't really have a way of knowing if the user intended to perform the action.
So you always want to use a unique token on every form you generate that POSTs and validate any requests that are POSTed to your site have a valid token for the current user. Also make sure to expire the tokens after some amount of time so that they don't last forever.
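As an added illustration (not part of the answer above, and not any particular framework's implementation), here is one way to implement what that answer recommends: a token that is unique per rendered form, bound to the current user's session, verified on every POST, and expiring after a fixed time. The token is stateless (an HMAC over session id, nonce and issue time), so the server does not need to store it. The `handle_post` function, the `csrf_token` form field, the `session` cookie name and the one-hour lifetime are assumptions made for this example; the sample requests at the bottom are constructed inline.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Assumption for the example: tokens stop being accepted one hour after issue.
TOKEN_TTL_SECONDS = 3600


def _mac(secret: bytes, session_id: str, nonce: str, issued_at: int) -> str:
    """HMAC-SHA256 over the fields the token must be bound to."""
    msg = f"{session_id}|{nonce}|{issued_at}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def generate_token(secret: bytes, session_id: str, now: Optional[int] = None) -> str:
    """Issue a fresh token for one form render: nonce.issued_at.mac.

    The random nonce makes every rendered form carry a distinct token; the
    session id in the MAC ties it to the logged-in user it was shown to.
    """
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(16)
    return f"{nonce}.{issued_at}.{_mac(secret, session_id, nonce, issued_at)}"


def validate_token(secret: bytes, session_id: str, token: Optional[str],
                   now: Optional[int] = None, ttl: int = TOKEN_TTL_SECONDS) -> bool:
    """Accept only a well-formed, unexpired token minted for this session."""
    if not token:
        return False
    parts = token.split(".")
    if len(parts) != 3:
        return False
    nonce, issued_str, mac = parts
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    current = int(time.time()) if now is None else now
    # Reject tokens from the future and tokens older than the TTL.
    if issued_at > current or current - issued_at > ttl:
        return False
    expected = _mac(secret, session_id, nonce, issued_at)
    # Constant-time comparison so the check does not leak the expected MAC.
    return hmac.compare_digest(expected, mac)


def handle_post(request: Dict, secret: bytes, now: Optional[int] = None) -> Tuple[int, str]:
    """Gate a state-changing POST (here: account deletion) on a valid token.

    `request` is a plain dict standing in for a framework request object:
    {"cookies": {"session": ...}, "form": {"csrf_token": ...}}.
    """
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    form = request.get("form", {})
    if not validate_token(secret, session_id, form.get("csrf_token"), now):
        # A cross-site form can carry the victim's cookie (the browser adds
        # it), but it cannot know a token minted for that session.
        return 403, "missing or invalid CSRF token"
    return 200, f"account deleted for session {session_id}"


def demo(secret: bytes = b"server-side-secret-kept-out-of-html") -> Dict[str, int]:
    """Run three constructed requests and return their status codes."""
    session_id = "sess-alice"  # constructed session id for the example
    issued = 1_700_000_000     # fixed clock so results are reproducible
    token = generate_token(secret, session_id, now=issued)
    cookies = {"session": session_id}
    return {
        # Form rendered by our site, submitted promptly: accepted.
        "legit": handle_post({"cookies": cookies, "form": {"csrf_token": token}},
                             secret, now=issued + 5)[0],
        # Form hosted on another site; browser still sends the cookie: rejected.
        "cross_site": handle_post({"cookies": cookies, "form": {}}, secret,
                                  now=issued + 5)[0],
        # Our own form, but submitted after the token expired: rejected.
        "stale": handle_post({"cookies": cookies, "form": {"csrf_token": token}},
                             secret, now=issued + TOKEN_TTL_SECONDS + 1)[0],
    }


if __name__ == "__main__":
    print(demo())  # {'legit': 200, 'cross_site': 403, 'stale': 403}
```

The secret must never be embedded in rendered pages; only the token is. Because the MAC covers the session id, a token copied from one user's form is useless when replayed with another user's cookie, which is the "valid token for the current user" property the answer asks for.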
I would advise you to read this excellent article explaining what CSRF is and how you could best protect yourself against it.