这对于 CSRF 保护来说足够了吗?

发布于 2024-10-15 02:43:06 字数 305 浏览 3 评论 0 原文

这对于 CSRF 保护来说是否足够:

  • 生成一个随机字符串,$_SESSION['hash'] 将其存储在
  • 一个隐藏值(在 $_POST['thing'] 中)表单包含随机字符串
  • 提交表单时,它会检查 $_SESSION['hash'] 是否等于 $_POST['thing'],如果匹配则继续

我网站的一位用户不断告诉我,我的网站容易受到攻击,但我无法判断他是否只是在恶搞我。我还有什么可以做的吗?

Is this enough for CSRF protection:

  • A random string is generated, $_SESSION['hash'] stores it
  • A hidden value (in $_POST['thing']) in a form contains the random string
  • When the form is submitted, it checks if $_SESSION['hash'] equals $_POST['thing'], and continues if they match

One of my site's users keeps telling me that my site is vulnerable, but I can't tell if he's just trolling me. Is there anything else that I can do?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

烟花易冷人易散 2024-10-22 02:43:06

我认为您缺少的是将令牌限制在很小的时间范围内。

您应该看看Chris 的 CRSF 文章。快速总结:

  • CSRF 攻击必须包含有效令牌(反 CSRF 令牌)才能完美模仿表单提交。
  • 令牌的有效性也可以限制在一个很小的时间窗口内,例如五分钟。
  • 如果您按照我的建议在所有表单中使用令牌,则可以从您的关注列表中消除 CSRF。虽然没有任何保护措施可以被认为是绝对的(攻击者理论上可以猜测有效的令牌),但这种方法减轻了大部分风险。直到下个月,注意安全。

What I think you are missing is limiting token to small window of time.

You should have a look at Chris's CRSF-article. A quick summary:

  • a CSRF attack must include a valid token (anti-CSRF token) in order to perfectly mimic the form submission.
  • The validity of the token can also be limited to a small window of time, such as five minutes
  • If you use a token in all of your forms as I have suggested, you can eliminate CSRF from your list of concerns. While no safeguard can be considered absolute (an attacker can theoretically guess a valid token), this approach mitigates the majority of the risk. Until next month, be safe.
十级心震 2024-10-22 02:43:06

如果它对每个用户来说都是唯一的,那么就足够了。即使用户会话持续时间相同,它仍然可以,但我建议定期重新生成它。
此外,您可能希望每个表单使用不同的令牌。例如,如果您有登录表单和评论表单,最好为它们使用不同的令牌,但这并不是 100% 必要的。

为什么您认为仅仅因为有人说您的网站容易受到攻击,就与 CSRF 附加有关?它们还有很多其他可能的漏洞。

也许您的 Web 服务器已经过时且容易受到攻击,也许 php 版本不是最新的。也许用户能够通过 ssh 或 telnet 登录到您的服务器。也许用户能够猜测管理员密码。

也许是为了让人们通过 cookie 登录并在 cookie 中存储登录凭据。

除了 CSRF 之外,还有太多可以被利用的东西。也有可能用户是错误的,或者不知道他在谈论什么,或者他只是想让你紧张。

If it's unique to every user, then it should be enough. Even if it's the same for duration of user session, it's still OK, but I would suggest to re-generate it periodically.
Also you may want to use different tokens per each form. For example, if you have login form and comments form, it's better to use different tokens for them, but it's not 100% necessary.

Why do you assume that just because someone says your site is vulnerable, it has to do with CSRF attach? They are so many other possible vulnerabilities.

Maybe your web server outdated and vulnerable, maybe the php version is not the most recent one. Maybe the user was able to login to your server via ssh or telnet. Maybe the user was able to guess admin password.

Maybe to let people login by cookie and store login credentials in cookies.

There are just too many things other than CSRF that could be exploited. There is also a possibility that the user is wrong or does not know that he is talking about or maybe he just wants to make your nervous.

美胚控场 2024-10-22 02:43:06

每次加载页面时,如果尚未设置,页面都会发生变化。

好吧,这就是你的问题。一旦检索到令牌,所有操作都可以轻松地进一步执行。我通常将令牌实现为对单个请求有效,然后重新生成它。

Each time they load the page, it changes IF it's not already set.

Well there is your problem. Once a token is retrieved all the actions can be easily performed further one. I usually implement the token to be valid for one single request and afterwards regenerate it.

亚希 2024-10-22 02:43:06

来自:http://en.wikipedia.org/wiki/Cross-site_request_forgery

  • 你可以额外减少 cookie 的生命周期,
  • 检查 HTTP Referer 标头
  • 和验证码 - 但并非每个用户都喜欢它

,但是您使用密钥的操作仍然比没有好......

from : http://en.wikipedia.org/wiki/Cross-site_request_forgery

  • you can additional decrease time of life of cookie
  • check the HTTP Referer header
  • and captcha - but not every user like it

however your acion with secret key is still better than nothing...

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文