远程图像嵌入:如何处理需要身份验证的图像?
我管理着一个大型且活跃的论坛,但我们正受到一个非常严重的问题的困扰。我们允许用户嵌入远程图像,就像 stackoverflow 处理图像 (imgur) 的方式一样,但是我们没有一组特定的主机,可以使用以下代码从任何主机嵌入图像:
[img]http://randomsource.org/image.png[/img]
这工作得很好,很花哨......除了用户可以嵌入需要身份验证的图像外,该图像会导致出现弹出窗口,并且由于可以编辑身份验证弹出窗口,因此他们会输入类似“请在此处输入您的 [站点名称] 用户名和密码”之类的内容,不幸的是,我们的用户已为之倾倒。
对此,正确的反应是什么?我一直在考虑以下内容:
每个页面加载都有一段 Javascript 执行,用于检查页面上的每个图像及其状态
拥有图像主机的授权列表
完全禁用远程嵌入
问题是我从未在其他地方看到过这种情况发生,但我们却被它所困扰,我们该如何预防呢?
I manage a large and active forum and we're being plagued by a very serious problem. We allow users to embed remote images, much like how stackoverflow handles image (imgur) however we don't have a specific set of hosts, images can be embedded from any host with the following code:
[img]http://randomsource.org/image.png[/img]
and this works fine and dandy... except users can embed an image that require authentication, the image causes a pop-up to appear and because authentication pop-ups can be edited they put something like "please enter your [sitename] username and password here" and unfortunately our users have been falling for it.
What is the correct response to this? I have been considering the following:
Each page load has a piece of Javascript execute that checks each image on the page and its status
Have an authorised list of image hosts
Disable remote embedding completely
The problem is I've NEVER seen this happen anywhere else, yet we're plagued with it, how do we prevent this?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
这不仅仅是密码问题。您还允许某些用户对其他用户进行 CSRF 攻击。例如,用户可以将其个人资料图像设置为
[img]http://my-active-forum.com/some-dangerous-operation?with-some-parameters[/img]。最好的解决方案是 -
免受此类恶意活动的影响。
如果您无法在服务器端下载图像,请在服务器端创建允许的 url 模式(不仅仅是域)的白名单。丢弃任何与此 URL 模式不匹配的 URL。
您不得在 javascript 中执行任何检查。在 JS 中执行检查可以解决您眼前的问题,但不能保护您免受 CSRF 的影响。您仍在从用户浏览器向攻击者控制的 URL 发出请求,这是有风险的。此外,该方法对性能的影响是令人望而却步的。
Its more than the password problem. You are also allowing some of your users to carry out CSRF attacks against other users. For example, a user can set up his profile image as
[img]http://my-active-forum.com/some-dangerous-operation?with-some-parameters[/img].The best solution is to -
from such malicious activity.
If you cannot download the images on the server side, create a white list of allowed url patterns (not just domains) on the server side. Discard any urls that don't match this URL pattern.
You MUST NOT perform any checks in javascript. Performing checks in JS solves your immediate problems, but does not protect your from CSRF. You are still making a request to an attacker-controlled url from your users browser, and that is risky. Besides, the performance impact of that approach is prohibitive.
我认为你主要回答了你自己的问题。就我个人而言,我会选择选项 1 和选项 2 的混合:即创建一个客户端 Javascript,它首先针对一组白名单主机检查图像嵌入 URL。对于不在该列表中的每个嵌入 URL,请按照这些行执行操作,同时检查服务器是否没有返回401状态码。
这样就可以在延迟(我们尝试通过 HEAD 方法和域白名单最小化重复请求)和安全性之间取得平衡。
话虽如此,如果您的用户可以接受,选项 2 是最安全的。
I think you mostly answered your own question. Personally I would have gone for a mix between option 1 and option 2: i.e. create a client-side Javascript which first checks image embed URLs against a set of white-listed hosts. For each embedded URL which is not in that list, do something along these lines, while checking that the server does not return the 401 status code.
This way there is a balance between latency (we attempt to minimize duplicate requests via the HEAD method and domain whitelists) and security.
Having said that, option 2 is the safest one, if your users can accept it.