Basic cookie and CSRF question

Posted 2024-11-02 22:46:00


I'm currently learning more about CSRF and I have a basic question about cookies. From Jeff Atwood's article on CSRF:

"When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. When an attacker submits a form on behalf of a user, he can only modify the values of the form. An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can send any value he wants with the form, he will be unable to modify or read the value stored in the cookie."

If cookies are a piece of text stored on a user's computer, how can they not modify/read the value of a cookie?

If they knew the value of the cookie and could see a pseudorandom value hidden in a form, wouldn't they have all they need to perform an attack?

Thanks,


2 comments

泪之魂 2024-11-09 22:46:00


Same origin policy means that an attacking website is unable to read the cookies from another domain. See http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies

We're not talking about an attacker who has a rootkit or something of the sort on a user's computer; what CSRF protects against is a malicious server having a user submit a form via a POST request to a domain that the malicious server wants to attack. Because the malicious server can't read the cookie from the target domain, they can't properly fill out the CSRF field for the POST request they're making.

翻了热茶 2024-11-09 22:46:00


What this is referring to is the synchroniser token pattern. What it usually means is that a form contains a hidden field with a value that is unique to that user's session. The same value is stored in a cookie in the user's machine. When the form is submitted, both values are checked for a match.

The advantage of this approach is that if a malicious website attempts to construct a POST request to the legitimate website it won't know that hidden form value. It's an altogether more complex process to obtain this.

The attacking site can't read or manipulate the cookie value because it was issued from another domain. More on this (including a worked example) here: OWASP Top 10 for .NET developers part 5: Cross-Site Request Forgery (CSRF)
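Both answers describe the same server-side check: the token the site placed in a cookie must equal the token submitted in the hidden form field. The Python below is an added example written for this page, not code from either answer or from the OWASP article; the cookie name `csrf`, the form field name `csrf_token` and the simulated request bodies are assumptions. It models what the browser does in each case: the cookie is attached to every POST to the target site (including one forged from another origin), but only a form rendered by the target site can carry a matching hidden value, because the attacking origin cannot read that cookie.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Assumed names: the site stores the token in a cookie called "csrf" and
# in a hidden form field called "csrf_token". Both are set by the target site.
COOKIE_NAME = "csrf"
FIELD_NAME = "csrf_token"


def issue_csrf_token() -> str:
    """Target site mints one unpredictable token per session and sends it
    twice: as a cookie and as the hidden field of every form it renders."""
    return secrets.token_urlsafe(32)


def csrf_request_is_valid(cookie_header: str, form_body: str) -> bool:
    """The check from the answers above: reject the POST unless the cookie
    value and the submitted form value are present and identical."""
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if COOKIE_NAME not in cookies:
        return False
    cookie_token = cookies[COOKIE_NAME].value
    form_token = parse_qs(form_body).get(FIELD_NAME, [""])[0]
    if not form_token:
        return False
    # Constant-time comparison so an attacker guessing the field value
    # cannot use response timing to recover it byte by byte.
    return hmac.compare_digest(cookie_token, form_token)


def simulate() -> dict:
    """Constructed scenarios showing why the same-origin policy matters.
    In every case the browser automatically attaches the target site's cookie."""
    token = issue_csrf_token()
    cookie_header = f"{COOKIE_NAME}={token}"  # stored by the browser, auto-sent

    # 1. Legitimate: the target site rendered the form, so the hidden field
    #    carries the very same token as the cookie.
    legit_body = f"{FIELD_NAME}={token}&amount=100"

    # 2. Forged from another origin: the attacker's page can submit a form to
    #    the target site, but it cannot read the target site's cookie, so the
    #    best it can do is put a guessed value in the hidden field.
    forged_body = f"{FIELD_NAME}={secrets.token_urlsafe(32)}&amount=100"

    # 3. Forged and omitting the field entirely.
    missing_body = "amount=100"

    return {
        "legit": csrf_request_is_valid(cookie_header, legit_body),
        "forged_guess": csrf_request_is_valid(cookie_header, forged_body),
        "forged_missing": csrf_request_is_valid(cookie_header, missing_body),
    }


if __name__ == "__main__":
    for name, accepted in simulate().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The point of the question is answered by scenario 2: the attacker's page controls everything in the form body, yet the cookie that rides along with the request is invisible to that page, so the one value it needs to copy is the one it cannot obtain. Whether the user's own machine "holds" the cookie is irrelevant; the check only cares whether the origin that built the form could read it.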
