看来我对CSRF的理解有误?
读了很多关于CSRF的文档后,我还是有点困惑。所以我希望有人可以向我解释一下:
假设我有一个仅适用于经过身份验证的用户的个人资料页面,例如 abc.com/profile,它显示了我所有的私人信息。如果我登录,然后转到“坏”网站,该网站是否可以以某种方式获取并解析我的个人资料页面? (我做了一些经验,通过在不同的站点上打开firebug控制台,然后请求我的个人资料页面,看起来至少我可以在“Net”选项卡的“response”中看到全部内容,还没想到但也许这是可能的?) 假设
- 现在假设我的个人资料页面上有一个表单,其中当然有 csrf 令牌。现在,如果攻击者可以获取我的 profule 页面,他可以解析该内容,获取令牌,然后提交伪造的表单?
现在假设1和2是正确的,我应该怎样做才能防止这种情况发生?
After reading many documents regarding CSRF, I'm still a little bit confused. So I hope someone can please explain it to me:
Lets say if I have a profile page which is for authenticated users only, say abc.com/profile which shows me all my private info. If I logged in, then go to a "bad" site, can this site somehow get and parse my profile page?
(I did a little experience by opening up the firebug console on a different site, then request my profile page, and it seems like at least I can see the whole content in "response" of the "Net" tab, haven't figured out how to get this content and parse it yet though. But perhaps it's possible?)Now assume that I have on my profile page a form, which of course has csrf token. Now if an attacker could get my profule page, he could just parse that content, get the token then submit a fake form?
Now assume that 1 and 2 are correct, what should I do to prevent such cases from happening?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
你的观点不太正确......但是考虑这个场景。
示例攻击
假设用户登录到假国家官方银行 - GoodBank.com,并拥有 1,000,000 金币的余额。
在
MaliciousSite.com上,有一个![]()
GoodBank.com发出请求。![]()
src为http://www.goodbank.com/account/transfer.php?amount=10000&sentTo=malicioususer< /代码>。现在,该网站已在您的用户帐户下发出了请求,并导致您调用了一个原本不会有的页面。
现在,您可能认为仅使用 POST 即可防止这种情况的发生,但这些也不安全。
正确的方法是在表单中使用 CSRF 令牌,提交表单时,您应该检查收到的 CSRF 令牌是否与发出的相同。
请勿使用这些措施来保护自己:
而是使用这样的令牌:
查看此处以获得详细说明:CSRF 备忘单
Your points aren't quite right... But take this scenario.
Example Attack
Imagine that a user is logged into The Official Bank of Fake Country - GoodBank.com and has a balance of 1,000,000 gold.
On
MaliciousSite.com, there is an<img>or some other generic JavaScript that causes you to make a request toGoodBank.com.The
<img>has asrcofhttp://www.goodbank.com/account/transfer.php?amount=10000&sentTo=malicioususer.Now this site has made a request under your user account and has caused you to invoke a page which you would not have otherwise.
Now, you might be thinking that you can protect against this by using only POST, but these are not secure either.
The correct way is to use CSRF tokens in your forms, and when a form is submitted, you should check that the CSRF token that you receive is the same as with what was issued.
Do not use these measures to protect yourself:
Instead use a token like this:
View here for great explaination: CSRF Cheat Sheet
你的第一点不正确。
您无法在客户端上读取来自不同域的内容。
因此,恶意站点无法读取 CSRF 令牌。
您可以将请求发送到不同的域(这就是 CSRF 攻击的作用),但您无法读取响应。
Your first point is not correct.
You cannot read content from a different domain on the client.
Therefore, a hostile site cannot read the CSRF token.
You can send requests to a different domain (which is what CSRF attacks do), but you can't read the responses.
这可能与所提出的问题没有直接关系,但需要指出跨站点脚本攻击可以为 CSRF 打开大门。即使用于防止 CSRF 的基于令牌的解决方案也可能受到 XSS 的损害。
采取以下场景。
用于更新用户信息的表单。
假设用户ID是唯一的并且不容易被猜到,我们可以在没有令牌的情况下阻止CRSF。(攻击者请求将无法获得正确的用户ID)。
但是,如果攻击者可以使用 XSS 攻击读取
userID的值,那么他就可以制作伪造的请求以包含正确的用户 ID。虽然 CSRF 攻击不需要 XSS,但它会让攻击变得更容易。
检查以下资源。
跨站请求伪造 (CSRF)-OWASP
跨站脚本 (XSS)-OWASP
This may not be directly related to the question asked but need to point out that cross site scripting attacks can open doors for CSRF. Even token based solutions used to prevent CSRF can be compromised by XSS.
Take the following scenario.
Form used to update user info.
Assuming that the user Id is unique and can not be guessed easily, we can prevent CRSF without a token.(Attacker request will not be able to have the right user ID).
But if the attacker can read the value of
userIDusing XSS attack, he can then craft the forged request to include the correct user ID.Although XSS is not needed for CSRF attacks, it will make it easier.
Check the following resources.
Cross-Site Request Forgery (CSRF)-OWASP
Cross-site Scripting (XSS)-OWASP