如何防止代币替换攻击? [英] How to prevent token substitution attack?

问题描述

假设我们有两个用户在进行以下操作-

Suppose we have two users doing following operation -

1. User1向身份验证服务器请求访问令牌，并且也被授予.
2. 现在，user1将令牌保存到localstorage/cookie中，以供将来的api访问.
3. 现在User2向User1进行浏览，并获得有关access_token的一些信息.
4. 现在User2使用user1的access_token调用api，并且无需登录即可获取访问权限.

现在我们可以通过任何方式验证令牌吗?

Now Can we validate the token anyhow?

推荐答案

您无法避免这种情况的发生.但是，令牌应具有到期时间，因此攻击者只能在该时间内访问.另外，如果您知道令牌已被盗，可以将其撤消，使其不再有效.

You can't avoid that happening. However, the token should have an expiration time, so the attacker will only have access during that time. Also, if you know that a token has been stolen, you can revoke it so it's no longer valid.

您可以采用更多的安全措施，例如将令牌与特定的IP地址相关联，或者甚至使用机器学习来检测异常行为的一些高级服务.

You could apply more security measures such as associating the token with a specific IP address, or some advanced services that even use machine learning to detect unusual behaviours.

这篇关于如何防止代币替换攻击?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！