为什么恶意站点在攻击之前无法通过GET获得CSRF令牌? [英] Why can't a malicious site obtain a CSRF token via GET before attacking?
问题描述
如果我正确理解,则在CSRF攻击中,恶意网站 A 告诉我的浏览器向站点 B 发送请求。我的浏览器将自动在该请求中包含我的 B Cookie。尽管 A 无法看到这些cookie,但是如果我已经在 B 中进行了身份验证,则该请求将显得合法,并且可以成功执行任何要求的操作。为避免这种情况,每次我访问包含表单的 B 页面时,都会收到CSRF令牌。该令牌与我的会话相关,因此如果我对 B 进行POST,则必须包含此类令牌;否则 B 拒绝了我的请求。该方案的好处是 A 将无法访问该令牌。
If I understand correctly, in a CSRF attack a malicious website A tells my browser to send a request to site B. My browser will automatically include my B cookies in that request. Although A cannot see those cookies, if I'm already authenticated in B the request will look legit, and whatever action was asked will be successfully performed. To avoid this, every time that I visit a page of B containing a form, I receive a CSRF token. This token is associated to my session, so if I make a POST to B I MUST include such token; otherwise B rejects my request. The benefit of this scheme is that A will not have access to that token.
我有两个问题:
- 上面的描述正确吗?
- 如果是这样,为什么站点 A 不能首先说明?我的浏览器将GET发送到 B ,从响应中获取CSRF令牌,然后使用该令牌现在将POST发送到 B ?请注意,令牌将是有效的并与我的会话相关联,因为GET还包含我的所有 B cookie。
- Is the above description correct?
- If so, why can't site A first tell my browser to send a GET to B, obtain the CSRF token from the response, and then use the token to send now a POST to B? Notice that the token will be valid and associated to my session, as the GET also contains all my B cookies.
谢谢!
推荐答案
您的描述正确。
如果站点A告诉您的浏览器转到B并获取令牌,那很好,但是由于它是跨域请求,因此A将无法访问Java语言中的令牌(这是浏览器功能)。因此,当A告诉您的浏览器返回B并实际执行某项操作时,它仍然不能在请求中包含令牌。
If site A tells your browser to go to B and get the token, that's fine, but as it is a cross-domain request, A will not have access to the token in Javascript (this is a browser feature). So when A tells your browser to go back to B and actually do something, it still cannot include the token in the request.
也就是说,除非B将令牌设置为一块饼干。显然,这将是有缺陷的,因为令牌cookie也将被发送,从而抵消了任何保护。因此,在这种情况下,令牌必须作为表单值或请求标头(或其他不会像Cookie一样自动发送的东西)发送。
That is, unless B set the token as a cookie. Evidently, that would be flawed, because the token cookie would also be sent, thus negating any protection. So the token in this case must be sent as either a form value or a request header (or something else that is not sent automatically like a cookie).
如果B容易受到跨站点脚本的攻击,那么它也容易受到CSRF的攻击,因为令牌可能随后被盗,但CSRF则是较小的问题。 :)
This also means that if B is vulnerable to cross-site scripting, it is also vulnerable to CSRF, because the token can then be stolen, but CSRF is the smaller problem then. :)
这篇关于为什么恶意站点在攻击之前无法通过GET获得CSRF令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
