PHP further security on anti-CSRF token


Question

I am learning about how to prevent CSRF using anti-CSRF tokens. Essentially, the idea is to:

1) generate a token, e.g. MD5 or SHA1, then store this value in a session variable:

session_start(); // the session must be started before $_SESSION is used
$token = md5(uniqid(rand(), TRUE)); // note: uniqid()/rand() are not cryptographically secure; random_bytes() is the preferred source
$_SESSION['token'] = $token;

2) All forms include this token value in a POST hidden field

<input type='hidden' name='token' value='<?php echo htmlspecialchars($token, ENT_QUOTES, 'UTF-8'); ?>' /> <!-- $token is the value stored in the session in step 1; it is escaped because it lands inside an HTML attribute -->

E.g. what it would look like to the user in the source code:

<input type='hidden' name='token' value='9ee66e4e63a06ee4b83a3edde4ecd587' />

3) Once the form is sent, check that the POST hidden field token value matches the token stored in the session:

// hash_equals() compares in constant time and, unlike ==, is not subject to PHP type juggling
if (isset($_POST['token'], $_SESSION['token']) && hash_equals($_SESSION['token'], $_POST['token'])) { /* ...ok... */ }

However, this process seems a little flawed, since by including the token value in a hidden POST field an attacker can simply look at the website source code to see the token and then include it in a maliciously generated POST form, which my application would thus accept once received, as the token value sent would match the token value in my session variable, since I essentially show the token value in my hidden field to the attacker.

Thus, my question is what the best way around this is, as the few ideas I had still seem a little flawed:

1) Using _GET instead, but this still has the same flaws as _POST.

2) Changing the token value after x minutes or on each request, but this causes usability issues when going back in the browser, or fails when the user is filling in a form and the token value becomes outdated compared to the updated session token value, as the hidden token value would not have been updated while the user was filling in the form.

3) Try encrypting the hidden POST form token value, then decrypting it when the POST is sent, but encrypting/decrypting an already hashed value seems complicated, especially one-way hashed values like MD5 etc.?

Any

Recommended answer


However, this process seems a little flawed, since

No, they can't.

Alice runs a website. Bob visits the website. Mallory is attacking Bob's account.

Bob gets a nonce token when he visits Alice's website.

If Mallory visited the site, Mallory would get a different nonce (because Mallory would have a different session).

If Mallory generated a form with malicious data in it (on her website) and tricked Bob into submitting it, then the nonce Mallory put in the form would not match the nonce in Bob's session and the submission would be rejected.
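The three steps in the question (issue a token into the session, embed it in a hidden field, verify it on submission) and the Alice/Bob/Mallory scenario in this answer, worked through as one runnable PHP script. This is an added example and not code from the question or the answer; the session is passed in as a plain array rather than `$_SESSION` so that Bob's and Mallory's sessions can be simulated side by side from the command line, and the helper names (`csrf_token`, `csrf_hidden_field`, `csrf_check`) and the sample POST bodies are constructed for the example.

```php
<?php
// Added example: a minimal per-session anti-CSRF token, runnable from the CLI.
// The session is an array passed by reference so that two users (Bob and
// Mallory, as in the answer) can each have their own session in one script.

declare(strict_types=1);

/**
 * Issue a token for this session, creating one if none exists yet.
 * random_bytes() is used rather than md5(uniqid(rand())) because it is a
 * cryptographically secure source; the token is 64 hex characters.
 */
function csrf_token(array &$session): string
{
    if (empty($session['token'])) {
        $session['token'] = bin2hex(random_bytes(32));
    }
    return $session['token'];
}

/**
 * Render the hidden field. The value is escaped with htmlspecialchars()
 * so that it is safe inside an HTML attribute whatever it contains.
 */
function csrf_hidden_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return "<input type='hidden' name='token' value='{$token}' />";
}

/**
 * Check a submitted form against the session handling the request.
 * hash_equals() compares in constant time and, unlike ==, never treats two
 * different strings as equal through PHP type juggling. A missing token on
 * either side is a rejection, not a match.
 */
function csrf_check(array $session, array $post): bool
{
    if (empty($session['token']) || !isset($post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($session['token'], $post['token']);
}

// --- Simulation of the scenario in the answer (constructed data) ---

$bobSession     = [];   // Bob's server-side session
$mallorySession = [];   // Mallory's server-side session; she never sees Bob's

// Both visit Alice's site; each receives a token bound to their own session.
$bobForm     = csrf_hidden_field($bobSession);
$malloryForm = csrf_hidden_field($mallorySession);

// Bob submits his own form: the token in the POST body matches his session.
$bobPost = ['token' => $bobSession['token'], 'action' => 'change-email'];
printf("Bob submits his own form: %s\n", csrf_check($bobSession, $bobPost) ? 'accepted' : 'rejected');

// Mallory builds a form on her site with the only token she can see (her own)
// and tricks Bob into submitting it. The request carries Bob's cookies, so it
// is checked against Bob's session, where her token does not match.
$forgedPost = ['token' => $mallorySession['token'], 'action' => 'change-email'];
printf("Forged form submitted by Bob: %s\n", csrf_check($bobSession, $forgedPost) ? 'accepted' : 'rejected');

// A forged form with no token at all is rejected as well.
printf("Forged form without token: %s\n", csrf_check($bobSession, ['action' => 'change-email']) ? 'accepted' : 'rejected');
```

Run it with `php csrf_example.php` (any file name will do). The first `csrf_check` call returns true, the two forged submissions return false: the token Mallory can read out of her own page source is tied to her session, so it proves nothing about Bob's. In a real application `$_SESSION` takes the place of the array, `session_start()` runs before any of the helpers, and the token is regenerated alongside the session id on login.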
