How to prevent a cross site request forgery attack using an image URL?


Question

From ha.ckers.org/xss.html:


IMG嵌入式命令-当注入
的网页(如网页)在
后面时,此命令有效
密码保护和密码
保护与同一域上的其他命令
一起使用。这可以用于
删除用户,添加用户(如果访问页面的
用户是
管理员),向其他位置发送凭据
等。
较少使用但更有用的XSS
向量之一:

IMG Embedded commands - this works when the webpage where this is injected (like a web-board) is behind password protection and that password protection works with other commands on the same domain. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc.... This is one of the lesser used but more useful XSS vectors:

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

Or:

Redirect 302 /a.jpg http://victimsite.com/admin.asp&deleteuser

I allow users to post images in the forum. How can this be protected against?

I'm using Java Struts but any generic answers are welcome.

Accepted answer

If you follow the rules of the HTTP specification, such an attack will do no harm. Section 9.1.1, Safe Methods, says:

[…] GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.

Naturally, it is not possible to ensure that the server does not generate side-effects as a result of performing a GET request; in fact, some dynamic resources consider that a feature. The important distinction here is that the user did not request the side-effects, so therefore cannot be held accountable for them.

So all requests that change data on the server side should only be allowed via POST. And even there you should only allow those requests that your system has authenticated, by generating tokens that are only valid for a specific form/action.
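A minimal version of the two rules in this answer (never act on GET/HEAD, and require a per-session, per-action token on POST), written as an added Python example rather than Struts code; it is not code from the original post. The stateless HMAC token layout, the `SERVER_SECRET` constant and the handler names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example only; a deployment loads it from configuration.
SERVER_SECRET = b"example-server-secret-not-for-production"


def _mac(session_id: str, action: str, nonce: str) -> str:
    msg = f"{session_id}|{action}|{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, action: str) -> str:
    """Mint a token bound to one session and one form/action.

    Layout: nonce.HMAC(secret, session|action|nonce). A token minted for
    'delete_user' therefore fails verification against 'add_user', and a
    token stolen from another user's session fails for this session.
    """
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, action, nonce)}"


def token_is_valid(session_id: str, action: str, token: str) -> bool:
    """Recompute the MAC for this session/action and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(mac, _mac(session_id, action, nonce))


def handle_state_change(method: str, session_id: str, action: str, form: dict) -> str:
    """Gate in front of any handler that modifies server-side data.

    Rule 1 (HTTP 9.1.1): GET and HEAD never perform an action, so the request a
    browser makes for an <img src=...> can only ever be refused here.
    Rule 2: a POST must carry a token minted for this session and this action.
    """
    if method.upper() != "POST":
        return "405 Method Not Allowed"
    if not token_is_valid(session_id, action, form.get("csrf_token", "")):
        return "403 Forbidden"
    return f"200 performed {action}"
```

Because the token is not stored server-side, it stays valid for the life of the session; a synchronizer token kept in the session and rotated per form would add replay protection on top of this.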
