Cross Site Request Forgery prevention via 'Referer' header


Question

We recently received results from IBM AppScan DAST and some of the results don't make much sense.


2. Medium - Cross-Site Request Forgery

Risk(s): It may be possible to steal or manipulate customer session and cookies, which might be used to impersonate a legitimate user, allowing the hacker to view or alter user records, and to perform transactions as that user.

Fix: Validate the value of the "Referer" header, and use a one-time-nonce for each submitted form.

The following changes were applied to the original request:


Set header to 'http://bogus.referer.ibm.com'

Reasoning:

The test result seems to indicate a vulnerability because the Test Response is identical to the Original Response, indicating that the Cross-Site Request Forgery attempt was successful, even though it included a fictive 'Referer' header.

Request/Response:

POST /**/main.xhtml HTTP/1.1 -- **This xhtml only opens a default menu on page load**
User-Agent: Mozilla/4.0 (compatible; MS

Recommended solution


Validate the value of the "Referer" header, and use a one-time-nonce for each submitted form.


javax.faces.ViewState has an implicit CSRF protection.

https://www.beyondjava.net/jsf-viewstate-and-csrf-hacker-attacks

I could also do explicit CSRF protection using protected-views. This explicit CSRF protection adds a token for all cases, and additionally adds checks for the "referer" and "origin" HTTP headers. (Reference: Bauke & Arjan's book, Definitive Guide)

The report also marks /javax.faces.resource/ entries like CSS, JS and fonts, which I believe are false positives in the report.

Feedback and some insight needed.

Answer

This is indeed needless in JSF. This kind of attack is only possible in JSF when there's already an open remote code execution hole such as XSS (and thus the hacker has access to, among others, the session cookies and can therefore copy them via the phishing site), or when the view is stateless via <f:view transient="true"> (because you lose the javax.faces.ViewState hidden input field as implicit CSRF protection for the "normal" case when there's no remote code execution hole), or when you use HTTP instead of HTTPS (because a man-in-the-middle attacker can then plainly see all transferred bits and extract the session cookies from them).

All you need to make sure is that the end user's session cookies are never in some way exposed to the world. The advised fix is not at all helpful in that. It only makes it more difficult for the attacker to perform a successful CSRF attack when you sooner or later accidentally introduce a remote code execution hole. But then you have much bigger problems than only CSRF. All these efforts advised by this tool are only useful to give the hacker slightly less time to perform a successful attack, and to give yourself slightly more time to fix the remote code execution hole.

If all you want is to "suppress" this warning, then create a Filter which does the desired job. Here's a kickoff example, map it on /*.

import java.io.IOException;
import java.net.URL;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

@WebFilter("/*") // map it on /*
public class RefererCheckFilter implements Filter {
    // init()/destroy() have default implementations since Servlet 4.0.
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Only state-changing requests are checked; plain GETs pass through.
        if (!"GET".equals(request.getMethod())) {
            String referrer = request.getHeader("referer"); // Yes, with the legendary typo.

            if (referrer != null) {
                // Compare the host the browser says it came from with the host being served.
                String referrerHost = new URL(referrer).getHost();
                String expectedHost = new URL(request.getRequestURL().toString()).getHost();

                if (!referrerHost.equals(expectedHost)) {
                    response.sendError(403);
                    return;
                }
            }
            else {
                // You could also send 403 here. But this is more likely to affect real users.
            }
        }

        chain.doFilter(request, response);
    }
}
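Added example (not the answer's Java): the same check written in Python so it can be run offline against the request AppScan sent, with the Origin header consulted before Referer (as the protected-views check mentioned in the question does) and scheme and port compared as well as host. The application URL and sample headers are constructed placeholders.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin_of(url: str) -> tuple:
    """Return (scheme, host, port) of an absolute URL; port defaults from the scheme."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)


def is_allowed(method: str, headers: dict, request_url: str, strict: bool = False) -> bool:
    """Same-origin check for a state-changing request.

    headers     -- request headers with lower-cased names
    request_url -- the URL the server believes it serves (request.getRequestURL())
    strict      -- reject a non-GET request that carries neither Origin nor Referer
                   (the "you could also send 403 here" branch of the filter)
    """
    if method.upper() in SAFE_METHODS:
        return True                          # only state-changing requests are checked
    expected = _origin_of(request_url)
    # Browsers add Origin to cross-site form posts even when Referer is stripped
    # by privacy settings, so it is consulted first; "null" means an opaque origin.
    candidate = headers.get("origin")
    if candidate is None:
        candidate = headers.get("referer")   # yes, with the legendary typo
        if candidate is None:
            return not strict
    try:
        # Scheme and port are compared too, so http:// vs https:// does not pass.
        return candidate != "null" and _origin_of(candidate) == expected
    except ValueError:                       # unparsable header value: treat as foreign
        return False


# Constructed sample inputs: the AppScan probe quoted in the report, and a
# legitimate same-site post to a placeholder application URL.
APP_URL = "https://app.example.com/main.xhtml"
APPSCAN_PROBE = {"referer": "http://bogus.referer.ibm.com"}
SAME_SITE_POST = {"referer": "https://app.example.com/main.xhtml"}
```

Note that request_url mirrors request.getRequestURL(), which is built from the Host header; behind a reverse proxy the expected origin must be taken from the configured external URL instead.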



See also:

  • CSRF, XSS and SQL Injection attack prevention in JSF