Are JSON web services vulnerable to CSRF attacks?


Problem description

I am building a web service that exclusively uses JSON for its request and response content (i.e., no form-encoded payloads).

Is the web service vulnerable to CSRF attacks if the following are true?

  1. Any POST request without a top-level JSON object, e.g., {"foo":"bar"}, will be rejected with a 400. For example, a POST request with the content 42 would thus be rejected.

  2. Any POST request with a content-type other than application/json will be rejected with a 400. For example, a POST request with content-type application/x-www-form-urlencoded would thus be rejected.

  3. All GET requests will be safe, and thus not modify any server-side data.

  4. Clients are authenticated via a session cookie, which the web service gives them after they provide a correct username/password pair via a POST with JSON data, e.g. {"username":"user@example.com", "password":"my password"}.

Ancillary question: Are PUT and DELETE requests ever vulnerable to CSRF? I ask because it seems that most (all?) browsers disallow these methods in HTML forms.

Added item 4.

Lots of good comments and answers so far, but no one has offered a specific CSRF attack to which this web service is vulnerable.

Recommended answer

Forging arbitrary CSRF requests with arbitrary media types is effectively only possible with XHR, because a form's method is limited to GET and POST and a form's POST message body is also limited to the three formats application/x-www-form-urlencoded, multipart/form-data, and text/plain. However, with the form data encoding text/plain it is still possible to forge requests containing valid JSON data.

So the only threat comes from XHR-based CSRF attacks. And those will only be successful if they are from the same origin, so basically from your own site somehow (e.g. XSS). Be careful not to mistake disabling CORS (i.e. not setting Access-Control-Allow-Origin: *) as a protection. CORS simply prevents clients from reading the response. The whole request is still sent and processed by the server.
