如何prevent CSRF在RESTful应用程序? [英] How to prevent CSRF in a RESTful application?
问题描述
跨站请求伪造(CSRF)通常为prevent使用下列方法之一:
- 检查引用者 - RESTful的,但不可靠
- 插入到令牌形式存储在服务器会话令牌 - 没有真正的RESTful
- 神秘一次的URI - 不是基于REST出于同样的原因作为标记
- 手动发送密码,此请求(不与HTTP认证所使用的密码缓存) - REST风格,但不方便
我的想法是使用用户的秘密,一个神秘而静态形式ID和JavaScript来生成令牌。
<形式方法=POSTACTION =/ someresourceID =7099879082361234103>
<输入类型=隐藏的名字=令牌值=的generateToken(......)>
...
< /表及GT;
-
GET / usersecret / john_doe即由JavaScript从身份验证的用户获取。 - 响应:
确定89070135420357234586534346这个秘密是概念上静态的,但可以改变每一天/小时......以提高安全性。这是唯一机密的事情。 - 阅读使用JavaScript的神秘(但静态为所有用户!)形式的ID,处理一起与用户的秘密:
的generateToken(7099879082361234103,89070135420357234586534346) - 发送的形式与生成的令牌服务器一起。
- 由于服务器知道用户的秘密和形式的id,也可以作为客户端发送之前那样运行相同的generateToken函数和两个比较结果。只有当这两个值相等的动作将被授权。
什么不对的这种做法,尽管它不没有JavaScript的工作吗?
附录:
有这里有很多答案,并与不少人的问题。
事情你不应该这样做:
-
如果你需要阅读从JavaScript会话令牌,你正在做一些可怕的错误。您的会话标识符的cookie应该总是中HTTPOnly设置它所以它不是提供给脚本。
这一个保护使得它使XSS的影响大大减少,因为攻击者将不再能够得到用户的会话令牌,这对于所有意图和目的是在应用程序凭据相当于一个记录。你不想有一个错误给钥匙王国。
-
的会话标识符不应该被写入的页面的内容。这是为您设置中HTTPOnly同样的原因。这意味着,您的会话令牌不能成为你的会话ID。他们需要的是不同的值。
事情你应该做的:
-
按照 OWASP的指导
-
特别是,如果这是一个REST应用可以需要双提交CSRF的令牌:
只需创建加密的东西是随机的,它存储在ASCII十六进制或Base64 EN code,它在服务器返回的页面添加为一个cookie和表单。在服务器端,确保该cookie值的形式值相匹配。瞧,你杀了CSRF,避免额外的提示,为您的用户,而不是自己开到更多的漏洞。
Cross Site Request Forgery (CSRF) is typically prevent with one of the following methods:
- Check referer - RESTful but unreliable
- insert token into form and store the token in the server session - not really RESTful
- cryptic one time URIs - not RESTful for the same reason as tokens
- send password manually for this request (not the cached password used with HTTP auth) - RESTful but not convenient
My idea is to use a user secret, a cryptic but static form id and JavaScript to generate tokens.
<form method="POST" action="/someresource" id="7099879082361234103">
<input type="hidden" name="token" value="generateToken(...)">
...
</form>
GET /usersecret/john_doefetched by the JavaScript from the authenticated user.- Response:
OK 89070135420357234586534346This secret is conceptionally static, but can be changed every day/hour ... to improve security. This is the only confidential thing. - Read the cryptic (but static for all users!) form id with JavaScript, process it together with the user secret:
generateToken(7099879082361234103, 89070135420357234586534346) - Send the form along with the generated token to the server.
- Since the server knows the user secret and the form id, it is possible to run the same generateToken function as the client did before sending and compare both results. Only when both values are equal the action will be authorized.
Is something wrong with this approach, despite the fact that it doesn't work without JavaScript?
Addendum:
There are a lot of answers here, and problems with quite a few of them.
Things you should NOT do:
If you need to read the session token from JavaScript, you're doing something horribly wrong. Your session identifier cookie should ALWAYS have HTTPOnly set on it so its not available to scripts.
This one protection makes it so that the impact of XSS is considerably reduced, since an attacker will no longer be able to get a logged in users session token, which for all intents and purposes are the equivalent of credentials in the application. You don't want one error to give keys to the kingdom.
The session identifier should not be written to the contents of the page. This is for the same reasons you set HTTPOnly. This means that that your session token can not be your session id. They need to be different values.
Things you should do:
Follow OWASP's guidance:
Specifically, if this is a REST application you can require double-submission of CSRF tokens:
Simply create something cryptographically random, store it in ASCII Hex or Base64 encode, and add it as a cookie and to your forms when the server returns the page. On the server side make sure that the cookie value matches the form value. Voila, you've killed CSRF, avoided extra prompts for your users, and not opened yourself up to more vulnerabilities.
这篇关于如何prevent CSRF在RESTful应用程序?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
