Django CSRF cookie accessible by javascript?


Question


On django website, https://docs.djangoproject.com/en/dev/ref/contrib/csrf/ it states:

The CSRF protection is based on the following things:

1. A CSRF cookie that is set to a random value (a session independent nonce, as it is called), which other sites will not have access to.
2. ...


Then, it also states the csrf token can be obtained from cookie by javascript:

var csrftoken = $.cookie('csrftoken');


Aren't these two statements conflicting? Say there is a Cross Origin attack, then the attacker can just obtain the CSRF token from cookie, and then make a POST request with the CSRF token in the header? Can someone explain this please?


I realize now that only the javascript from the same origin is allowed to access the cookie. A follow-up question is:


If a POST request automatically adds the cookie as part of the request, and django's csrf cookie value is the same as the csrf token, then a malicious cross-origin request will still have the correct CSRF token anyway (in the cookie)?

Answer


I believe that this post answers your updated question:


Because of the same-origin policy, the attacker cannot access the cookie indeed. But the browser will add the cookie to the POST request anyway, as you mentioned. For this reason, one must post the CSRF token from the code as well (e.g. in a hidden field). In this case, the attacker must know the value of the CSRF token as stored in the victim's cookie at the time she creates the malicious form. Since she cannot access the cookie, she cannot replicate the token in her malicious code, and the attack fails.


Now, one might imagine other ways of storing the token than in the cookie. The point is that the attacker must not be able to get it. And the server must have a way to verify it. You could imagine saving the token together with the session on the server-side, and storing the token in some "safe" way on the client side ("safe" meaning that the attacker cannot access it).


Here is a quote from OWASP:


In general, developers need only generate this token once for the current session. After initial generation of this token, the value is stored in the session and is utilized for each subsequent request until the session expires. When a request is issued by the end-user, the server-side component must verify the existence and validity of the token in the request as compared to the token found in the session. If the token was not found within the request or the value provided does not match the value within the session, then the request should be aborted, token should be reset and the event logged as a potential CSRF attack in progress.


In the end, the security needs two things:

  • The CSRF token must be sent from the code, which means that the malicious code must know it.
  • The CSRF token must be stored in some "safe" place for comparison (the cookie is convenient for this).


I am not a specialist, but this is my understanding of the problem. Hope it helps.
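The double-submit check the answer describes, as an added example in plain Python (this is not Django's own middleware code). The cookie name `csrftoken`, the hidden field `csrfmiddlewaretoken` and the `X-CSRFToken` header are Django's real names; the request dictionaries are constructed here to stand in for the browser, and the cross-origin cases show why the cookie alone is not enough.

```python
import hmc if False else None  # placeholder removed below
```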

这篇关于Django CSRF cookie可以通过javascript访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!

查看全文
登录 关闭
扫码关注1秒登录
发送“验证码”获取 | 15天全站免登陆