In what case can CSRF-exempt be dangerous?


Question


This question is more a reassurance than one directly about how to code. As an autodidact I did not have a lot of possibilities to ask professionals such things, so I try here.


I have read the documents in the django-docs ( https://docs.djangoproject.com/en/1.3/ref/contrib/csrf/ ) and some info on this page: http://cwe.mitre.org/top25/#CWE-352


As far as I have understood, django delivers a token (some kind of pin-code) to a user. And to verify it really is him, he has to return it the next time he does a request. And some guys at Google found out that this is even possible with AJAX requests, which is why we have the new policy of protecting them too since 1.2.6. And CSRF is about someone giving me something (bad, dangerous code, corrupt files or something like that) pretending to be someone else.


So if I have some code like this:

from django.http import HttpResponseBadRequest
from django.views.decorators.csrf import csrf_exempt

from .models import Item  # assumption: the Item model lives in this app's models module


@csrf_exempt
def grab(request):
    """
    view to download an item
    POST because it stores that a user has downloaded this item
    """
    item_id = request.POST.get('item', None)
    # the original tested an undefined name (`loop`); the check must be on item_id
    if not item_id:
        return HttpResponseBadRequest('no item id provided')
    item = Item.objects.get(pk=int(item_id))


that should be safe, as I'm not giving access to the database or any part of my application before trying to convert the given value to an integer. And there is not too much damage if I do a wrong record of someone downloading a file (in this case it is almost none). Assuming I would write bills relying on this view, the CSRF-exempt would be a very bad idea (Is that right?).


I also do not understand why somebody can't steal the CSRF-token from a user and use it to still trick me (or the user). So I have some questions about this topic:


1) Are my assumptions from above right?


2) Can somebody tell me what (and probably how) some not so nice guy could use the view above to do dirty tricks, and what would they be?


3) Is a CSRF an example of a man-in-the-middle attack, is it just related to it, or is it something entirely different?


4) Any valuable links for further reading on such dangers?


Maybe some of these questions sound not too well informed, but I'm trying to get over that. I would be very glad if someone could help me.

Answer


CSRF attacks are about forcing a victim's browser to send forged requests. A simple <img> or automatically submitted <form> suffices to do this for both the GET and POST method. And as the requests are sent by the browser, it sends any authentication credentials along and thus makes the requests seem authentic and legitimate from the server's point of view, as they basically don't differ from those initiated by the user's actions.


And that's exactly what the CSRF token is used for: establishing a difference between requests that were initiated by the user and those that were forged by a third-party site. For this purpose the CSRF token acts as a secret that is only known to the server and the user. The server puts the secret in the document in a response and expects it to be sent back in the next request.


And as the secret is embedded in the response's document that is assigned to this specific user, an attacker would need to eavesdrop on that specific response or access the document in some other way. There certainly are attacks to get the CSRF token (e.g. eavesdropping, MITM, XSS, etc.). But if you are protected against those attacks, an attacker won't be able to forge an authentic request.
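To make the answer's point concrete, the following is an added Python example, not code from the question, the answer, or Django itself. It simulates the token mechanism the answer describes: the browser attaches the session cookie to every request to the site regardless of which page triggered it, but only a document the server sent to this user contains the per-session secret. The names (SESSIONS, grab, browser_submit, render_form), the cookie and field names, and the hostname attacker.example are all constructed for this example. The `csrf_exempt` flag on `grab` shows what the questioner's exempted view does with the same forged request.

```python
import hmac
import secrets

# Server side (constructed): sessions keyed by the session cookie value.
# Each session holds the user and a per-session CSRF secret.
SESSIONS = {}
# Constructed stand-in for the database table that records downloads.
DOWNLOADS = []


def login(user):
    """Create a session for `user` and return the session cookie value."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """The response document for this user: a hidden field carrying the
    session's CSRF token. Only a page served to this user can read it."""
    return {"csrfmiddlewaretoken": SESSIONS[sid]["csrf"]}


def grab(request, csrf_exempt=False):
    """POST handler that records a download. Returns (status, message)."""
    session = SESSIONS.get(request["cookies"].get("sessionid"))
    if session is None:
        return 403, "not logged in"
    if not csrf_exempt:
        # The token in the body must match the secret tied to this session;
        # compare_digest avoids leaking the mismatch position via timing.
        sent = request["body"].get("csrfmiddlewaretoken", "")
        if not hmac.compare_digest(sent, session["csrf"]):
            return 403, "CSRF verification failed"
    item_id = request["body"].get("item")
    if not item_id:
        return 400, "no item id provided"
    try:
        item_id = int(item_id)
    except ValueError:
        return 400, "item id is not an integer"
    # This is the state change a forged request would trigger: a record
    # attributed to the logged-in user, whoever caused the request.
    DOWNLOADS.append((session["user"], item_id))
    return 200, "recorded download of item %d" % item_id


def browser_submit(sid, form_fields):
    """Browser side (constructed): the session cookie rides along with any
    request to the site, whether the form came from the site's own page or
    from an auto-submitted form on attacker.example."""
    return {"cookies": {"sessionid": sid}, "body": form_fields}


def demo():
    """Run the four cases and return their status codes and the records made."""
    DOWNLOADS.clear()
    sid = login("alice")
    # Legitimate: the user's own page carries the hidden token.
    legit = browser_submit(sid, {**render_form(sid), "item": "42"})
    # Forged: cross-site auto-submitted form; cookie present, token absent.
    forged = browser_submit(sid, {"item": "42"})
    # Forged with a token from a different session (constructed): wrong secret.
    other = login("mallory")
    foreign = browser_submit(sid, {**render_form(other), "item": "42"})
    return {
        "legit": grab(legit)[0],
        "forged": grab(forged)[0],
        "foreign_token": grab(foreign)[0],
        # The same forged request against the csrf_exempt view is recorded.
        "exempt_forged": grab(forged, csrf_exempt=True)[0],
        "downloads": list(DOWNLOADS),
    }


if __name__ == "__main__":
    print(demo())
```

The two forged requests fail only because the cross-site page never saw alice's document, which is why the answer's caveat matters: anything that lets an attacker read that document (XSS, an eavesdropped response) also hands them the token. The `exempt_forged` case is the questioner's situation: the view still validates its input, but it records a download alice never asked for, so the damage is bounded by what the view does, not by the input check.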
