是否阻止在nodejs中打开重定向攻击? [英] Is preventing open redirects attack in nodejs secure?
问题描述
var = require('url');
// http://example.com/login?redirect=http://example.com/dashboard
app.route('/ login',function(req,res,接下来){
var redirect = req.query.redirect,
paths = url.parse(redirect);
if(paths.host!== req.headers.host ){
return next(new Error('Open redirect attack detected'));
}
return res.redirect(redirect);
});
是否足以防止打开重定向攻击,还是应该添加其他内容?
CWE- 601:URL重定向到不受信任的网站('打开重定向')
Open Redirect 的描述:
http参数可能包含一个URL值,可能导致Web应用程序将请求重定向到指定的URL。通过将URL值修改为恶意站点,攻击者可能会成功启动网络钓鱼欺诈并窃取用户凭据。由于修改后的链接中的服务器名称与原始站点相同,因此网络钓鱼尝试的外观更可靠。
code>输入验证防止打开重定向攻击的策略:
假设所有输入都是恶意的。使用接受已知的输入验证策略,即使用严格符合规范的可接受输入的白名单。拒绝任何不严格符合规范的输入,或将其转换为某种功能。
不要仅依赖于寻找恶意或格式错误的输入(即不依赖于黑名单)。黑名单可能会错过至少一个不需要的输入,特别是如果代码的环境发生变化。这可以给攻击者足够的空间绕过预期的验证。然而,黑名单可以用于检测潜在的攻击或确定哪些输入如此畸形,以至于被彻底地拒绝。
使用批准的网址或域名的白名单用于重定向。
使用 req。 header.host , req.host 或 req.hostname 是不安全的,因为<$可以伪造c $ c> req.headers (例如,HTTP请求具有自定义主机头来访问以下代码编写的快速应用程序)
var url = require('url');
app.get('/ login',function(req,res,next){
var redirect = req.query.redirect,
targetUrl = url.parse(redirect );
console.log('req.headers.host:[%s]',req.headers.host);
console.log('req.host:[%s]',req .host);
console.log('req.hostname:[%s]',req.hostname);
if(targetUrl.host!= req.headers.host){
return new(new Error('Open redirect attack detected'));
}
return res.redirect(redirect);
});
使用 curl 提出请求: / p>
$ curl -H'主机:malicious.example.com''http:// localhost:3012 / login?redirect = http ://malicious.example.com'-i
HTTP / 1.1 302找到
X-Powered by:Express
位置:http://malicious.example.com
Vary:Accept
Content-Type:text / plain; charset = utf-8
内容长度:54
日期:2016年6月13日(星期一)06:30:55 GMT
连接:keep-alive
$#服务器输出
req.headers.host:[malicious.example.com]
req.host:[malicious.example.com]
req.hostname:[malicious.example.com]
我建议您使用白名单来验证输入,下面是一个示例代码:
const WHITELIST_TO_REDIRECT = new Set([localhost:3012,www.realdomain.com]);
app.get('/ login',function(req,res,next){
var redirect = req.query.redirect,
targetUrl = url.parse(redirect );
console.log(req.hostname:[%s],req.hostname);
console.log(url.host:[%s],targetUrl.host);
if(!WHITELIST_TO_REDIRECT.has(targetUrl.host)){
return next(new Error('Open redirect attack detected'));
}
return res.redirect(redirect);
});
I'm trying to prevent open redirect attack. Please look at the code below and check for security:
var = require('url');
// http://example.com/login?redirect=http://example.com/dashboard
app.route('/login', function (req, res, next) {
var redirect = req.query.redirect,
paths = url.parse(redirect);
if (paths.host !== req.headers.host) {
return next(new Error('Open redirect attack detected'));
}
return res.redirect(redirect);
});
Is it enough for preventing open redirect attack or should I add anything else?
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
Description of Open Redirect:
An http parameter may contain a URL value and could cause the web application to redirect the request to the specified URL. By modifying the URL value to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Because the server name in the modified link is identical to the original site, phishing attempts have a more trustworthy appearance.
The suggestion of input validation strategy to prevent open redirect attack:
Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a whitelist of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does. Do not rely exclusively on looking for malicious or malformed inputs (i.e., do not rely on a blacklist). A blacklist is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, blacklists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright. Use a whitelist of approved URLs or domains to be used for redirection.
Use req.headers.host, req.host or req.hostname is insecure, because req.headers can be forged (eg. a HTTP request have a custom Host header to access a express app written in code below)
var url = require('url');
app.get('/login', function (req, res, next) {
var redirect = req.query.redirect,
targetUrl = url.parse(redirect);
console.log('req.headers.host: [%s]', req.headers.host);
console.log('req.host: [%s]', req.host);
console.log('req.hostname: [%s]', req.hostname);
if (targetUrl.host != req.headers.host) {
return next(new Error('Open redirect attack detected'));
}
return res.redirect(redirect);
});
Use curl to make a request:
$ curl -H 'Host: malicious.example.com' 'http://localhost:3012/login?redirect=http://malicious.example.com' -i
HTTP/1.1 302 Found
X-Powered-By: Express
Location: http://malicious.example.com
Vary: Accept
Content-Type: text/plain; charset=utf-8
Content-Length: 54
Date: Mon, 13 Jun 2016 06:30:55 GMT
Connection: keep-alive
$ #server output
req.headers.host: [malicious.example.com]
req.host: [malicious.example.com]
req.hostname: [malicious.example.com]
I suggest you use whitelist to validate input, a example code below:
const WHITELIST_TO_REDIRECT = new Set(["localhost:3012", "www.realdomain.com"]);
app.get('/login', function (req, res, next) {
var redirect = req.query.redirect,
targetUrl = url.parse(redirect);
console.log("req.hostname: [%s]", req.hostname);
console.log("url.host: [%s]", targetUrl.host);
if (!WHITELIST_TO_REDIRECT.has(targetUrl.host)) {
return next(new Error('Open redirect attack detected'));
}
return res.redirect(redirect);
});
这篇关于是否阻止在nodejs中打开重定向攻击?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
