Are JSON web services vulnerable to CSRF attacks?


Question

I am building a web service that exclusively uses JSON for its request and response content (i.e., no form encoded payloads).

Is such a web service vulnerable to CSRF attacks if the following are true?

  1. Any POST request without a top-level JSON object, e.g., {"foo":"bar"}, will be rejected with a 400. For example, a POST request with the content 42 would be thus rejected.

  2. Any POST request with a content-type other than application/json will be rejected with a 400. For example, a POST request with content-type application/x-www-form-urlencoded would be thus rejected.

  3. All GET requests will be Safe, and thus not modify any server-side data.

  4. Clients are authenticated via a session cookie, which the web service gives them after they provide a correct username/password pair via a POST with JSON data, e.g. {"username":"user@example.com", "password":"my password"}.

Ancillary question: Are PUT and DELETE requests ever vulnerable to CSRF? I ask because it seems that most (all?) browsers disallow these methods in HTML forms.

Edit: Added item 4.

Edit: Lots of good comments and answers so far, but no one has offered a specific CSRF attack to which this web service is vulnerable.

Accepted answer

Forging arbitrary CSRF requests with arbitrary media types is effectively only possible with XHR, because a form’s method is limited to GET and POST and a form’s POST message body is also limited to the three formats application/x-www-form-urlencoded, multipart/form-data, and text/plain. However, with the form data encoding text/plain it is still possible to forge requests containing valid JSON data.

So the only threat comes from XHR-based CSRF attacks. And those will only be successful if they are either

  • run from the same origin, so basically from your own site somehow (e. g. XSS), or
  • run from a different origin and your server allows such cross-origin requests.

If you can eliminate both, your web service is not vulnerable to CSRF. At least not those carried out via a web browser.
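The four conditions in the question and the two XHR cases in the answer map onto a small set of server-side checks. The following is an added illustration, not code from the question, the answer or any project: a request validator that enforces the application/json media type (which is what actually stops a text/plain form whose body happens to be valid JSON), the top-level-object rule, and an Origin allow-list for cross-origin XHR, plus a CORS helper that never reflects an arbitrary Origin with credentials. The allowed origin, the sample requests and the helper names are constructed for the example.

```python
"""Server-side CSRF-relevant checks for a JSON-only web service.
Added example; the origins, sample requests and function names are constructed."""
import json
from typing import Dict, Mapping, Optional, Tuple

# Constructed: the only origin permitted to make credentialed cross-origin requests.
ALLOWED_ORIGINS = {"https://app.example.com"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def media_type(content_type: str) -> str:
    """Strip parameters: 'application/json; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def validate_request(method: str, headers: Mapping[str, str], body: str,
                     allowed_origins=ALLOWED_ORIGINS) -> Tuple[int, str]:
    """Return (http_status, reason); 200 means every check passed."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() in SAFE_METHODS:
        # Condition 3: safe methods never change server-side state, so nothing to protect.
        return 200, "safe method"
    # Condition 2: HTML forms can only submit application/x-www-form-urlencoded,
    # multipart/form-data or text/plain. Requiring application/json therefore
    # rejects every form-based forgery, even a text/plain body that is valid JSON.
    if media_type(hdrs.get("content-type", "")) != "application/json":
        return 400, "content-type must be application/json"
    # Condition 1: the body must parse as a top-level JSON object, so '42' fails.
    try:
        doc = json.loads(body)
    except ValueError:
        return 400, "body is not valid JSON"
    if not isinstance(doc, dict):
        return 400, "body must be a top-level JSON object"
    # Answer, second bullet: a cross-origin XHR carries a browser-set Origin header.
    # Reject any Origin that is not explicitly allowed. A request with no Origin is
    # treated as a non-browser client, which the session cookie would not reach anyway.
    origin = hdrs.get("origin")
    if origin is not None and origin not in allowed_origins:
        return 403, "cross-origin request from %s not allowed" % origin
    return 200, "ok"


def cors_headers(origin: Optional[str], allowed_origins=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Emit CORS headers only for an allow-listed Origin. Reflecting arbitrary
    Origins, or answering '*' alongside credentials, is exactly the 'server allows
    such cross-origin requests' case the answer warns about."""
    if origin in allowed_origins:
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true",
                "Vary": "Origin"}
    return {}


if __name__ == "__main__":
    # Constructed sample requests exercising each rule.
    login = '{"username":"user@example.com","password":"my password"}'
    cases = [
        ("GET", {}, ""),
        ("POST", {"Content-Type": "text/plain"}, login),  # form-encodable, rejected by media type
        ("POST", {"Content-Type": "application/x-www-form-urlencoded"}, "a=1"),
        ("POST", {"Content-Type": "application/json"}, "42"),
        ("POST", {"Content-Type": "application/json", "Origin": "https://app.example.com"}, login),
        ("POST", {"Content-Type": "application/json", "Origin": "https://attacker.example"}, login),
    ]
    for m, h, b in cases:
        print(m, h.get("Content-Type"), h.get("Origin"), "->", validate_request(m, h, b))
    print("CORS for attacker origin:", cors_headers("https://attacker.example"))
```

The media-type check is the load-bearing one: without it, a text/plain form post whose body is the JSON login document would parse as a top-level object and pass the remaining checks. The Origin check and the CORS helper close the cross-origin XHR path; the same-origin case (script injection on your own site) is outside what request validation can address, as the answer notes.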
