Php - 阻止从虚假接入点访问网页? [英] Php - prevent access to a web page from a faked access point?
问题描述
您好,欢迎,最近我注意到一个很大的安全漏洞,我可以说这是一个问题,所有现有的Web应用程序通过要求他们输入用户名和密码来验证用户。
我的意思是,攻击者只需几分钟就可以伪造一个访问点(网页,例如:登录)到你的网站,并强迫你的用户去那个伪造的访问点,我将举一个例子,以便更加理解:
假设我的网站位于:www.realwebsite.com。现有用户需要通过登录页面连接到网站,我的登录页面如下所示:
//登录。 php
<?php
if(isset($ _ POST ['go'])){
$ username = $ _POST ['username'];
$ password = $ _POST ['password'];
}
//我的服务器逻辑就在这里。
?>
和我的Html,(www.realwebsite.com/login.php):
<!DOCTYPE html>
< html xmlns =http://www.w3.org/1999/xhtml>
< head>
< title>登录< / title>
< / head>
< body>
< form method =postaction =login.php>
< input type =textname =username/>
< input type =passwordname =password/>
< botton name =go> Go< / button>
< / form>
< / body>
< / html>
假设有恶意的人想要窃取用户凭据,他会在我的登录页面创建一个与我的相同的表单并且只需更改'form'标签上的'action'属性,它看起来像这样:
伪造的访问点页面:
< !DOCTYPE html>
< html xmlns =http://www.w3.org/1999/xhtml>
< head>
< title>登录< / title>
< / head>
< body>
< form method =post action =malicious_faked_accesspoint.php>
< input type =textname =username/>
< input type =passwordname =password/>
< botton name =go> Go< / button>
< / form>
< / body>
< / html>
骗子可以强制现有用户通过电子邮件发送链接进入恶意登录页面,或者只是创建一个一旦用户进入恶意页面(用户认为它是真实的网页,因为它具有相同的外观),并在用户名和密码中键入并点击转到按钮 - 输入的用户名和密码将转到恶意接入点服务器,该服务器可以使用 $ _ POST 数组在 malicious_faked_accesspoint.php 页面中获取它们。
结束:攻击者成功获得了用户的用户名和密码。
如果这仍然是很难执行,有些程序可以在不到一毫秒的时间内伪造任何Web应用程序的访问点。
这种攻击非常容易执行,并且我想知道谷歌,Facebook这样的大型组织正在做些什么呢。
我在网上搜索了很多,发现很多文章描述了这个问题,但他们并没有谈论可能的解决方案。
伪造的登录页面位于另一个域上,因此伪造的网页和真实网页之间存在差异的是网址,但并非所有用户都了解网址上的内容以及原因。
我认为几乎不可能克服这种类型的攻击,因为我的真实网络服务器肯定无法控制伪造的接入点,并且我将在真实网页上做的所有事情 - 假网页将与真实网页具有相同的外观。
所以我把这个问题放在这里,所以其他观众可以阅读和思考,如果有人不知道 - 现在就知道这一点很好,特别是如果你是一个网络开发者。
我尝试了什么:
也许我可以告诉用户检查每个网址他们去我网站上的每个页面的时间,好吧,我明白了。但钢铁,他们将如何记住我的建议,看看真实页面和伪造页面之间有什么区别? (不了解网址的用户)。也许一些更实用的建议?
_POST ['go'])){
username =
_POST [ '用户名'];
Hello and welcome, Recently i noticed to a big security hole that i can say is a problem for all the existing web applications that authenticate their users by asking them to type in their username and password.
I mean, It only takes a few minutes for an attacker to fake an access point (web page, ex: login) to your web site, and force your users to go to that faked access point, I will give an example so it will be more understandabe:
Say i have my web site at: www.realwebsite.com. Existing users need to go through the login page to connect to the web site, and my login page looks like this:
// login.php
<?php
if (isset($_POST['go'])) {
$username = $_POST['username'];
$password = $_POST['password'];
}
// my server logic goes here.
?>
And my Html, (in www.realwebsite.com/login.php):
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login</title>
</head>
<body>
<form method="post" action="login.php">
<input type="text" name="username"/>
<input type="password" name="password"/>
<botton name="go">Go</button>
</form>
</body>
</html>
And lets say a malicious person want to steal users credentials, he will create a form, identical to my from in my login page and just change the 'action' property on the 'form' tag, it looks like this:
The faked access point page:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login</title>
</head>
<body>
<form method="post" action="malicious_faked_accesspoint.php">
<input type="text" name="username"/>
<input type="password" name="password"/>
<botton name="go">Go</button>
</form>
</body>
</html>
The attaker can force an existing user to go to the malicious login page by sending the link in email, or just by creating a blog and put a link to this malicious page inside the blog, once a user go to the malicious page (the user think it is the real web page since it has the same look) and type in the username and the password and click on the 'Go' button - the entered username and password go to the malicious access point server that can get them in the malicious_faked_accesspoint.php page using the $_POST array.
The end: The attacker successfully got the username and the password of my users.
And if this is still hard to perform, there are programs that can fake an access point to any web application in less than a millisecond.
This kind of attack is very easy to perform, and i wonder what huge organizations like Google, Facebook are doing against it.
I searched a lot online and found a lot of articles describing the problem, but they are not talking about a possible solution.
The faked login page is on another domain, so the thing that makes the difference between the faked web page and the real web page is the url, but not all the users are understand what goes on the url and why.
I think it is almost impossible to overcome this type of attacks, because my real web server definitely has no control over the faked access point, and all I will do on the real web page - the fake web page will be with the same appearance as the real web page.
So i put this question here, so other viewers can read and think about that, and if someone didn't know about it - it is good to know this now, especially if you are a web developer.
What I have tried:
Maybe i can tell the users to check the url every time they go to each page on my web site, Ok, i get it. but steel, how they will remember my suggestions and see any difference between the real page and the faked one? (users that doesn't understand urls). Maybe some more practical suggestions?
_POST['go'])) {
username =
_POST['username'];
这篇关于Php - 阻止从虚假接入点访问网页?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
