如何防止自动AJAX攻击 [英] How to prevent automated AJAX attacks
问题描述
如何防止USER执行自动发帖/垃圾邮件?
How to prevent USER from doing automated posts/spam?
这是我的方式,每个页面请求都有新的php会话,它有其自身的局限性,没有多表操作.
Here is my way of doing it, new php session for each page request, which has its own limitations, no multitabing.
我为每个页面使用了新的会话来防御CSRF和自动攻击.可以说,我们有一个使用AJAX发布线程的论坛,并已通过PHP SESSION进行了验证.
I used new session for each page as defense against both CSRF and automated attacks. Lets say we have forum that uses AJAX to post threads and its validated by PHP SESSION.
add_answer.php?id = 123
add_answer.php?id=123
<?php
if(!is_ajax()){// function that determines whether the request is from ajax (http header stuff)
$_SESSION['token'] = md5(rand());
}
//some ajax request to ajax.php?id=123
?>
ajax.php?id = 123
ajax.php?id=123
<?php
if($_SESSION['token'] == $_GET['token']){
echo 'MYSQL INSERT stuff';
}else{
echo 'Invalid Request';
}
?>
一切正常,直到用户在另一个选项卡上打开page.php?id = 456为止,ajax在ajax.php?id = 123上返回无效请求"
Every thing works fine until the user opens page.php?id=456 on another tab, the ajax returns 'invalid request' on ajax.php?id=123 This is related to another question I asked. They suggested to use only one session hash all the time, until he/she logs out - only then the session is regenerated. If the token is the same USER could simply bypass it and do the automated attacks. Any ideas on that?
如何防止自动AJAX攻击 您的方式 ?
Anyhow whats your way of preventing Automated AJAX attacks?
PS:
- 不要用验证码来折磨用户.
- Google没给我看一些有用的东西.
- 以此为挑战.
- 或者至少对您认为是实现此目标的绝妙方式的专家的答案进行投票
推荐答案
听起来像您反对只要打开浏览器就保持会话打开是自动攻击的问题.不幸的是,刷新每个页面上的令牌只会阻止大多数业余攻击者.
It sounds like your objection to letting the session stay open as long as the browser is open is the issue of automated attacks. Unfortunately, refreshing the token on each page load only deters the most amateur attackers.
首先,我想我们在谈论的是专门针对您网站的攻击. (如果我们谈论的是漫游并提交各种形式的漫游器,这不仅不会阻止它们,而且还有很多更好,更轻松的方法来阻止它们.)如果是这样,那么我的目标就是网站,这是我的机器人要执行的操作:
First, I assume we're talking about attacks specifically targeted at your site. (If we're talking about the bots that just roam around and submit various forms, not only would this not stop them, but there are far better and easier ways to do so.) If that's the case, and I'm targeting my site, here's what my bot would do:
- 加载表单页面.
- 在表单页面上读取令牌.
- 使用该令牌提交自动请求.
- 转到步骤1.
(或者,如果我对您的系统进行了足够的研究,我会意识到,如果在每个请求中都包含"this is AJAX"标头,则可以永久保留一个令牌.或者,我会意识到该令牌是我的会话ID,然后发送我自己的PHPSESSID cookie.)
(Or, if I investigated your system enough, I'd realize that if I included the "this is AJAX" header on each request, I could keep one token forever. Or I'd realize that the token is my session ID, and send my own PHPSESSID cookie.)
这种在每次页面加载时更改令牌的方法绝对不会阻止实际上想要严重攻击您的人.因此,由于令牌对自动化没有影响,因此请重点关注其对CSRF的影响.
This method of changing the token on each page load would do absolutely nothing to stop someone who actually wanted to attack you all that badly. Therefore, since the token has no effect on automation, focus on its effects on CSRF.
从阻止CSRF的角度来看,创建一个令牌并对其进行维护直到用户关闭浏览器似乎可以完成所有目标.简单的CSRF攻击被击败,用户可以打开多个选项卡.
From the perspective of blocking CSRF, creating one token and maintaining it until the user closes the browser seems to accomplish all goals. Simple CSRF attacks are defeated, and the user is able to open multiple tabs.
TL; DR:在每个请求上刷新一次令牌不会提高安全性.增强可用性,并在每个会话中执行一次令牌.
但是!如果您非常担心重复或意外提交表单,则可以轻松解决此问题.答案很简单:对两个不同的作业使用两个令牌.
However! If you're extremely concerned about duplicate form submissions, accidental or otherwise, this issue can still easily be resolved. The answer is simple: use two tokens for two different jobs.
第一个令牌将保持不变,直到浏览器会话结束.存在此令牌是为了防止CSRF攻击.该用户使用此令牌提交的任何内容都将被接受.
The first token will stay the same until the browser session ends. This token exists to prevent CSRF attacks. Any submission from this user with this token will be accepted.
第二个令牌将为加载的每个表单唯一生成,并将存储在用户会话中打开表单令牌的数据列表中.该令牌是唯一的,使用后将失效.此用户使用此令牌提交的内容将被接受一次,并且只能接受一次.
The second token will be uniquely generated for each form loaded, and will be stored in a list in the user's session data of open form tokens. This token is unique and is invalidated once it is used. Submissions from this user with this token will be accepted once and only once.
这样,如果我打开表单A的选项卡,并打开表单B的选项卡,则每个人都有我的个人反CSRF令牌(已处理CSRF)和一次性表单令牌(已重新提交表单已处理) ).这两个问题都得到解决,对用户体验没有任何不良影响.
This way, if I open a tab to Form A and a tab to Form B, each one has my personal anti-CSRF token (CSRF taken care of), and my one-time form token (form resubmission taken care of). Both issues are resolved without any ill effect on the user experience.
当然,对于这样一个简单的功能,您可能会认为实在太多了.无论如何,我认为是这样.无论如何,如果您愿意的话,可以找到一个可靠的解决方案.
Of course, you may decide that that's too much to implement for such a simple feature. I think it is, anyway. Regardless, a solid solution exists if you want it.
这篇关于如何防止自动AJAX攻击的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
