PHP中的CSRF(跨站请求伪造)攻击示例和预防 [英] CSRF (Cross-site request forgery) attack example and prevention in PHP
问题描述
我有一个网站,人们可以像这样投票:
http://mysite.com/vote/25
这将对项目25进行投票.我只想让已注册的用户可以使用它,并且仅在他们想要这样做时才可以使用.现在我知道有人在网站上忙碌时,有人给他们这样的链接:
http://mysite.com/vote/30
然后投票将在他不希望这样做的地方进行.
我已经在OWASP网站上阅读了说明,但是我不太了解
这是CSRF的示例,如何防止这种情况发生?我能想到的最好的事情就是在链接中添加一些内容,例如哈希.但是,在所有链接的末尾放置一些内容会很令人讨厌.没有其他方法可以做到这一点.
也许有人可以给我另一个例子,因为这个网站对我来说似乎很赋格.
如果:
,这可能成为CSRF的示例.- 获取链接(例如,通过
<img>标记):伪造 - 从另一个站点:跨站点
例如,如果我可以将此<img>标记注入stackoverflow 的HTML源代码中(并且我可以,因为stackoverflow允许一个人在他的帖子中使用<img>标记):
<img src="http://mysite.com/vote/30" />
您只需为该项目投票;-)
通常使用的解决方案是将寿命有限的令牌放置在URL中,并在提取URL时检查此令牌是否仍然有效.
基本思想是:
- 生成页面时:
- 生成唯一令牌
- 将其存储在用户会话中
- 并将其放在页面的链接中-如下所示:
http://mysite.com/vote/30?token=AZERTYUHQNWGST
- 调用投票页面时:
- 检查令牌是否存在于网址中
- 检查它是否存在于用户会话中
- 如果不是=>不要注册投票
这里的想法是:
- 代币寿命不长,很难猜测
- 这意味着您的攻击者:
- 只有几分钟的时间,他的注射将有效
- 必须善于猜测^^
- 必须为每个用户生成一个不同的页面.
另外,请注意,用户离开您的网站后,其会话保持活动状态的时间越短,访问该不良网站时该会话仍然有效的风险就越小.
但是在这里,您必须在安全性和用户友好性之间进行选择...
(不是很安全,但是对那些不知道如何强制POST请求的人有帮助)的另一个想法是,仅当人们投票时才接受POST请求:
- 浏览器正在发送针对已注入标签的GET请求
- 由于该URL正在修改某些数据,因此,它不应与GET一起使用,而只能与POST一起使用
但是请注意,这并不是绝对安全的:使用一些Java脚本强制/伪造POST请求是(可能是?).
I have an website where people can place a vote like this:
http://mysite.com/vote/25
This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this:
http://mysite.com/vote/30
then the vote will be places for him on the item without him wanting to do this.
I have read the explanation on the OWASP website, but i don't really understand it
Is this an example of CSRF, and how can I prevent this. The best thing i can think off is adding something to the link like a hash. But this will be quite irritating to put something on the end of all the links. Is there no other way of doing this.
Another thing can someone maybe give me some other example of this, because the website seems fairly fugue to me.
This could become an example of CSRF if :
- that link is fetched (via an
<img>tag, for example) : forgery - from another site : cross-site
For example, if I could inject this <img> tag in the HTML source-code of stackoverflow (and I can, as stackoverflow allows one to use <img> tags in his posts) :
<img src="http://mysite.com/vote/30" />
You would just have voted for that item ;-)
The solution that is generally used is to place a token, that has a limited life-time, in the URL, and, when the URL is fetched, check that this token is still valid.
The basic idea would be :
- When generating the page :
- generate a unique token
- store it in the user's session
- and place it in the links of the page -- which would look like this :
http://mysite.com/vote/30?token=AZERTYUHQNWGST
- When the voting page is called :
- Check if the token is present in the URL
- Check if it's present in the user's session
- If not => do not register the vote
The idea there is :
- Tokens don't have a long life-time, and are hard to guess
- Which means your attacker :
- has only a window of a few minutes during which his injection will be valid
- will have to be good at guessing ^^
- will have to generate a different page for each user.
Also, note that the shorter the user's session remains active after he has left your site, the less risks there are that it's still valid when he visits the bad website.
But here, you have to choose between security and user-friendly...
Another idea (that's not perfectly secure, but helps against guys would don't know how to force a POST request), would be to only accept POST requests when people are voting :
- The browser is sending GET requests for injected tags
- As this URL is modifying some data, anyway, it should not work with GET, but only with POST
But note that this is not perfectly safe : it's (probably ? ) possible to force/forge a POST request, with some bit of Javascript.
这篇关于PHP中的CSRF(跨站请求伪造)攻击示例和预防的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
