登录表单是否需要针对CSRF攻击的令牌? [英] Do login forms need tokens against CSRF attacks?
问题描述
根据我到目前为止的了解,令牌的目的是防止攻击者伪造表单提交.
例如,如果一个网站具有一个将添加的项目输入到您的购物车中的表单,并且攻击者可能向您的购物车中发送垃圾邮件,这些垃圾邮件是您不需要的.
这是有道理的,因为购物车表单可能有多个有效输入,攻击者所要做的就是知道网站正在出售的商品.
在这种情况下,我了解令牌的工作原理并增加安全性,因为它们可确保用户实际上已填写并为添加到购物车中的每个商品按下了表单的提交"按钮.
但是,令牌是否可以在需要用户名和密码的用户登录表单中添加任何安全性?
由于用户名和密码非常独特,攻击者必须知道两者才能使登录伪造正常工作(即使您没有设置令牌),并且如果攻击者已经知道,那么他就可以签名到自己的网站上.更不用说,使用户登录自己的CSRF攻击也没有任何实际用途.
我对CSRF攻击和令牌的理解正确吗?而且我怀疑它们对用户登录表单没有用吗?
是.通常,您需要像其他任何一样保护登录表单不受CSRF攻击.
否则,您的站点容易受到信任域网络钓鱼"攻击的攻击.简而言之,CSRF漏洞登录页面使攻击者可以与受害者共享用户帐户.
漏洞显示如下:
- 攻击者在受信任的域上创建一个主机帐户
- 攻击者使用此主机帐户的凭据在受害者的浏览器中伪造登录请求
- 攻击者诱使受害者使用受信任的站点,他们可能不会在此处注意到他们通过主机帐户登录
- 攻击者现在可以使用主机帐户登录浏览器时(有意或无意)访问受害者创建"的任何数据或元数据
作为一个相关示例,请考虑 YouTube . YouTube允许用户查看他们自己的"观看历史记录,并且他们的登录表单容易受到CSRF的攻击!因此,攻击者可以使用知道的密码建立一个帐户,并使用那个帐户将受害者登录到YouTube,从而跟踪受害者正在观看的视频. /p>
在此注释线程中有一些讨论这意味着它可以仅"用于此类侵犯隐私的行为.也许可以,但是引用维基百科的CSRF文章:
登录CSRF使各种新颖的攻击成为可能;例如, 攻击者以后可以使用其合法凭据登录该站点 并查看已保存的私人信息,例如活动历史记录 在帐户中.
强调新型攻击".想象一下网络钓鱼攻击对用户的影响,然后想象一下,网络钓鱼攻击是通过用户自己的可信任书签到达您的站点的!前面提到的评论主题中链接的论文提供了一些简单的隐私攻击之外的示例.
From what I've learned so far, the purpose of tokens is to prevent an attacker from forging a form submission.
For example, if a website had a form that input added items to your shopping cart, and an attacker could spam your shopping cart with items you don't want.
This makes sense because there could be multiple valid inputs for the shopping cart form, all the attacker would have to do is know an item that the website is selling.
I understand how tokens work and add security in this case, because they ensure the user has actually filled in and pressed the "Submit" button of the form for each item added to the cart.
However, do tokens add any security to a user login form, which requires a username and password?
Since the username and password are very unique the attacker would have to know both in order for the login forgery to work (even if you didn't have tokens setup), and if an attacker already knew that, he could just sign onto the website himself. Not to mention, a CSRF attack that makes the user log himself in wouldn't have any practical purpose anyway.
Is my understanding of CSRF attacks and tokens correct? And are they useless for user login forms as I suspect?
Yes. In general, you need to secure your login forms from CSRF attacks just as any other.
Otherwise your site is vulnerable to a sort of "trusted domain phishing" attack. In short, a CSRF-vulnerable login page enables an attacker to share a user account with the victim.
The vulnerability plays out like this:
- The attacker creates a host account on the trusted domain
- The attacker forges a login request in the victim's browser with this host account's credentials
- The attacker tricks the victim into using the trusted site, where they may not notice they are logged in via the host account
- The attacker now has access to any data or metadata the victim "created" (intentionally or unintentionally) while their browser was logged in with the host account
As a pertinent example, consider YouTube. YouTube allowed users to see a record of "their own" viewing history, and their login form was CSRF-vulnerable! So as a result, an attacker could set up an account with a password they knew, log the victim into YouTube using that account — stalking what videos the victim was watching.
There's some discussion in this comment thread that implies it could "only" be used for privacy violations like that. Perhaps, but to quote the section in Wikipedia's CSRF article:
Login CSRF makes various novel attacks possible; for instance, an attacker can later log in to the site with his legitimate credentials and view private information like activity history that has been saved in the account.
Emphasis on "novel attacks". Imagine the impact of a phishing attack against your users, and then imagine said phishing attack working via the user's own trusted bookmark to your site! The paper linked in the aforementioned comment thread gives several examples that go beyond simple privacy attacks.
这篇关于登录表单是否需要针对CSRF攻击的令牌?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
