X-Requested-With标头服务器检查是否足以保护Ajax驱动的应用程序免受CSRF的侵害? [英] Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?

问题描述

我正在开发一个完全由ajax驱动的应用程序，其中所有请求都通过一个基本上等于一个主控制器的主控制器，该主控制器看起来像这样:

I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something like this:

if(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
    fetch($page);
}

这通常足以防止跨站点请求伪造吗?

Is this generally sufficient to protect against cross-site request forgeries?

当每次请求都没有刷新整个页面时，使用旋转令牌是很不方便的.

It's rather inconvenient to have a rotating token when the entire page isn't refreshed with each request.

我想我可以在每次请求时都将唯一令牌作为全局javascript变量进行传递和更新-但无论如何，这感觉很笨拙，而且似乎天生就不安全.

I suppose I could pass and update unique token as a global javascript variable with every request -- but somehow that feels clumsy and seems inherently unsafe anyway.

编辑-也许像用户的UUID这样的静态令牌总比没有好?

EDIT - Perhaps a static token, like the user's UUID, would be better than nothing?

编辑#2-正如 The Rook 指出的那样，这可能是一个令人毛骨悚然的问题.我已经阅读了两种方式的猜测，并且听到了关于旧版本Flash可用于这种恶作剧的遥远的耳语.由于我对此一无所知，因此我向所有可以解释这是CSRF风险的人提供悬赏.否则，我会将其发送给 Artefacto .谢谢.

EDIT #2 - As The Rook pointed out, this might be a hair-splitting question. I've read speculation both ways and heard distant whispers about older versions of flash being exploitable for this kind of shenanigans. Since I know nothing about that, I'm putting up a bounty for anyone who can explain how this is a CSRF risk. Otherwise, I'm giving it to Artefacto. Thanks.

推荐答案

我会说就足够了.如果允许跨域请求，那么您将注定要失败，因为攻击者可能会使用Javascript来获取CSRF令牌并将其用于伪造的请求中.

I'd say it's enough. If cross-domain requests were permitted, you'd be doomed anyway because the attacker could use Javascript to fetch the CSRF token and use it in the forged request.

静态令牌不是一个好主意.每个会话至少应生成一次令牌.

A static token is not a great idea. The token should be generated at least once per session.

EDIT2 麦克毕竟不对，对不起.我没有正确阅读链接到的页面.它说:

EDIT2 Mike is not right after all, sorry. I hadn't read the page I linked to properly. It says:

一个简单的跨站点请求是这样的:[...] 不使用HTTP请求设置自定义标头(例如X-Modified等)

A simple cross-site request is one that: [...] Does not set custom headers with the HTTP Request (such as X-Modified, etc.)

因此，如果您设置了X-Requested-With，则该请求必须是预执行的，除非您响应飞行前OPTIONS的请求以授权跨站点请求，否则该请求将无法通过.

Therefore, if you set X-Requested-With, the request has to be pre-flown, and unless you respond to pre-flight OPTIONS request authorizing the cross-site request, it won't get through.

编辑 Mike是正确的，从Firefox 3.5开始，跨站点XMLHttpRequests是允许.因此，您还必须检查Origin标头(如果存在)是否与您的网站匹配.

EDIT Mike is right, as of Firefox 3.5, cross-site XMLHttpRequests are permitted. Consequently, you also have to check if the Origin header, when it exists, matches your site.

if (array_key_exists('HTTP_ORIGIN', $_SERVER)) {
    if (preg_match('#^https?://myserver.com$#', $_SERVER['HTTP_ORIGIN'])
        doStuff();
}
elseif (array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) &&
        (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'))
    doStuff(); 

这篇关于X-Requested-With标头服务器检查是否足以保护Ajax驱动的应用程序免受CSRF的侵害?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！