X-Requested-With标头服务器检查是否足以保护Ajax驱动的应用程序免受CSRF的侵害? [英] Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?
问题描述
我正在开发一个完全由ajax驱动的应用程序,其中所有请求都通过一个基本上等于一个主控制器的主控制器,该主控制器看起来像这样:
I'm working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something like this:
if(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest') {
fetch($page);
}
这通常足以防止跨站点请求伪造吗?
Is this generally sufficient to protect against cross-site request forgeries?
当每次请求都没有刷新整个页面时,使用旋转令牌是很不方便的.
It's rather inconvenient to have a rotating token when the entire page isn't refreshed with each request.
我想我可以在每次请求时都将唯一令牌作为全局javascript变量进行传递和更新-但无论如何,这感觉很笨拙,而且似乎天生就不安全.
I suppose I could pass and update unique token as a global javascript variable with every request -- but somehow that feels clumsy and seems inherently unsafe anyway.
编辑-也许像用户的UUID这样的静态令牌总比没有好?
EDIT - Perhaps a static token, like the user's UUID, would be better than nothing?
编辑#2-正如 The Rook 指出的那样,这可能是一个令人毛骨悚然的问题.我已经阅读了两种方式的猜测,并且听到了关于旧版本Flash可用于这种恶作剧的遥远的耳语.由于我对此一无所知,因此我向所有可以解释这是CSRF风险的人提供悬赏.否则,我会将其发送给 Artefacto .谢谢.
EDIT #2 - As The Rook pointed out, this might be a hair-splitting question. I've read speculation both ways and heard distant whispers about older versions of flash being exploitable for this kind of shenanigans. Since I know nothing about that, I'm putting up a bounty for anyone who can explain how this is a CSRF risk. Otherwise, I'm giving it to Artefacto. Thanks.
推荐答案
我会说就足够了.如果允许跨域请求,那么您将注定要失败,因为攻击者可能会使用Javascript来获取CSRF令牌并将其用于伪造的请求中.
I'd say it's enough. If cross-domain requests were permitted, you'd be doomed anyway because the attacker could use Javascript to fetch the CSRF token and use it in the forged request.
静态令牌不是一个好主意.每个会话至少应生成一次令牌.
A static token is not a great idea. The token should be generated at least once per session.
EDIT2 麦克毕竟不对,对不起.我没有正确阅读链接到的页面.它说:
EDIT2 Mike is not right after all, sorry. I hadn't read the page I linked to properly. It says:
一个简单的跨站点请求是这样的:[...] 不使用HTTP请求设置自定义标头(例如X-Modified等)
A simple cross-site request is one that: [...] Does not set custom headers with the HTTP Request (such as X-Modified, etc.)
因此,如果您设置了X-Requested-With
,则该请求必须是预执行的,除非您响应飞行前OPTIONS
的请求以授权跨站点请求,否则该请求将无法通过.
Therefore, if you set X-Requested-With
, the request has to be pre-flown, and unless you respond to pre-flight OPTIONS
request authorizing the cross-site request, it won't get through.
编辑 Mike是正确的,从Firefox 3.5开始,跨站点XMLHttpRequests是允许.因此,您还必须检查Origin
标头(如果存在)是否与您的网站匹配.
EDIT Mike is right, as of Firefox 3.5, cross-site XMLHttpRequests are permitted. Consequently, you also have to check if the Origin
header, when it exists, matches your site.
if (array_key_exists('HTTP_ORIGIN', $_SERVER)) {
if (preg_match('#^https?://myserver.com$#', $_SERVER['HTTP_ORIGIN'])
doStuff();
}
elseif (array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) &&
(strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'))
doStuff();
这篇关于X-Requested-With标头服务器检查是否足以保护Ajax驱动的应用程序免受CSRF的侵害?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!