PHP Form Security With Referer


Question

I'm putting together a site that will make itself available for user input. I was wondering if writing a function like:

<?php
// Check posted by the asker: exact string comparison of the Referer header
// against the URL of the form page. Any other value aborts the request.
if (getenv("HTTP_REFERER") != 'http://www.myURL.com/submitArea') {
    die('don\'t be an jerk, ruin your own site');
} else {
    // continue with form processing
}

is enough to prevent cross site form submissions.

And if not, what is the best practice for preventing forms from being submitted from other hosts?

Recommended answer

Actually yes, according to the OWASP CSRF Prevention Cheat Sheet in most cases checking the referer is enough to patch a CSRF vulnerability. Although it is trivial to spoof the referer on your OWN BROWSER it is impossible to spoof it on another browser (via CSRF) because it breaks the rules.

In fact checking the referer is very common to see on embedded network hardware where Memory is scarce. Motorola does this for their Surfboard Cable Modems. I know this first hand, because I hacked them with csrf and then they patched it using a referer check. This vulnerability received a severity metric of 13.5 and according to the Department of Homeland Security this is the most dangerous CSRF vulnerability ever discovered and in the top 1,000 most dangerous software flaws of all time.
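The asker's snippet compares the whole Referer string against one fixed URL, so a query string, a trailing slash, or a different path on the same site would be rejected, and an empty header is handled only by accident. The following is an added example (not code from the question or the answer) of a referer-based CSRF check that compares only scheme, host and port, prefers the Origin header when the browser sends it, and fails closed when neither header is present. The site URL and the sample requests are constructed placeholders. Note that some users or proxies strip the Referer header, so failing closed can reject legitimate submissions; OWASP recommends this header check as defense in depth alongside a per-session CSRF token.

```php
<?php
// Added example: origin/referer check that fails closed.
// TRUSTED_ORIGIN is an assumed placeholder for your own site.
const TRUSTED_ORIGIN = 'https://www.example.com';

/**
 * Returns true when the request originated from a page on TRUSTED_ORIGIN.
 * A missing or malformed header is treated as cross-site, because a browser
 * making a CSRF request from another site cannot set Origin or Referer to
 * your host.
 *
 * @param array<string,string> $server  the $_SERVER array (or a test stand-in)
 */
function isSameSiteRequest(array $server, string $trusted = TRUSTED_ORIGIN): bool
{
    // Origin is sent on cross-origin POSTs by modern browsers; Referer is the fallback.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false;
    }

    $got  = parse_url($source);
    $want = parse_url($trusted);
    if ($got === false || empty($got['scheme']) || empty($got['host'])) {
        return false;
    }

    // Fill in default ports so "https://host" and "https://host:443" compare equal.
    $portOf = function (array $u): int {
        return $u['port'] ?? (strtolower($u['scheme']) === 'https' ? 443 : 80);
    };

    // Host comparison is exact (case-insensitive), so "www.example.com.evil.test"
    // and "evil.test/?www.example.com" do not match.
    return strcasecmp($got['scheme'], $want['scheme']) === 0
        && strcasecmp($got['host'], $want['host']) === 0
        && $portOf($got) === $portOf($want);
}

// Constructed sample requests for a quick self-check of the decision logic.
$samples = [
    'same site, query string'   => ['HTTP_REFERER' => 'https://www.example.com/submitArea?x=1'],
    'same site, Origin only'    => ['HTTP_ORIGIN'  => 'https://www.example.com'],
    'explicit default port'     => ['HTTP_REFERER' => 'https://www.example.com:443/form'],
    'look-alike host'           => ['HTTP_REFERER' => 'https://www.example.com.evil.test/'],
    'host hidden in query'      => ['HTTP_REFERER' => 'https://evil.test/?www.example.com'],
    'downgraded scheme'         => ['HTTP_REFERER' => 'http://www.example.com/form'],
    'no header at all'          => [],
];

foreach ($samples as $label => $server) {
    printf("%-26s %s\n", $label, isSameSiteRequest($server) ? 'allow' : 'reject');
}
```

In the form handler, call `isSameSiteRequest($_SERVER)` before processing the POST and respond with a 403 on failure; the first three samples are allowed and the remaining four are rejected.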
