How to fetch and reuse the CSRF token using Postman Rest Client

Views: 401
This article explains how to fetch and reuse a CSRF token with the Postman Rest Client. It should be a useful reference for anyone facing the same problem; follow along below.

Problem description

I am using Postman Rest client for hitting the rest services. I am getting the following error when I try to execute the rest service from Postman client.

HTTP Status 403 - Cross-site request forgery verification failed. Request aborted.

It appears that the rest services are secured by the implementation of a CSRF token. Does anybody have any idea about how to fetch the CSRF token and reuse it for future requests?

Solution

There are several ways to protect against CSRF in an application. Depending on which type of protection your services have, you will have to do slightly different things, and it may be relatively difficult.

Probably the most well-known protection is using synchronizer tokens, in which case you will have to download the page first, read the token and pass it back in the subsequent request, basically emulating a real user. As synchronizer tokens are stateful (require server state in the form of a user session), and your use case is a RESTful service, I suppose this is not the implemented method.

Another protection, more suitable for services can be some variation of double posting. In this case, depending on implementation, you will probably have to send back the same token value as a cookie and a request header, most probably.

Another method the services use may be encrypted tokens, which from your perspective is similar to synchronizer tokens (but stateless).

Yet another (btw much less secure) method may simply be checking the referer and/or the origin header in requests. In this case you just have to add the appropriate request headers.

I recommend you observe with a proxy like Fiddler on Windows or something like ZAP Proxy on Linux (or Windows) what method the service normally uses, what header values and cookie names it requires, etc. You can then make your own requests the right way, sending CSRF tokens as your services expect them.

The easiest way is to hit a GET service first so that we can get the response along with the CSRF token. We can use that CSRF token while sending the POST request again. The CSRF token can be found under the Body of the response in the POSTMAN client.
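The two answers above describe the same flow from two sides: the service hands out a token on a GET (as a cookie, in the body, or both) and the client must send that exact value back on the POST, typically as both a cookie and a request header (the "double posting" variant). The following is an added example, not code from the original post or from Postman; it simulates a stateless double-submit-cookie service offline and shows the client-side "fetch once, reuse on the next request" logic that a Postman Tests/Pre-request script would perform. The cookie name `csrftoken`, the header name `X-CSRF-Token` and the `csrfToken` body field are assumptions for the demo; real services use their own names, which is why the answer recommends watching the traffic in a proxy first.

```python
"""Added example: fetch a CSRF token on GET, reuse it on POST (double-submit cookie).
Service and client are both simulated in-process so this runs offline."""
import hmac
import json
import secrets
from http.cookies import SimpleCookie

# Assumed names for the demo; a real service's names must be read from its traffic.
COOKIE_NAME = "csrftoken"
HEADER_NAME = "X-CSRF-Token"


# --- constructed stand-in for the protected service -------------------------
def service_get():
    """GET handler: mints a random token, returns it as a cookie and in the body."""
    token = secrets.token_urlsafe(32)
    headers = {"Set-Cookie": f"{COOKIE_NAME}={token}; Path=/; SameSite=Strict"}
    body = json.dumps({"csrfToken": token, "items": []})
    return 200, headers, body


def service_post(headers, body):
    """POST handler: accepts only when the cookie token equals the header token.
    The comparison is constant-time so the check itself leaks nothing."""
    cookie = SimpleCookie()
    cookie.load(headers.get("Cookie", ""))
    cookie_token = cookie[COOKIE_NAME].value if COOKIE_NAME in cookie else ""
    header_token = headers.get(HEADER_NAME, "")
    if not cookie_token or not hmac.compare_digest(cookie_token, header_token):
        return 403, "Cross-site request forgery verification failed. Request aborted."
    return 201, f"created {json.loads(body)['name']}"


# --- client side: what a Postman test / pre-request script would do ---------
def extract_csrf_token(response_headers, response_body):
    """Take the token from Set-Cookie if present, else from a JSON body field."""
    cookie = SimpleCookie()
    cookie.load(response_headers.get("Set-Cookie", ""))
    if COOKIE_NAME in cookie:
        return cookie[COOKIE_NAME].value
    try:
        return json.loads(response_body).get("csrfToken")
    except (ValueError, AttributeError):
        return None


def build_post_headers(token):
    """Headers for the follow-up POST: the same value as cookie and as header."""
    return {
        "Content-Type": "application/json",
        "Cookie": f"{COOKIE_NAME}={token}",
        HEADER_NAME: token,
    }


def fetch_then_post(payload):
    """Full round trip: GET to obtain the token, then POST reusing it."""
    status, headers, body = service_get()
    if status != 200:
        return status, body
    token = extract_csrf_token(headers, body)
    return service_post(build_post_headers(token), json.dumps(payload))


def post_without_token(payload):
    """What the asker saw: a POST with no token is rejected with 403."""
    return service_post({"Content-Type": "application/json"}, json.dumps(payload))


if __name__ == "__main__":
    print(post_without_token({"name": "widget"}))   # (403, ...)
    print(fetch_then_post({"name": "widget"}))      # (201, 'created widget')
```

In Postman the same idea maps to a Tests script on the GET request that stores the token in an environment variable, and a header on the POST request that references that variable; the token value must be copied exactly, since the check is an equality comparison between the cookie and the header.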

That concludes this article on how to fetch and reuse the CSRF token using Postman Rest Client. We hope the answers recommended here are helpful, and thank you for supporting IT屋!
