Is Access-Control-Allow-Origin sufficient in preventing XSRF attacks?


Question

We're building an app with a Java Spring/Hibernate backend running in JBoss. The frontend is AngularJS.

We haven't yet done anything to set up XSRF tokens on the server end. We also don't (not yet anyway) have a requirement to allow other domains access to our web resources.

I figured I'd try to see if our site was vulnerable to an XSRF attack, so I set up a malicious webapp to post to one of our real app's URLs using Angular's $http.post(). I logged in to the real app, then I tried posting from the malicious app.

In the browser I got a 401 response and saw the error:

XMLHttpRequest cannot load http://localhost:8080/user/delete. No
'Access-Control-Allow-Origin' header is present on the requested resource.
Origin 'http://localhost:6543' is therefore not allowed access. The response
had HTTP status code 401.

The server side isn't set up to set Access-Control-Allow-Origin on the response, hence the above error.

So my question is, is simply omitting Access-Control-Allow-Origin from the response header adequate to prevent XSRF attacks?

Is there a way I could still do an XSRF attack on my site even though Access-Control-Allow-Origin is not set? If so, how? I'd like to demo this attack.

Thanks.

Recommended answer

No, this is not sufficient. Even though the browser gives the 'Access-Control-Allow-Origin' error, the request has still been made by the browser. If withCredentials is specified by the attacking page:

$http.post(url, data, {withCredentials: true, ...})

then the request will be sent to your domain with the victim's authentication cookies, meaning the request to http://www.example.com:8080/user/delete would succeed.

Also, this request could be made without XHR using a standard HTML form:

<form method="post" action="http://www.example.com:8080/user/delete">

and JavaScript would just be used to submit the form rather than making the request itself.

An easy way to protect your system against CSRF is to check for a custom header such as X-Requested-With or the Origin header. X-Requested-With cannot be sent cross-domain without enabling CORS server-side. However, the Synchronizer Token Pattern is still the strongest method of CSRF prevention, as this is not subject to flaws in browser plug-ins such as a previous flaw in Flash that allowed headers to be sent that weren't normally possible from a browser.

