Doubt on prevention of CSRF


Question

I had one doubt about CSRF prevention. A lot of sites say that CSRF can be prevented by using 'tokens' which are randomly generated per session.

Now my doubt is, suppose I have a function like:

```javascript
// the token is rendered into the page by PHP and sent along with the AJAX POST
$.post("abcd.php", {'fbuid': userid, 'code': '<?php echo md5($_SESSION['randcode']); ?>'});
```

Now this md5 hash would obviously be visible to any hacker through the source code. He could simply open this page, generate a token, and keep the page open so that the session doesn't get destroyed, and use another tab or anything else to start hacking,

no?

Or is my idea of tokens incorrect?

Thanks for your help :D

Answer

I think you are misunderstanding what needs to be done. To protect against CSRF you need to create a token and save it for that session. Then you need to append all your submits and AJAX calls with that token.

For another person to send you to a page on your website they would need to have access to the request within the same session. It is true that one could parse the HTML and look for the token. But when they try to request an HTTP call on your website they will have a new session created. The new session will have a new token which will not match the token that was passed.

Next you will ask what if you can copy the cookies and the session id as a result. This is not something that is protected. I can simply sit at anybody's computer and copy all their cookies and I will then be logged in as them.
