Why bother requiring CSRF token on POST requests?


Question

My understanding is that CSRF prevents an attacker using an <img> tag to get the victim's browser to send a request that would be authenticated using the session cookie. Given that <img>s are always submitted using a GET request, not POST, then why is it necessary to require a CSRF token in a POST request?

Also, the attacker wouldn't be able to submit a form in the webpage without being able to run code (i.e. an XSS attack), in which case they can circumvent your CSRF protections anyway.

Recommended answer

The attacker can host a form on their own site, but it does not require the form to be submitted by the user. They can use JavaScript to do this:

<form method="post" action="http://www.example.com/executeAction">
    <input type="hidden" name="action" value="deleteAllUsers">
</form>

<script>document.forms[0].submit()</script>

IFrame injection is more of an XSS vulnerability. An XSS vulnerability is more serious than a CSRF one because more damage can be done and it will always override any CSRF protection you have. Make sure you are always correctly encoding output for the context that the output is in (e.g. encode for HTML or for JavaScript as appropriate).

Check out the Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - their best recommendation is to use the Synchronizer Token Pattern, which seems similar to the link in your answer but can work in combination with cookies.

Also, here is a link to the XSS (Cross Site Scripting) Prevention Cheat Sheet.
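To make the answer concrete, here is an added example (not part of the original answer) of the Synchronizer Token Pattern it recommends: the server mints a per-session token, the site's own form carries it, and the POST handler rejects the attacker-hosted form above because the browser sends the session cookie but the cross-site page cannot read or supply the token. The in-memory session store, the `/executeAction` handler and the `deleteAllUsers` action are constructed for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory stand-in for a server-side session store, keyed by the
# value of the session cookie.
SESSIONS = {}

def new_session():
    """Create a logged-in session and mint its CSRF token (Synchronizer Token Pattern)."""
    session_id = secrets.token_urlsafe(32)
    # token_urlsafe yields only [A-Za-z0-9_-], so it is safe to embed in an HTML attribute.
    SESSIONS[session_id] = {"user": "alice", "csrf_token": secrets.token_urlsafe(32)}
    return session_id

def render_form(session_id):
    """The legitimate page on the site embeds the session's token as a hidden field."""
    token = SESSIONS[session_id]["csrf_token"]
    return ('<form method="post" action="/executeAction">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="hidden" name="action" value="deleteAllUsers"></form>')

def handle_post(cookies, form):
    """Perform the state-changing action only if the submitted token matches the session's."""
    session = SESSIONS.get(cookies.get("session"))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(session["csrf_token"], submitted):
        return 403, "CSRF token missing or invalid"
    return 200, f"performed {form.get('action')}"

def demo():
    """Replay a forged cross-site POST and a legitimate same-site POST against the handler."""
    sid = new_session()
    cookies = {"session": sid}  # the browser attaches this cookie to every request to the site
    # 1. Forged POST from the attacker's auto-submitting form: cookie is sent, token is absent.
    forged = handle_post(cookies, {"action": "deleteAllUsers"})
    # 2. Legitimate POST: the token is taken from the form the site itself rendered.
    token = render_form(sid).split('name="csrf_token" value="')[1].split('"')[0]
    legit = handle_post(cookies, {"action": "deleteAllUsers", "csrf_token": token})
    return forged, legit

if __name__ == "__main__":
    print(demo())
```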

