关于CSRF的问题 [英] Questions about CSRF

问题描述

在cookie中使用信号身份验证令牌进行身份验证是否安全（通过ajax仅发布和请求json）？

Is it safe to use a signal auth-token in cookie for auth (post and requst only json via ajax)?

为什么攻击者无法获得表单令牌

Why attacker can not get the form token in hidden field?

攻击者如何通过POST请求进行CSRF攻击？

How an attacker do a CSRF attack with a POST request?

推荐答案

在cookie中使用单个令牌进行身份验证是否安全？

Is it safe to use a single token in a cookie for authentication?

某种程度上，如果该cookie仅是HTTP（有助于防止XSS）和SSL，那么您网站之外的任何人都无法读取该cookie。

Sort of, if that cookie is HTTP-only (which helps protect against XSS) and SSL then there's no way anyone outside your site can read that cookie.

但是，用户的浏览器可以保留该cookie，并在他们的浏览器再次从您的应用程序请求页面时自动发送该cookie。当用户导航您的站点时，这是理想的，但也可能是CSRF攻击的可能。

However, the user's browser can retain that cookie, and will automatically send it whenever their browser requests a page from your application again. This is desired when the user is navigating your site, but also how a CSRF attack is possible.

为什么攻击者无法获得

Why can't the attacker get the form token in a hidden field?

在CSRF攻击中，黑客无法真正读取您的网站或Cookie，因为它应该是受SSL / HTTPS保护。 CSRF的工作方式是欺骗您的浏览器，将其数据和安全数据一起发送到您的站点。

In a CSRF attack the hacker can't actually read your site or the cookie because it should be protected by SSL/HTTPS. CSRF works by fooling your browser into sending their data along with your secure data to your site.

因此，隐藏字段中的值是CSRF默认防御措施的一部分-它们在Cookie中具有秘密值（黑客可以使浏览器欺骗其重新发送，但无法查看或编辑），并且在加密页面的隐藏输入字段中具有相同的值（黑客无法访问） ）。如果Cookie和隐藏值不匹配，则说明您遭受了CSRF攻击。

So a value in a hidden field is part of the default defence against CSRF - they have a secret value in a cookie (which the hacker can fool the browser into re-sending but can't see or edit) and the same value in a hidden input field in the encrypted page (which the hacker can't get to). If the cookie and the hidden value don't match then you have a CSRF attack.

攻击者如何利用POST请求？

How does an attacker carry out a CSRF attack with a POST request?

确定，所以假设您有一个安全的网站。您可以使用SSL登录该站点，并且会获得仅HTTP的SSL身份验证cookie，让您保持登录状态。

Ok, so suppose you have a secure website. You can log into this site using SSL and you'll get an HTTP-only SSL authentication cookie back that keeps you logged in.

现在，我有了一个新页面，一个完全不同的网站。如果我从我的网站链接到您的网站，则当您单击该链接时，它将通过您的cookie离开我的网站并转到您的网站。

Now I have a new page, on a completely different site. If I link to your site from mine then when you click on that link it will leave my site and go to yours, passing your cookie.

如果我添加HTML < form> 到我的页面，该页面将回发到您的站点，发生同样的事情：浏览器返回您的站点，并发送表单中的任何数据以及cookie。

If I add an HTML <form> to my page that POSTs back to your site the same thing happens: the browser goes back to your site and sends any data in the form, along with your cookie.

请注意，我没有读取您的cookie或您网站上的任何页面，因为两者均受SSL加密保护。

Note that I haven't read either your cookie or any pages on your site, as both are protected by SSL encryption.

为获得完整效果，我可以在页面上隐藏该表单，以便用户甚至不知道他们正在回发到您的网站。

For the full effect I can hide that form on the page so that the user doesn't even realise that they're posting back to your site.

一个简单的例子是Facebook上的赞功能-我认为他们已经对此进行了修补，但是有一段时间我可能会愚弄您的浏览器（无需访问您的详细信息）发送给您的身份验证Cookie到Facebook行动中，说您喜欢我想要的东西。

A trivial example of this is the 'Like' functionality on Facebook - they've patched this now I think, but for a while I could fool your browser (without accessing your details) into sending your authentication cookie to the Facebook action that says you like something I want you to.

这篇关于关于CSRF的问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！