CSRF protection of GET links


Question

I need to add CSRF protection to a web application.

The problem is that the app relies heavily on links (GET requests, that is) to make changes in the database.

Links are generated using a class, so I could easily add an extra parameter for the CSRF token to each link.

However, I understand that a CSRF token in a GET request might not be good enough protection.

Note that the app is only available over HTTPS, so GET params cannot be exposed/stolen during client/server communication (but the history-stealing issue remains).

Could a GET CSRF token param be considered "safe enough" in this setting?

If not, what is the best way to solve this problem? The only thing that comes to my mind is to wrap each of my links into a form (either explicitly, or creating the form onSubmit using JavaScript).

Answer

To be able to read the response to a CSRF attack's request, an attacker would need to get the victim to execute his JavaScript code. So CSRF for a "GET" request is almost not useful. This assumes you have followed the standard that "GET" requests should not modify any data and that any modifications need to be done only using "POST".

  1. Using cookie-based authentication and SSL should keep you away from a guy who is trying to change the parameters.
  2. You may want to introduce some signing based on a timestamp to avoid replay attacks.

That said, if you have any POST requests, you should consider CSRF protection.
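As an added example (not part of the question or the answer above, and not the asker's link class), here is one way to combine the two ideas on this page in Python: the extra CSRF parameter the asker can append to every generated link, and the timestamp-based signing the answer suggests against replay. Each link carries a token that is an HMAC over the session identifier, the link's own path and query parameters, and the time of issue; the server recomputes the MAC from the request and rejects tokens that are expired, were issued to a different session, or are being reused on a different link. The function names, the `csrf` parameter name, the 600-second lifetime and the secret are all assumptions for this example; the secret is a constructed placeholder.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder for the example; a real deployment loads the
# secret from configuration and never ships it in code.
SECRET = b"example-server-secret-not-for-production"
TOKEN_TTL = 600  # seconds a signed link stays usable (assumed value)
TOKEN_PARAM = "csrf"  # query parameter name (assumed)


def canonical_action(path: str, params: dict) -> str:
    """Stable string describing the exact link the token is bound to.

    The token parameter itself is excluded, and the remaining parameters
    are sorted so that reordering them does not change the action.
    """
    items = sorted((k, v) for k, v in params.items() if k != TOKEN_PARAM)
    return path + "?" + urlencode(items)


def _mac(session_id: str, action: str, issued_at: int) -> str:
    # Binding the MAC to the session means a token captured from one
    # user's history cannot be replayed by a different logged-in user.
    msg = f"{session_id}|{action}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_token(session_id: str, action: str, now=None) -> str:
    """Return '<issue time>.<hex mac>' for this session and action."""
    issued_at = int(now if now is not None else time.time())
    return f"{issued_at}.{_mac(session_id, action, issued_at)}"


def verify_token(session_id: str, action: str, token: str,
                 now=None, ttl: int = TOKEN_TTL) -> bool:
    """Check signature, session binding, action binding and age."""
    now = int(now if now is not None else time.time())
    try:
        ts_str, sig = token.split(".", 1)
        issued_at = int(ts_str)
    except (ValueError, AttributeError):
        return False  # malformed or missing token
    if not sig.isascii():
        return False  # compare_digest needs ASCII str on both sides
    if issued_at > now or now - issued_at > ttl:
        return False  # clock skew, or replay window has closed
    # Constant-time comparison: do not leak where the MAC first differs.
    return hmac.compare_digest(sig, _mac(session_id, action, issued_at))


def build_link(base_path: str, params: dict, session_id: str, now=None) -> str:
    """What the link-generating class would emit: the URL plus its token."""
    token = make_token(session_id, canonical_action(base_path, params), now)
    return base_path + "?" + urlencode({**params, TOKEN_PARAM: token})


def check_request(url: str, session_id: str, now=None) -> bool:
    """Server side: rebuild the action from the request and verify the token."""
    parsed = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    token = qs.pop(TOKEN_PARAM, "")
    return verify_token(session_id, canonical_action(parsed.path, qs), token, now)


if __name__ == "__main__":
    link = build_link("/item/delete", {"id": "42"}, "sess-A", now=1000)
    print(link)
    print("same session, in time:", check_request(link, "sess-A", now=1100))
    print("other session:        ", check_request(link, "sess-B", now=1100))
    print("other target:         ", check_request(link.replace("id=42", "id=43"), "sess-A", now=1100))
    print("after TTL:            ", check_request(link, "sess-A", now=1601))
```

Two caveats a practitioner would add here. The token still lands in browser history, Referer headers sent to other origins, and any server or proxy log that records query strings; the short lifetime narrows the replay window but does not change that, which is the history-stealing point the asker already raises, and why the form-wrapping approach (moving the state change to POST) is the cleaner fix. Second, the binding to the exact path and parameters means a token leaked from one link is useless for any other link, so an attacker who obtains one cannot reuse it to delete a different item.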
