好像我对CSRF的理解不正确? [英] It seems like I understand CSRF incorrectly?
问题描述
阅读了许多有关CSRF的文档后,我仍然有些困惑。所以我希望有人可以向我解释一下:
After reading many documents regarding CSRF, I'm still a little bit confused. So I hope someone can please explain it to me:
-
让我们说一下我是否有一个仅用于经过身份验证的用户的个人资料页面,例如abc.com/profile,它会向我显示我的所有私人信息。如果我登录,然后转到不良网站,该网站可以某种方式获取并解析我的个人资料页面吗?
(我通过在其他站点上打开Firebug控制台,然后请求我的个人资料页面做了一点经验,看来至少我可以在网络标签的响应中看到全部内容,
Lets say if I have a profile page which is for authenticated users only, say abc.com/profile which shows me all my private info. If I logged in, then go to a "bad" site, can this site somehow get and parse my profile page? (I did a little experience by opening up the firebug console on a different site, then request my profile page, and it seems like at least I can see the whole content in "response" of the "Net" tab, haven't figured out how to get this content and parse it yet though. But perhaps it's possible?)
现在假设我的个人资料页面上有一个形式,当然具有csrf令牌。现在,如果攻击者可以获取我的熟练页面,他可以解析该内容,获取令牌,然后提交伪造的表单?
Now assume that I have on my profile page a form, which of course has csrf token. Now if an attacker could get my profule page, he could just parse that content, get the token then submit a fake form?
现在假设1和2是正确的,我应该怎么做才能防止此类情况的发生?
Now assume that 1 and 2 are correct, what should I do to prevent such cases from happening?
推荐答案
您的第一点是不正确的。
您无法从客户端上的其他域读取内容。
Your first point is not correct.
You cannot read content from a different domain on the client.
因此,一个敌对站点无法读取CSRF令牌。
Therefore, a hostile site cannot read the CSRF token.
您可以将请求发送到另一个域(CSRF攻击就是这样做的),但是您无法读取响应。
You can send requests to a different domain (which is what CSRF attacks do), but you can't read the responses.
这篇关于好像我对CSRF的理解不正确?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!