什么是CSRF令牌?它的重要性是什么?它是如何工作的? [英] What is a CSRF token? What is its importance and how does it work?
问题描述
我正在编写一个应用程序(Django,它确实发生了),我只想知道实际上是什么"CSRF令牌"?是以及它如何保护数据.
I am writing an application (Django, it so happens) and I just want an idea of what actually a "CSRF token" is and how it protects the data.
如果您不使用CSRF令牌,发布数据是否不安全?
Is the post data not safe if you do not use CSRF tokens?
推荐答案
简单的跨站请求伪造(CSRF)
- 假设您当前正在
www.mybank.com登录到网上银行 - 假设从
mybank.com进行转帐,将会(在概念上)请求http://www.mybank.com/transfer?to=<SomeAccountnumber>; amount =< SomeAmount>.(因为您的登录名隐含了您的帐号,所以不需要.) - 您访问
www.cute-cat-pictures.org,却不知道这是一个恶意网站. - 如果该网站的所有者知道上述请求的形式(简单!),并且正确地猜测您已登录
mybank.com(需要运气!),则可以将其包含在其页面上像http://www.mybank.com/transfer?to=123456;amount=10000之类的请求(其中123456是开曼群岛帐户的号码和10000是您以前认为自己高兴拥有的金额). - 您检索了
www.cute-cat-pictures.org页面,因此您的浏览器将发出该请求. - 您的银行无法识别请求的来源:您的网络浏览器将发送请求以及您的
www.mybank.comCookie,并且看起来完全合法.你的钱去了! - Assume you are currently logged into your online banking at
www.mybank.com - Assume a money transfer from
mybank.comwill result in a request of (conceptually) the formhttp://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.) - You visit
www.cute-cat-pictures.org, not knowing that it is a malicious site. - If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into
mybank.com(requires some luck!), they could include on their page a request likehttp://www.mybank.com/transfer?to=123456;amount=10000(where123456is the number of their Cayman Islands account and10000is an amount that you previously thought you were glad to possess). - You retrieved that
www.cute-cat-pictures.orgpage, so your browser will make that request. - Your bank cannot recognize this origin of the request: Your web browser will send the request along with your
www.mybank.comcookie and it will look perfectly legitimate. There goes your money! - 转移请求使用第三个参数扩展:
http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971. - 该令牌是一个巨大的,无法猜测的随机数,当
mybank.com提供给您时,该随机数将包含在他们自己的网页上.每次他们向任何人提供任何页面时,它们都是不同的. - 攻击者无法猜测令牌,无法说服您的网络浏览器将其交出(如果浏览器正常工作...),因此攻击者将不能之所以创建一个有效的请求,是因为
www.mybank.com会拒绝具有错误令牌(或没有令牌)的请求. - The transfer request is extended with a third argument:
http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971. - That token is a huge, impossible-to-guess random number that
mybank.comwill include on their own web page when they serve it to you. It is different each time they serve any page to anybody. - The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly...), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by
www.mybank.com.
Cross-Site Request Forgery (CSRF) in simple words
这是没有CSRF令牌的世界.
现在更好的 CSRF令牌:
Now for the better one with CSRF tokens:
结果:您保留了 10000 货币单位.我建议您将其中一些捐献给Wikipedia.
Result: You keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.
(您的里程可能会有所不同.)
(Your mileage may vary.)
评论中的编辑值得阅读:
值得注意的是, www.cute-cat-pictures.org 中的脚本通常无法访问 www.mybank.com中的反CSRF令牌,因为HTTP访问控制.对于某些人,他们不了解每个网站的响应而无意中发送了每个网站响应的标头 Access-Control-Allow-Origin:* ,对于某些人来说很重要,因为他们不能使用另一个API网站.
It would be worthy to note that script from www.cute-cat-pictures.org normally does not have access to your anti-CSRF token from www.mybank.com because of HTTP access control. This note is important for some people who unreasonably send a header Access-Control-Allow-Origin: * for every website response without knowing what it is for, just because they can't use the API from another website.
这篇关于什么是CSRF令牌?它的重要性是什么?它是如何工作的?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
