CSRF protection techniques


Problem description

Can someone point me to information on how to protect applications from CSRF?

Any code related to this.

I am using extjs for the UI, Java on the backend and tomcat server.

Thanks.

Recommended answer

Use of the session id in the way dan_waterworth suggests, while easy, is very poor protection. The attacker only needs to capture the session id cookie and then can circumvent the protection for the life of the session.

The session id is a cookie, so it's submitted with any request. So all an attacker needs to do to capture the session id is to cause your application to submit a request to a server under the attacker's control. This could be done by a cross-site scripting attack but can also be done by framing the app and submitting the iFrame's forms (there are other ways to do this).

The interaction that needs to be protected from CSRF should include information that the attacker cannot possibly know in advance (a CSRF token) that is unique per session, per page and per form, then ideally used only once. The CSRF token should be submitted in the form, and not in a cookie (for the reason mentioned above). See the 'implementation example' in the OWASP CSRF protection cheat sheet for details and a sample implementation. Some web application engines (e.g. Tomcat 8) and frameworks (e.g. Spring, JSF) have protections that you can apply by turning on a configuration.
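A minimal synchronizer-token store in plain Java that follows the answer's requirements (a token per session and per form, carried in the form body rather than a cookie, accepted once only). This is an added example, not code from the answer or from the OWASP cheat sheet; the class and method names are my own, and it assumes one instance is kept per HTTP session (e.g. as a session attribute read by a servlet filter).

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Hypothetical helper: one instance per HTTP session, holding the outstanding
// token for each form (or page) the session has rendered.
public class CsrfTokenStore {
    private static final SecureRandom RNG = new SecureRandom();
    // formId -> token; an entry is removed the first time it validates
    private final Map<String, String> issued = new HashMap<>();

    // Called when a form is rendered; the returned value goes into a hidden field.
    public synchronized String issue(String formId) {
        byte[] raw = new byte[32];               // 256 bits, unguessable
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        issued.put(formId, token);               // a re-render replaces the old token
        return token;
    }

    // Called when the form is submitted; the token comes from the request body,
    // never from a cookie. Returns true only for the first matching submission.
    public synchronized boolean consume(String formId, String submitted) {
        String expected = issued.get(formId);
        if (expected == null || submitted == null) {
            return false;                        // unknown form or missing field
        }
        // Constant-time comparison so timing does not leak the token
        boolean ok = MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
        if (ok) {
            issued.remove(formId);               // single use: a replay is rejected
        }
        return ok;
    }

    public static void main(String[] args) {
        CsrfTokenStore session = new CsrfTokenStore();     // constructed sample session
        String token = session.issue("transfer-form");
        System.out.println("first submission:   " + session.consume("transfer-form", token));
        System.out.println("replayed token:     " + session.consume("transfer-form", token));
        token = session.issue("transfer-form");
        System.out.println("wrong form id:      " + session.consume("profile-form", token));
        System.out.println("forged token:       " + session.consume("transfer-form", "attacker-guess"));
    }
}
```

Because the store lives server-side in the session, a request that only carries the session cookie (the case the answer warns about) has no token to present and fails validation.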
