CSRF protection with CORS Origin header vs. CSRF token


Question

This question is about protecting against Cross Site Request Forgery attacks only.

It is specifically about: Is protection via the Origin header (CORS) as good as the protection via a CSRF token?

Example:

  • Alice is logged in (using a cookie) with her browser to "https://example.com". I assume, that she uses a modern browser.
  • Alice visits "https://evil.com", and evil.com's client side code performs some kind of request to "https://example.com" (classic CSRF scenario).

So:

  • If we do not check the Origin header (server-side) and have no CSRF token, we have a CSRF security hole.
  • If we check a CSRF token, we are safe (but it is a bit tedious).
  • If we do check the Origin header, requests from evil.com's client-side code should be blocked just as when using a CSRF token - unless it is somehow possible for evil.com's code to set the Origin header.

I know, that this should not be possible with XHR (see e.g. Security for cross-origin resource sharing), at least not, if we trust the W3C spec to be implemented correctly in all modern browsers (can we?)

But what about other kinds of requests - e.g. form submit? Loading a script/img/... tag? Or any other way a page can use to (legally) create a request? Or maybe some known JS hack?

Note: I am not talking about

  • native applications,
  • manipulated browsers,
  • cross site scripting bugs in example.com's page,
  • ...

Answer

know, that this should not be possible with XHR (see e.g. Security for cross-origin resource sharing), at least not, if we trust the W3C spec to be implemented correctly in all modern browsers (can we?)

At the end of the day you have to "trust" the client browser to safely store user's data and protect the client-side of the session. If you don't trust the client browser, then you should stop using the web at all for anything other than static content. Even with using CSRF tokens, you are trusting the client browser to correctly obey the Same Origin Policy.

While there have been previous browser vulnerabilities such as those in IE 5.5/6.0 where it has been possible for attackers to bypass the Same Origin Policy and execute attacks, you can typically expect these to be patched as soon as discovered and with most browsers automatically updating, this risk will be mostly mitigated.

But what about other kinds of requests - e.g. form submit? Loading a script/img/... tag? Or any other way a page can use to (legally) create a request? Or maybe some known JS hack?

The Origin header is normally only sent for XHR cross-domain requests. Image requests do not contain the header.

Note: I'm not talking about

  • native applications,
  • manipulated browsers,
  • cross site scripting bugs in example.com's page,

I'm not sure whether this falls under manipulated browsers or not, but old versions of Flash allowed arbitrary headers to be set which would enable an attacker to send a request with a spoofed referer header from the victim's machine in order to execute an attack.
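The following is an added example, not code from the question or the answer above, showing how a server-side check can combine the two defenses discussed in the thread: verifying the request's source origin (the Origin header, with a Referer fallback that goes beyond what the thread covers) and verifying a session-bound CSRF token. It also shows the consequence of the answer's point that some requests carry no Origin header: an Origin-only policy must fail closed when neither Origin nor Referer is present, otherwise such requests would slip through. `TRUSTED_ORIGINS`, `SERVER_SECRET`, the function names and the session ids are constructed for the demo; example.com and evil.com come from the question.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Constructed allowlist of trusted origins (scheme + host [+ port]); example.com is the site from the question.
TRUSTED_ORIGINS = {"https://example.com"}
# Methods that must never change state, so they are exempt from the check.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Hypothetical server-side secret used to bind CSRF tokens to a session (constructed, not a real key).
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-style token: random nonce plus an HMAC over (session_id, nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the HMAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL (e.g. a Referer value) to its scheme://host[:port] origin."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def source_origin_verdict(headers: Dict[str, str]) -> str:
    """Return "trusted", "untrusted", or "unknown" (no usable Origin or Referer header).

    Origin is preferred; the Referer fallback is an addition beyond the thread, and
    an opaque "null" Origin is treated as absent rather than as a trusted value.
    """
    origin = headers.get("Origin")
    if origin and origin.lower() != "null":
        return "trusted" if origin.lower() in TRUSTED_ORIGINS else "untrusted"
    referer = headers.get("Referer")
    if referer:
        origin = _origin_of(referer)
        if origin is None:
            return "untrusted"
        return "trusted" if origin in TRUSTED_ORIGINS else "untrusted"
    return "unknown"


def csrf_check(method: str, headers: Dict[str, str], session_id: str,
               form_token: Optional[str], require_token: bool = True) -> Tuple[bool, str]:
    """Decide whether a state-changing request may proceed.

    require_token=True  -> origin check as a first filter, then the token must verify.
    require_token=False -> Origin-only policy; fails closed when the source is unknown,
                           since (per the answer) not every request carries Origin.
    """
    if method.upper() in SAFE_METHODS:
        return True, "accepted: safe method, no CSRF check needed"
    verdict = source_origin_verdict(headers)
    if verdict == "untrusted":
        return False, "rejected: cross-site source origin"
    if require_token:
        if not verify_csrf_token(session_id, form_token):
            return False, "rejected: missing or invalid CSRF token"
        return True, f"accepted: valid token, source origin {verdict}"
    if verdict == "unknown":
        return False, "rejected: no Origin/Referer header, source cannot be verified"
    return True, "accepted: trusted source origin"


if __name__ == "__main__":
    # Constructed requests: Alice's own form post, evil.com's forged post, and a header-less request.
    alice = "sess-alice"
    token = issue_csrf_token(alice)
    print(csrf_check("POST", {"Origin": "https://example.com"}, alice, token))
    print(csrf_check("POST", {"Origin": "https://evil.com"}, alice, token))
    print(csrf_check("POST", {}, alice, None, require_token=False))
```

The token check is what makes the difference in the last case: a request that arrives with neither Origin nor Referer (the answer's image-request case) cannot be attributed to a source at all, so the Origin-only policy has to reject it, whereas with a token the same request is judged on whether it carries a value only the legitimate page could have embedded.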
