Basic cookie & CSRF question


Question


I'm currently learning more about CSRF and I have a basic question about cookies. From Jeff Atwood's article on CSRF:


"When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. When an attacker submits a form on behalf of a user, he can only modify the values of the form. An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can send any value he wants with the form, he will be unable to modify or read the value stored in the cookie."


If cookies are a piece of text stored on a user's computer, how can they not modify/read the value of a cookie?


If they knew the value of the cookie and can see a pseudorandom value hidden in a form, wouldn't they have all they need to perform an attack?

Thanks,

Answer


Same origin policy means that an attacking website is unable to read the cookies from another domain. See http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_cookies


We're not talking about an attacker who has a rootkit or something of the sort on a user's computer, what CSRF protects from is a malicious server having a user submit a form via a POST request to a domain that the malicious server wants to attack. Because the malicious server can't read the cookie from the target domain, they can't properly fill out the CSRF field for the POST request they're making.
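The following added example (not part of the question or the answer above) shows the double-submit check the quoted passage describes, and why the attacker's position is weaker than the question assumes. The server issues a random token, sends it both as a cookie and as a hidden form field, and on POST accepts the request only if the two match. In the simulated cross-site request the browser still attaches the victim's real cookie, but the attacker's page can only fill the form field with a value of its own choosing, because the same-origin policy stops it from reading the victim's cookie. Names such as `issue_token`, `is_valid_post` and `simulate`, and the `csrf_token` cookie/field name, are assumptions of this example.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs


def issue_token() -> str:
    """Random per-session CSRF token; the server sets it as a cookie
    and also embeds it in every state-changing form it renders."""
    return secrets.token_urlsafe(32)


def render_form(token: str) -> str:
    """Hypothetical server-side template: the hidden field carries the token."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '</form>'
    )


def is_valid_post(cookie_header: str, form_body: str) -> bool:
    """Double-submit cookie check on an incoming POST.

    cookie_header: raw value of the request's Cookie header
    form_body:     raw application/x-www-form-urlencoded body
    Returns True only if both tokens are present and identical.
    """
    cookies = SimpleCookie()
    cookies.load(cookie_header)
    if "csrf_token" not in cookies:
        return False
    cookie_token = cookies["csrf_token"].value
    form_token = parse_qs(form_body).get("csrf_token", [""])[0]
    if not cookie_token or not form_token:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(cookie_token, form_token)


def simulate() -> dict:
    """Constructed requests illustrating the three cases discussed above."""
    token = issue_token()  # what the target site set in the victim's browser

    # 1. Legitimate submission: the browser sends the cookie, and the form
    #    field contains the same value the server rendered into the page.
    legitimate = is_valid_post(f"csrf_token={token}",
                               f"csrf_token={token}&amount=100")

    # 2. Cross-site forgery: an attacker-controlled page auto-submits a form to
    #    the target site. The browser attaches the victim's real cookie, but the
    #    attacker cannot read that cookie, so the hidden field holds only a guess.
    attacker_guess = issue_token()
    forged = is_valid_post(f"csrf_token={token}",
                           f"csrf_token={attacker_guess}&amount=100")

    # 3. Forged request that omits the field entirely.
    missing = is_valid_post(f"csrf_token={token}", "amount=100")

    return {"legitimate": legitimate, "forged": forged, "missing": missing}


if __name__ == "__main__":
    print(render_form(issue_token()))
    print(simulate())
```

The cookie sent with the forged request is genuine because the browser adds it automatically; what the attacker lacks is the ability to read it, so the form half of the pair cannot be completed. A plain double-submit cookie as shown here is the minimal form of the pattern; production frameworks usually bind the token to the server-side session or sign it, so that a cookie planted from another host on the same registrable domain cannot satisfy the check either.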

