没有Cookie，CSRF是否可能？ [英] Is CSRF possible without Cookies?

问题描述

我一直在调查这一段时间，但我没有找到任何东西来满足我的好奇心。作为用户，如果禁用Cookie，可能会成为CSRF攻击的受害者。显然CSRF依赖于用户浏览器将用户的凭证与伪造的请求一起发送到合法服务器。除了IP地址，浏览器不会自动发送任何其他会话值吗？在这种情况下，只要用户可以使用Cookie禁用登录，即使在易受攻击的网站上，他们也可以安全地访问CSRF。

I have been investigating this for some time, but I haven't found anything to satisfy my curiosity. Is it possible, as a user, to be the victim of a CSRF attack if cookies are disabled. Obviously CSRF depends on the users browser to send the user's credentials with the forged request to the legitimate server. Besides IP addresses, browsers don't automatically send in any other session values do they? In that case, as long as a user can login with cookies disabled, they would be safe from CSRF even on vulnerable websites.

推荐答案

所以，你必须问自己服务器如何知道另一个客户端？在大多数情况下，它是会话cookie，但也有其他方法。

So, you have to ask yourself how does the server know one client from another? In majority of cases, it is the session cookie, but there are other ways as well.

请考虑一个管理应用程序，该应用程序配置为仅当从本地主机访问时才工作。这里，服务器信任浏览器的IP地址。现在，如果攻击者创建了一个页面，例如< img src =http：// localhost / do / something / harmful/> ，并以某种方式让管理员访问他的页面，你有一个CSRF。

Consider an admin application, that is configured to work only if accessed from localhost. Here, the server is trusting the IP Address of the browser. Now, if an attacker creates a page like <img src="http://localhost/do/something/harmful"/>, and somehow gets the administrator to visit his page, you have a CSRF.

其他例子包括滥用Http基本和摘要认证，正如Bruno已经指出的。

Other examples include abusing Http basic and digest authentication, as Bruno already pointed out.

这篇关于没有Cookie，CSRF是否可能？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！