Why should I put a CSRF token in a JWT token?


Question

I want to bring up a doubt about JWT tokens and CSRF from the Stormpath post that explains the advantages and disadvantages of storing the JWT either in localStorage or cookies.


[...] if you are reading values out of a cookie using JS, that means you can't set the Httponly flag on the cookie, so now any JS on your site can read it, thus making it the exact same security-level as storing something in localStorage.

I'm trying to understand why they recommend adding the xsrfToken to the JWT. Doesn't storing your JWT in the cookie and then extracting it out and placing the JWT in the HTTP header and authenticating the request based on the HTTP header accomplish the same thing as Angular's X-XSRF-TOKEN? No other domain could make requests on a user's behalf if you authenticate based on the JWT in the header, since other domains cannot extract the JWT from the cookie. I don't understand the purpose of the xsrfToken in the JWT - perhaps it's just an additional layer of defense - meaning that attackers would have to have a compromised script on your site and CSRF a user at the same time. So they'd have to hit you in both ways to be able to pull off an attack.

Linking to this answer, which says:


The last thing is to ensure that you have CSRF protection on every HTTP request to ensure that external domains initiating requests to your site cannot function.

[...] Then, on every request into your server, ensure that your own JavaScript code reads the cookie value and sets this in a custom header, e.g. X-CSRF-Token, and verify that value on every request in the server. External domain clients cannot set custom headers for requests to your domain unless the external client gets authorization via an HTTP Options request, so any attempt at a CSRF attack (e.g. in an IFrame, whatever) will fail for them.

Even if they could set custom headers, they couldn't access the cookie where the JWT token is stored because only JavaScript that runs on the same domain can read the cookie.

The only way they could is via XSS, but having an xsrfToken in the JWT is compromised too if XSS vulnerabilities exist, because a malicious script running in the trusted client domain could access the JWT in the cookie and include a header in the request with the xsrfToken.

So the formula should be:


  • TLS + JWT stored in secure cookie + JWT in request header + No XSS vulnerabilities.

If the client and server are running in different domains, the server should send the JWT and the client should create the cookie with the JWT. I think that the equation is still valid for this situation.

UPDATE: MvdD agrees with me:


As the browser does not automatically add the header to your request, it is not vulnerable to a CSRF attack.


Recommended answer

I am the author of the Stormpath blog post. Storing the XSRF token in the JWT isn't about it being in the JWT, it is about it being in a cookie. The cookie should be httpOnly, so you cannot read it from JavaScript.

Now, I think the point that caused a little confusion is where I talk about Angular. Angular sets its own XSRF cookie as well (which is not httpOnly) to put it into the header at request time (which can only be done by JavaScript on the same domain). These are not the same cookie.

If you think about implementing XSRF support in your application, this has been done by storing server-side state, and that is the point of storing the XSRF. Storing it in the httpOnly cookie is about being stateless with XSRF. Here, you would validate the JWT signature, get the XSRF out of the claims, and compare it to the header.

The answer to your question is: so that you do not need to store state on your server.
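The check the answer describes (validate the JWT signature, pull the XSRF value out of the claims, compare it to the header) and the question's own "JWT in an httpOnly cookie plus a custom header" scenario fit in one short server-side routine. The following Python is an added example, not code from the question, the Stormpath post or any of the answers; it hand-rolls HS256 with the standard library so it runs offline, and the function names, the cookie name `jwt`, the header name `X-XSRF-TOKEN` and the signing key are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed demo key for this example only; a real deployment loads it from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def b64url_encode(data: bytes) -> str:
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    """JSON-serialise a JWT header or claim set into one base64url segment."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign(signing_input: str) -> str:
    """HS256 signature over 'header.claims' (assumed key above)."""
    return b64url_encode(hmac.new(SECRET_KEY, signing_input.encode(), hashlib.sha256).digest())


def issue_session(user_id: str, now: Optional[int] = None, ttl: int = 3600) -> Dict[str, str]:
    """Login step: mint a JWT whose claims carry a fresh random xsrf value.

    The JWT goes to the browser in an httpOnly cookie (page script cannot read it);
    the bare xsrf value is handed to the client separately (non-httpOnly cookie or
    response body) so that same-origin script can echo it back in a custom header.
    """
    now = int(time.time()) if now is None else now
    xsrf = secrets.token_urlsafe(32)
    signing_input = encode_segment({"alg": "HS256", "typ": "JWT"}) + "." + encode_segment(
        {"sub": user_id, "iat": now, "exp": now + ttl, "xsrf": xsrf}
    )
    jwt = signing_input + "." + sign(signing_input)
    return {
        "jwt": jwt,
        "set_cookie": "jwt=" + jwt + "; HttpOnly; Secure; SameSite=Lax; Path=/",
        "xsrf_token": xsrf,
    }


def verify_jwt(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Check the HS256 signature and expiry; return the claims, or None if invalid."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        # The signature is what makes the xsrf claim trustworthy without server-side
        # state, so check it before believing anything in the claims.
        if not hmac.compare_digest(sign(header_b64 + "." + claims_b64), sig_b64):
            return None
        header = json.loads(b64url_decode(header_b64))
        claims = json.loads(b64url_decode(claims_b64))
        if header.get("alg") != "HS256" or not isinstance(claims, dict):
            return None
        if int(claims.get("exp", 0)) <= now:
            return None
    except (ValueError, TypeError):
        return None
    return claims


def authorize_request(cookies: Dict[str, str], headers: Dict[str, str],
                      now: Optional[int] = None) -> Tuple[bool, str]:
    """Stateless auth + CSRF check for one state-changing request.

    A cross-site request gets the cookie attached by the browser automatically, but
    the attacker's page can neither read the cookie nor set a custom header, so the
    header is absent (or wrong) and the request is refused.
    """
    token = cookies.get("jwt")
    if token is None:
        return False, "no session cookie"
    claims = verify_jwt(token, now)
    if claims is None:
        return False, "invalid or expired JWT"
    expected = str(claims.get("xsrf", "")).encode()
    presented = headers.get("X-XSRF-TOKEN", "").encode()
    if not expected or not hmac.compare_digest(expected, presented):
        return False, "X-XSRF-TOKEN header missing or does not match the JWT claim"
    return True, str(claims.get("sub", ""))


if __name__ == "__main__":
    session = issue_session("alice")
    print("same-origin client:", authorize_request({"jwt": session["jwt"]}, {"X-XSRF-TOKEN": session["xsrf_token"]}))
    print("cross-site request:", authorize_request({"jwt": session["jwt"]}, {}))
```

The server keeps no per-user table of XSRF values: the claim inside the signed token is the only copy it needs, which is the statelessness the answer is pointing at. The same code also illustrates the question's closing point: if script running on the trusted origin is compromised, it can read whatever non-httpOnly copy of the xsrf value the page holds and set the header itself, so this check defends against cross-site requests, not against XSS.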
