将CSRF令牌发送到javascript
[英]Send CSRF token to javascript
问题描述
Suppose I maintain a anti CSRF token at server side in a session 
假设我在会话的服务器端维护一个反CSRF令牌
How am I supposed to pass the token to client side application if my form generation is going to be dynamic(ie form will be created after some action has been performed by javascript) 如果我的表单生成将是动态的,我应该如何将令牌传递给客户端应用程序(即,表单将由javascript执行某些操作后创建)
Is there a way to pass the token to javascript so that I can inject the token in the form. 有没有一种方法可以将令牌传递给javascript,以便我可以将令牌注入表单中。
One working way that I found is send a cookie to the browser containing the token which will be then extracted by javascript. 我发现的一种有效的方法是将包含令牌的cookie发送到浏览器,然后将其用javascript提取。
Any suggestions? 有什么建议么?
2 个解决方案
解决方案1
1 2015-01-26 21:09:57
I would suggest starting out from a secure token, and then improving it through JavaScript according to dynamic form Creation. 我建议从安全令牌开始,然后根据动态表单创建通过JavaScript对其进行改进。
Eg, like: 例如,例如:
<input type="hidden" name="csrftoken" value="hgdillksdbgjksdbkvbskb">
Where the "value" parameter is generated on server-side when page loads. 页面加载时在服务器端生成“ value”参数的位置。
And then you have a script like: 然后,您将获得一个脚本,例如:
csrftoken = document.mainform.csrftoken.value;
# Do something with the CSRF token, like add dynamic values, like sha256(csrftoken + "dynamicvalue");
document.mainform.csrftoken.value = csrftoken;
The main idea of this, is to prevent, that even if they manage to get a exploit that would allow a adverisary to read the JavaScript code, they still cannot make up a valid CSRF token, since they cannot read the original "csrftoken" value that was inside the form at page load. 这样做的主要思想是防止即使他们设法获得允许广告商读取JavaScript代码的漏洞利用,也仍然不能组成有效的CSRF令牌,因为它们无法读取原始的“ csrftoken”值页面加载时位于表单内部。 This can also be used to "chain" AJAX requests, like that you start out with the token X during page load. 这也可以用来“链接” AJAX请求,就像您在页面加载期间以令牌X开头一样。 Then you transform it to Y using JavaScript, send it in a AJAX request. 然后,使用JavaScript将其转换为Y,并在AJAX请求中发送。 In the next AJAX request, you can use Y as base in the algoritm, to create Z, and send to the server. 在下一个AJAX请求中,您可以将Y用作算法的基础,以创建Z并将其发送到服务器。 A attacker cannot gain access to X, thus they cannot either get access to Y neither Z, even if they would in some way be able to exploit running JavaScript code to reveal itself. 攻击者无法获得X的访问权,因此即使他们以某种方式能够利用运行中的JavaScript代码来揭示自身,他们也无法访问Y或Z。
Note that page contents cannot be read by a adversiary due to Same origin policy. 请注意,由于“同源起点”政策,对手无法读取页面内容。 But Javascript can contain exploits that would make it possible to read the actual running JavaScript code. 但是Javascript可能包含一些漏洞,这些漏洞将使读取实际运行的JavaScript代码成为可能。 Theres no such exploits currently, but better be safe than sorry. 目前尚无此类漏洞利用,但总比后悔安全。
解决方案2
0 2015-01-26 20:26:52
Sure. 当然。 If you're dynamically generating the form on the client side then you're doing it from some kind of template. 如果要在客户端动态生成表单,则可以通过某种模板来完成。 The token should be an argument to that creation function. 令牌应该是该创建函数的参数。
Pass the token along to the client at request/render time and then inject it into the form as a hidden element at form generation time. 在请求/呈现时将令牌传递给客户端,然后在表单生成时将其作为隐藏元素注入表单。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.