使用随机头的HTTP(S)请求安全性
[英]HTTP(S) request security using random headers
问题描述
I understand that CSRF is a major security concern for HTTP(S)-based applications. 
我知道CSRF是基于HTTP(S)的应用程序的主要安全问题。
From the looks of it, most frameworks send the CSRF token as part of the request body. 从它的外观来看,大多数框架都将CSRF令牌作为请求体的一部分发送。 However, in my case that is somewhat inelegant for several reasons; 然而,在我的情况下,由于几个原因,这有点不优雅; most importantly I don't want to mess with the transport layer which might send POST requests in many different formats, not necessarily all are JSON or x-www-form-urlencoded . 最重要的是,我不想弄乱可能以多种不同格式发送POST请求的传输层,不一定都是JSON或x-www-form-urlencoded 。
As a solution, I was thinking of a much less intrusive alternative; 作为一种解决方案,我正在考虑一种不那么具有侵入性的替代方案; particularly, I am generating a random header: A randomized header name (common prefix), containing a random CSRF token. 特别是,我正在生成一个随机头:一个随机头标题(公共前缀),包含一个随机的CSRF令牌。
Is there any security (or other kind of) risk to that? 是否存在任何安全(或其他类型)风险?
2 个解决方案
解决方案1
2 2015-05-01 09:47:33
You could just set the X-Requested-With header and then check for this server side. 您可以设置X-Requested-With标头,然后检查此服务器端。 Many frameworks, like JQuery, add this automatically to AJAX requests. 许多框架(如JQuery)会自动将此添加到AJAX请求中。
X-Requested-With is a de-facto standard for indicating that the request is made via AJAX. X-Requested-With是一个事实上的标准,用于指示请求是通过AJAX进行的。
You do not need a random token as it is not possible for this header to be sent cross domain without the server opting in via CORS. 您不需要随机令牌,因为如果没有服务器选择通过CORS,则无法跨域发送此标头。
Therefore, setting and checking a non-standard header is a valid way to protect against CSRF. 因此,设置和检查非标准头是防止CSRF的有效方法。
The OWASP CSRF Prevention Cheat Sheet does not mention it, however it does mention checking the Origin header. OWASP CSRF预防备忘单没有提及它,但确实提到了检查Origin标题。 However, the logic for this is not straightforward as many browsers do not send Origin for same origin requests. 但是, 这种逻辑并不简单,因为许多浏览器不会为相同的原始请求发送Origin 。
Also this only works for AJAX requests. 此外,这仅适用于AJAX请求。 With a normal form POST it is not possible to add extra headers. 使用普通表单POST时,无法添加额外的标头。 Also, in the past there have been bugs with plugins like Flash that allowed any header to be set enabling an attacker to use Flash to make a cross-domain request. 此外,过去出现过像Flash这样的插件漏洞,允许设置任何标头,使攻击者能够使用Flash来发出跨域请求。 However, issues like these have long since been patched. 但是,像这样的问题早已被修补。
If you want a token as well as part of a defence in depth strategy, you could adapt X-Requested-With to include a random token that you then check. 如果您需要令牌以及深度防御策略的一部分,您可以调整X-Requested-With以包含随后的令牌然后检查。 eg X-Requested-With: XMLHttpRequest;0123456789ABCDEF . 例如X-Requested-With: XMLHttpRequest;0123456789ABCDEF 。
Then token could simply be a cookie value created just for CSRF prevention purposes (generated with a cryptographically secure algorithm and entropy source of course). 然后,令牌可能只是为了CSRF预防目的而创建的cookie值(当然使用加密安全算法和熵源生成)。
解决方案2
1 2015-04-30 08:44:27
Is there any security (or other kind of) risk to that?
There is no: as soon as you can pass it from the client and check on the server - you're fine 没有:只要你能从客户端传递它并检查服务器 - 你没事
Also, how often should I refresh the CSRF token?
Generally you should not refresh it at all. 通常你不应该刷新它。 If it's generated using cryptographically strong random number generator - you can have one per session. 如果它是使用加密强大的随机数生成器生成的 - 每个会话可以有一个。 What important is that it was not possible to guess it, so it should not derive from any known data. 重要的是它无法猜测它,因此它不应该来自任何已知数据。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.