
Disable CSRF protection for Ajax Calls - How bad is it?

Guys, I'm running into a lot of trouble with CSRF and ajax calls in Laravel 5.

I am sending the X-CSRF token with every ajax call in the header, as explained here: http://laravel.com/docs/master/routing#csrf-x-csrf-token

The problem is, randomly, the token cannot be verified, and I end up with the following error:

TokenMismatchException in VerifyCsrfToken.php line 46:

It happens eventually, in 1 out of 10 calls, but still makes my application behave badly, since it's very dependent on these ajax calls.

So I posted here about the problem, but the best response I got was to "disable CSRF".

I have 2 questions about it:

1) Will disabling CSRF for ajax calls make my website vulnerable?

and

2) Is there another way I can protect it, if I find no other way but to disable CSRF?

The idea behind XSS attacks is that other sites trick your users into performing actions on your application using their session.

There are many types of XSS attacks out there. The following is just a simple example of one type that may happen.

So, imagine you have an admin route for deleting your website: /self-destruct. Now, imagine that you are logged into your website as admin. You have access to the route, but you would never go to it by accident.

Now, the idea is that as you're browsing the web, you come across a malicious site that, for some reason or another, redirects your browser to the /self-destruct route on your application.

With CSRF protection: the malicious site doesn't have a proper CSRF token to give to you to pass along to your route. Since your route requires a proper CSRF token, you'll get a TokenMismatchException error and your website is fine.

Without CSRF protection: the malicious site doesn't need anything extra. It has redirected you, a logged-in admin user, to your admin self-destruct route. Your website is now gone.

Security is always a balancing act. If you don't think there is any risk of XSS attacks on your website, then don't worry about it. If you're developing a banking application and you don't want an XSS attack to be able to transfer all the funds of any susceptible user to an offshore bank account, then CSRF would be a good idea.

Notice: the technical posts on this site follow the CC BY-SA 4.0 licence; if you need to republish, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

© 2020-2024 STACKOOM.COM