CSRF Token in REST API with authentication

I understood the purpose of the CSRF Token protection.

However, I think this protection is useless and we should remove it in the case of a REST API requiring an authentication token in the header for each action.

This way, even if Mallory forges a malicious HTML link to Alice, the attack cannot be done. The reason is that:

Alice keeps her authentication information in a header key that Mallory doesn't know. And unlike a cookie, Alice's browser doesn't submit this authentication token automatically.

So in this context, I would like to have your point of view about the question: can we remove a CSRF token protection from this kind of API design?

Yes, you don't need CSRF protection when using a bearer scheme authentication as the browser does not automatically add the Authorization header to the request.

You do need CSRF protection for cookies, basic, Windows, digest and client certificates authentication schemes as these are automatically added by the browser.

See also Dominick Baier's article on implicit vs explicit authentication: http://leastprivilege.com/2015/04/01/implicit-vs-explicit-authentication-in-browser-based-applications/

Theoretically, you don't need CSRF protection as you described. But one of my main concerns is where to store the access token. The local storage of the browser does not provide good security. So it's often stored in cookies. And so, the CSRF vulnerability comes back.

Jean-Christophe Baey described in his article a two-cookie mechanism to prevent access tokens from CSRF and from being stolen by XSS.

To sum that article up: The payload of the access token is stored in a cookie that is accessible by JavaScript. The signature of the access token is stored in a cookie that is NOT accessible by JavaScript. The client reads the payload from the cookie and passes it in the Authentication-Header to the server. The server validates the token based on the signature which is sent in the HttpOnly cookie.

So, it's CSRF-safe and an attacker cannot steal the entire token via XSS because there is no JS-access to the signature.
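The server side of the split-token scheme described in the answer above, as an added example that is not part of the original thread or of Baey's article. It issues an HS256-style token as two halves (header.payload for the JavaScript-readable cookie, signature for the HttpOnly cookie) and only accepts a request when the explicit Authorization header and the signature cookie recombine into a valid token, so a cross-site request that carries only the browser-attached cookie is rejected. The secret, cookie names and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical server-side signing key; in practice load it from a secret store.
SECRET = b"example-signing-key"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def issue_token(claims: dict) -> Tuple[str, str]:
    """Return (payload_part, signature_part).

    payload_part ("header.payload") goes into a cookie JavaScript may read;
    signature_part goes into an HttpOnly cookie the script cannot read.
    """
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    signature = b64url(hmac.new(SECRET, signing_input, hashlib.sha256).digest())
    return f"{header}.{payload}", signature


def verify_request(authorization: Optional[str], signature_cookie: Optional[str]) -> Optional[dict]:
    """Reassemble the token from the Authorization header and the HttpOnly cookie.

    Returns the claims on success, None otherwise. A forged cross-site request
    only carries the cookie half, so it fails the first check.
    """
    if not authorization or not signature_cookie:
        return None
    scheme, _, payload_part = authorization.partition(" ")
    if scheme != "Bearer" or payload_part.count(".") != 1:
        return None
    # Recompute the signature over the header-supplied half and compare in constant time.
    expected = b64url(hmac.new(SECRET, payload_part.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, signature_cookie):
        return None
    payload = payload_part.split(".")[1]
    padded = payload + "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))
```

The JavaScript-readable half never authenticates anything on its own, which is what makes leaking it via XSS less damaging than leaking a complete token.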
