堆栈内存溢出
  简体   繁体   English

REST /无状态:CSRF攻击并记住已登录的用户

[英]REST/stateless: CSRF attacks and remembering logged in user

 原文  2015-11-28 20:59:42       angularjs/ web-services/ rest/ spring-mvc/ csrf

问题描述

I am using Spring-MVC and AngularJS to create my web application, but I suppose that this question can apply for any technology, since it is more of a conceptual question rather than a specific technology question. 我正在使用Spring-MVC和AngularJS创建我的Web应用程序,但是我想这个问题可以适用于任何技术,因为它更多是概念性问题,而不是特定的技术问题。

I am struggling with understanding a few things regarding CSRF attacks as well as authenticating users on my web application. 我正在努力了解有关CSRF攻击的一些知识,并在我的Web应用程序上对用户进行身份验证。 Hence, I have the following questions: 因此,我有以下问题:

  • For CSRF attacks, I read this website which stated the following: 对于CSRF攻击,我阅读了网站,其中指出:

Have the clients generate and send the same unique secret value in both a Cookie and a custom HTTP header. 让客户端在Cookie和自定义HTTP标头中生成并发送相同的唯一秘密值。 Considering a website is only allowed to read/write a Cookie for its own domain, only the real site can send the same value in both headers. 考虑到仅允许网站为其自己的域读取/写入Cookie,因此只有真实网站才能在两个标头中发送相同的值。 Using this approach all your server has to do is check if both values are equal, on a stateless per request basis! 使用这种方法,您的服务器要做的就是在每个请求无状态的基础上检查两个值是否相等!

Now, I don't understand what the purpose is of generating these secret values. 现在,我不明白生成这些秘密值的目的是什么。 I mean, what is the purpose of having these 2 secret values and compare them on the server? 我的意思是,拥有这两个秘密值并在服务器上进行比较的目的是什么? Can't an attacker just put 2 identical values inside a fake cookie and http header and still submits the form? 攻击者不能只是将2个相同的值放在伪造的cookie和http标头中,然后仍然提交表单吗?

  • From my understanding, REST is stateless, so the server does not keep track of any session on the server. 据我了解,REST是无状态的,因此服务器无法跟踪服务器上的任何会话。 In this case, I assume the user should again pass a secret value on every request to let the server now it is him? 在这种情况下,我假设用户应该在每个请求上再次传递一个秘密值,以使服务器现在是他? But what should the server do with this secret value? 但是服务器应该如何处理这个秘密值? Should it be kept inside the database? 是否应该将其保存在数据库中?

1 个解决方案

解决方案1
 1 已采纳  2015-11-28 22:11:10

Now, I don't understand what the purpose is of generating these secret values. 现在,我不明白生成这些秘密值的目的是什么。 I mean, what is the purpose of having these 2 secret values and compare them on the server? 我的意思是,拥有这两个秘密值并在服务器上进行比较的目的是什么? Can't an attacker just put 2 identical values inside a fake cookie and http header and still submits the form? 攻击者不能只是将2个相同的值放在伪造的cookie和http标头中,然后仍然提交表单吗?

You are right, an attacker could add a HTTP header, but he could only set a cookie for his own domain (origin). 没错,攻击者可以添加HTTP标头,但他只能为自己的域(来源)设置Cookie。 The browser will not send a cookie to another domain: 浏览器不会将cookie发送到另一个域:

Considering a website is only allowed to read/write a Cookie for its own domain, only the real site can send the same value in both headers. 考虑到仅允许网站为其自己的域读取/写入Cookie,因此只有真实网站才能在两个标头中发送相同的值。

The server will receive only the HTTP request header from an attacker, not the cookie. 服务器将仅接收来自攻击者的HTTP请求标头,而不接收Cookie。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Rest API 中的 CSRF 保护 - CSRF protection in a Rest API 如何保护单页WebAPI免受CSRF攻击? - How to protect Single Page WebAPI from CSRF attacks? AngularJs + Rest Backend CSRF安全性 - AngularJs + Rest Backend CSRF Security 无状态REST服务器上的Google API回调 - Google API Callback on Stateless REST server 在无状态RESTful API中识别未登录的用户 - Identifying non-logged in users in a stateless RESTful API AngularJs登录了用户权限 - AngularJs logged in user permissions $ stateParams用于登录的用户和所有用户 - $stateParams for logged user and all user AngularJS 是否默认保护用户输入的 XSS 攻击? - Is AngularJS protected to user's input XSS attacks by default? Ionic 1 - 如果用户未登录则显示登录页面,如果用户已登录则跳过 - Ionic 1 - Show login page if user not logged and skip if user is already logged Web Api 2-检查用户是否登录 - Web Api 2 - Check if User Is Logged In
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM