
Why validate the Content-Type header in a REST request

The OWASP website suggests validating the Content-Type header, but it does not specify the rationale for doing so. What is the reason that I should validate the Content-Type header, even though I am not reading or using it?

When POSTing or PUTting new data, the client will specify the Content-Type (eg application/xml or application/json) of the incoming data. The server should never assume the Content-Type; it should always check that the Content-Type header and the content are the same type. A lack of Content-Type header or an unexpected Content-Type header should result in the server rejecting the content with a 406 Not Acceptable response.

One example that comes to mind is a cross-site ajax request: it is easy to send a text/html request which will not generate a pre-flight request, but it is not possible with application/json. So if you have a service with a POST action that expects json and changes server state, it may be possible to exploit CSRF if text/html is accepted for the content type, but there is some basic protection if application/json is verified, because the browser will not send the request from a different domain if the response to the pre-flight does not explicitly allow a CORS post.

So some properties of cross-domain ajax requests depend on the content type. I think this may be the main reason.

Also, from a more theoretical standpoint, the format of the data is needed to parse it. I cannot think of an actual exploit, but at least in theory, trying to parse data in the wrong format may lead to wrong results, things parsed differently from what they were supposed to be. It's best to just validate that the client is actually sending what it claims, and what it should be.
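A server-side check of the kind the answer describes, as an added example that is not part of the original post: it parses the Content-Type header (including a charset parameter), refuses anything other than application/json with the 406 status used in the OWASP text quoted in the question, and then confirms that the body actually parses as JSON, so a request sent with a non-JSON type is rejected before any handler runs. The header and body values it is exercised with are constructed.

```python
import json

EXPECTED_MEDIA_TYPE = "application/json"


def parse_content_type(value):
    """Split a Content-Type value into (media_type, params).

    "application/json; charset=UTF-8" -> ("application/json", {"charset": "utf-8"})
    A missing or empty header yields (None, {}).
    """
    if not value or not value.strip():
        return None, {}
    parts = [p.strip() for p in value.split(";")]
    params = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            params[k.strip().lower()] = v.strip().strip('"').lower()
    return parts[0].lower(), params


def validate_request(headers, body):
    """Return (status, reason, parsed_body) for an incoming POST/PUT.

    headers: dict of header name -> value (name matching is case-insensitive)
    body:    raw request bytes
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    media_type, params = parse_content_type(lowered.get("content-type"))

    # Step 1: never assume the type; an absent or unexpected Content-Type is
    # refused. 406 follows the OWASP text quoted above; RFC 7231 also defines
    # 415 Unsupported Media Type for exactly this situation.
    if media_type != EXPECTED_MEDIA_TYPE:
        return 406, "Content-Type must be %s" % EXPECTED_MEDIA_TYPE, None

    charset = params.get("charset", "utf-8")
    if charset not in ("utf-8", "utf8"):
        return 406, "unsupported charset %r" % charset, None

    # Step 2: check that the body really is what the header claims.
    try:
        parsed = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "body is not valid JSON", None
    return 200, "ok", parsed
```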
