csrf…php表单安全性
[英]csrf … php form security
问题描述
I'm creating a site with a number of different access levels, from basic user thru to admin level (5 in total) 
我正在创建一个具有许多不同访问级别的网站,从基本用户到管理员级别(总共5个)
manager and admin levels will have the option to add new users at a level equal to or lower than they are, this is done via a drop down box on the createNewUser page, I've already restricted that to only show less than or equal to their own access level ... however ... what I'm trying to stop is this ... 管理员和管理员级别可以选择以等于或低于他们的级别添加新用户,这是通过createNewUser页面上的下拉框来完成的,我已经将其限制为仅显示小于或等于他们自己的访问级别...但是...我要停止的是...
user loads up the site, gets a copy of the form form the source (including the CSRF token) creates a simple HTML form on there desktop modifies the access level settings and they could in effect very easily create an admin level account ... 用户加载网站,获取源代码(包括CSRF令牌)的表单副本,在此桌面上创建简单的HTML表单,修改访问级别设置,实际上他们可以非常轻松地创建管理员级别的帐户...
is there a way to stop this using CSRF ... or should I just rely on the origin to stop it from coming from an 'off server' source 有没有一种方法可以使用CSRF来阻止它...还是我应该仅依靠来源来阻止它来自“离线服务器”源
I would also appreciate some tips on best practice when setting up the CSRF for this ... 我也很高兴在为此设置CSRF时获得一些最佳做法的提示...
there are also other forms on the site that have similar functions so I think this needs to be a per form solution 该网站上还有其他具有类似功能的表格,所以我认为这需要按表格解决
cheers ... ohh and keep it simple if possible :) 欢呼...哦,如果可能的话,保持简单:)
2 个解决方案
解决方案1
2 已采纳 2017-05-27 00:37:23
is there a way to stop this using CSRF ... or should I just rely on the origin to stop it from coming from an 'off server' source
No, neither approach would work. 不,两种方法都行不通。 A user could just as easily inject new values using the web inspector, or by copying a CSRF token from the real page. 用户可以使用Web检查器或从真实页面复制CSRF令牌来轻松注入新值。
CHECK YOUR INPUTS!! 检查您的输入! If a user tries to add a new user, look at their permissions before letting them proceed. 如果用户尝试添加新用户,请在允许他们继续操作之前查看其权限。 Don't depend on the input form to apply those restrictions. 不要依赖输入表单来应用这些限制。
Applying CSRF checks is still a good idea for other reasons (eg, to prevent a malicious web site from hijacking an admin's session), but it cannot protect you from an authorized user. 由于其他原因(例如,防止恶意网站劫持管理员的会话),应用CSRF检查仍然是一个好主意,但是它不能保护您免受授权用户的侵害。
解决方案2
0 2017-05-27 00:30:51
this is what I'm using, i hope it's good solution 这就是我正在使用的,我希望它是一个好的解决方案
on main page i start session and generate session token 在主页上,我开始会话并生成会话令牌
session_start();
if (empty($_SESSION['token'])) {
$_SESSION['token'] = bin2hex(random_bytes(32));
}
I'm using bin2hex but you can try other hash methods too. 我正在使用bin2hex但您也可以尝试其他哈希方法。
on login php page add this 在登录php页面上添加此
if (isset($_POST['Login']) && !empty($_POST['token'])) {
if (hash_equals($_SESSION['token'], $_POST['token'])) {
//execute script
}
}
check if session token started and if matches the html input value. 检查会话令牌是否已启动,以及是否与html输入值匹配。
add this hidden token input to your html form for $_POST['token'] 将这个隐藏的令牌输入添加到$_POST['token'] html表单中
<input type="hidden" name="token" value="<?php echo $_SESSION['token'];?>">
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.