CSRF-发送Ajax请求以获取令牌
[英]CSRF - sending ajax requests to get token
问题描述
I am developing CSRF protection for my website. 
我正在为我的网站开发CSRF保护。
I am saving token in hidden input in form + session, then i check if they're equal. 我将令牌保存在表单+会话的隐藏输入中,然后检查它们是否相等。
I am just wondering about this scenario : 我只是想知道这种情况:
- user visits malicious website 用户访问恶意网站
- malicious website sends ajax GET request to get page with form and extracts token from it 恶意网站发送ajax GET请求以获取带有表单的页面并从中提取令牌
- malicious website sends POST request to change data + token extracted earlier. 恶意网站发送POST请求以更改先前提取的数据+令牌。
Would that be possible in this scenario? 在这种情况下有可能吗? Am i missing something? 我想念什么吗?
1 个解决方案
解决方案1
0 2017-12-28 13:09:21
Each website must have an unique token to make it work and it is assigned server-side. 每个网站必须具有唯一的令牌才能使其正常运行,并且已在服务器端分配了该令牌。 Take a look a little example on how we made it: https://blog.myetv.tv/2017/09/18/writing-secure-code-how-myetv-do-crypt-auth-transfer-and-store-informations/ 看看我们如何做到的一个小例子: https : //blog.myetv.tv/2017/09/18/writing-secure-code-how-myetv-do-crypt-auth-transfer-and-store-信息/
You could have sessionID or/and another type of data in the token, for example the userip (if you want you can also encrypt them with AES to make it more unique and basically impossible to be cloned); 您可以在令牌中包含sessionID或/和其他类型的数据,例如userip(如果您希望,还可以使用AES对其进行加密,使其更具唯一性,并且基本上无法克隆); the encryption method is just additional and could be very intensive in terms of speed, you should value for how you use it (in the most cases the unique sessionid hashed with SHA is ok). 加密方法只是附加的,而且在速度方面可能非常密集,您应该对使用方式进行评估(在大多数情况下,使用SHA哈希的唯一sessionid可以)。
Hope it helps ;) 希望能帮助到你 ;)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.