
CSRF Forms - You can change the token?

Just wanted to ask a general question regarding PHP & HTML forms with CSRF tokens: you generate a random token, store it in the session variable in PHP, and output it as a hidden field in the HTML form.

But am I right in saying that, if we have in this case:

  • 1 person named Bob viewing the secureform.php page
  • The same person viewing the badform.php page

If Bob went to the badform.php page and a token was generated, and then he went to secureform.php, got the token from secureform.php, put that into badform.php via inspect element and submitted it, that right there is a way to bypass CSRF, correct?

Can I have some feedback on whether this would work and how to prevent things like this from happening? If it makes sense, fine; if not, let me know. Thanks!

Bob may well be doing something that you don't want, but it is not the thing that CSRF tokens are meant to protect against.

A Cross Site Request Forgery version of the same scenario would be someone else (call them Eve) tricking Bob into submitting badform.php. Since Eve controls the contents of the form, but Bob submits it with his session cookie or other authentication information, Eve can perform actions that only Bob is authorised to do.

However, if the form requires an extra CSRF token, Eve doesn't have access to this token, so when they trick Bob into submitting the form, it's rejected. The only way Eve can get the form to validate is to trick Bob into copying a valid token from secureform.php, which is much harder than tricking them into submitting the form.
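To make the distinction in the answer concrete, here is an added example (not code from the question or the answer) of a session-bound CSRF token in PHP, with a command-line simulation of both scenarios. The `$session` array stands in for `$_SESSION`, and the field name `csrf_token` and the forged form contents are assumptions for the demonstration.

```php
<?php
// Added example: minimal session-bound CSRF token plus a CLI simulation.
// $session replaces $_SESSION so this runs without a web server.
declare(strict_types=1);

// Generate (or reuse) the per-session token that secureform.php embeds
// as a hidden field: 32 random bytes rendered as 64 hex characters.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Validate the submitted token against the one stored in the session.
// hash_equals() compares in constant time, so timing does not reveal
// how much of a guessed token matched.
function csrf_validate(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Hidden field for the HTML form; escaped so it cannot break the markup.
function csrf_hidden_field(array &$session): string
{
    $t = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $t . '">';
}

// --- Simulation with constructed data ---
$bobSession = [];                                  // Bob's server-side session
echo "secureform.php renders: " . csrf_hidden_field($bobSession) . "\n";

// Scenario 1: Bob pastes his own token into badform.php and submits it.
// The token matches his own session, so the server accepts the request.
// Bob is acting on his own account; nobody else forged anything.
$ownSubmit = ['csrf_token' => csrf_token($bobSession)];
echo "Bob reusing his own token: ";
var_dump(csrf_validate($bobSession, $ownSubmit['csrf_token'] ?? null));

// Scenario 2: Eve's page makes Bob's browser submit a form she authored.
// Bob's cookie still selects his session, but Eve never saw the token,
// so the request arrives without one and is rejected.
$forgedSubmit = ['amount' => '100', 'to' => 'eve'];
echo "Eve's forged form submitted by Bob: ";
var_dump(csrf_validate($bobSession, $forgedSubmit['csrf_token'] ?? null));
```

In a real application the token should be issued on `secureform.php` after `session_start()`, regenerated with the session ID on login, and checked on every state-changing POST before the action runs.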
