
Vulnerable when user clicks on a malicious link

I am trying to understand a secure login authentication. The code to implement login functionality is in the following link. (In this scenario, a guid is used, but in a real life scenario a better mechanism can be employed.)

https://github.com/GrepSecurity/SessionFixationExample/blob/master/SessionFixationExample/SecureLoginFunc/SecureLogin.aspx.cs

Once the user has logged in, the welcome page has the code in the following link to check user authenticity. (This is the most common code I could find for verifying user authentication.)

https://github.com/GrepSecurity/SessionFixationExample/blob/master/SessionFixationExample/SecureLoginFunc/SecureLogout.aspx.cs

I was thinking of one scenario where this can fail. Consider the scenario:

  1. Victim has logged in.
  2. Victim will have 2 session variables created at server. Ex: Session["userLoggedin"] = "Victim", Session["AuthToken"] = "GUID"
  3. Victim will have a cookie created in his browser. Ex: Cookie["AuthToken"] = "GUID"
  4. Attacker sends a malicious link to the victim that does some changes to his state (sends friend request, deletes a user, logs the victim out....). Let's assume the link is as follows: www.somewebsite.com/Logout and this logs out the user.
  5. Victim clicks the link, gets authenticated because the cookie from the browser, i.e. "GUID", is sent to the server and is validated against the session variable.
  6. User gets logged out.

I understand that there is no serious effect with the possibilities mentioned above, but still, can this scenario be prevented? Or is this even a valid scenario? Am I missing something?

Here are my questions:

  1. Can this scenario be handled? (Considering this is a valid scenario.)
  2. Am I referring to a secure code?
  3. What is this vulnerability?
  4. How can I mitigate this?

In this example you mentioned this was another attack scenario (CSRF).

What CSRF basically means: an attacker performs an action on behalf of the victim. This action, or the origin request for this action, will come from another site.

To protect against CSRF you may need to follow OWASP's guideline: https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.md

But for your example, let's assume you want to protect the action called Order. There will be a token generated on your server. This token will then be rendered or sent to the client. A valid request would look like www.somewebsite.com/Order with POST parameters Order=Something & Token="RANDOM_TOKEN".

This token will afterwards be checked by the server before performing this operation.

The attacker nevertheless won't have access to this token if he is simply originating this request from another site/domain, since it was rendered on the client's page.

Is it possible for the attacker to get access to this token?

Yes, it may be possible if the application is vulnerable to XSS. Using JS, the attacker can send a malicious link to the victim with a JS command that will:

  • Fetch the rendered CSRF token.
  • Perform the action with the token.

Although the usual scenario for XSS is to steal the victim's cookies, in case the cookies were flagged with HTTPOnly a CSRF attack might be possible.
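Added example (not code from the question, the answer, or the linked GitHub project): the synchronizer-token check the answer describes, applied to the /Logout scenario from the question. It uses a constructed in-memory dictionary standing in for ASP.NET Session state; the function names, the "AuthToken" cookie name and the "Token" form field are assumptions chosen to mirror the values in the question and answer.

```python
import hmac
import secrets

# Constructed stand-in for server-side session state (ASP.NET Session in the question).
# Keyed by the value of the browser cookie Cookie["AuthToken"].
SESSIONS: dict[str, dict] = {}


def login(username: str) -> str:
    """Create a session plus a per-session CSRF token; return the cookie value."""
    cookie_value = secrets.token_urlsafe(32)
    SESSIONS[cookie_value] = {
        "userLoggedin": username,
        # The CSRF token lives in the session and is rendered into the page's
        # forms (hidden field); it is never sent as a cookie, so a cross-site
        # request cannot supply it automatically.
        "csrf_token": secrets.token_urlsafe(32),
    }
    return cookie_value


def render_form_token(cookie_value: str) -> str:
    """Value the server embeds in a hidden form field of this session's pages."""
    return SESSIONS[cookie_value]["csrf_token"]


def vulnerable_logout(method: str, cookies: dict) -> str:
    """Before: any request carrying the session cookie logs the user out.

    This is the question's scenario: a plain GET to /Logout reached via a
    link on another site succeeds because the browser attaches the cookie.
    """
    cookie_value = cookies.get("AuthToken")
    if cookie_value in SESSIONS:
        del SESSIONS[cookie_value]
        return "logged out"
    return "not logged in"


def protected_logout(method: str, cookies: dict, form: dict) -> str:
    """After: state change requires POST and a form token matching the session."""
    cookie_value = cookies.get("AuthToken")
    session = SESSIONS.get(cookie_value)
    if session is None:
        return "not logged in"
    if method != "POST":
        return "rejected: state-changing request must be POST"
    submitted = form.get("Token", "")
    # Constant-time comparison so the check leaks nothing about the token.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return "rejected: missing or invalid CSRF token"
    del SESSIONS[cookie_value]
    return "logged out"
```

A forged cross-site request is the GET (or a token-less POST) case: it carries the cookie but not the token, so protected_logout refuses it while vulnerable_logout goes through.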
