REST and CSRF (Cross-Site Request Forgery)

Is Cross-Site Request Forgery possible against a stateless RESTful service?

I'm not talking about pseudo-REST where the server remembers that you're logged in via a cookie. I'm talking about pure no-application-state-on-the-server REST with no cookies.

I'm using SSL and Basic Authentication. For every request, that Authorization header has to be there. There is no "session" in the JSP sense, although there is some sort of session at the SSL level.

So let's assume I'm viewing the legitimate web page that makes Ajax requests, and somehow I go to a different page in the same tab or a different tab, and that page makes the same Ajax request. (I'm assuming there is no malicious code on the legitimate web page; that's a different thing entirely and anything is possible in that case.)

When the second page makes the Ajax request, will the browser put on the same Authorization header? I.e., will the browser say "Oh, you want to go THERE again? Hey, I just happen to still have the key!"?

Also, couldn't the malicious script do the XHR request, then in the callback take the request from the ioargs, get the Authorization header and un-Base64 the name and password?

Disclaimer: I am not a security expert.

Using HTTP Basic Auth does not prevent CSRF attacks via GET requests. E.g., somebody else can include an img tag in their HTML page that does a GET on some well-known URI, and your browser will happily send along the basic auth info. If the GET operation is "safe" (which is the #1 rule for anything claiming to be RESTful), this will not create a problem (beyond wasted bandwidth).

Ajax is not a problem because of the same-origin policy.

Only including a server-generated token in the HTML you generate, and validating its presence in form submission requests, will protect you from somebody else simply including a "foreign" form in their pages. You might limit this to the content types generated by browsers; no need to do so for XHR requests.
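The token scheme this answer describes, worked through as an added example (not code from the question or from either answer): the server embeds an HMAC-based token in the HTML it generates and checks it only on submissions whose content type a plain HTML form can produce, skipping the check for XHR-style JSON bodies as the answer suggests. Because the service is stateless, the token is bound to the authenticated user plus an issue timestamp rather than to a server-side session; the secret, the one-hour lifetime, the endpoint path and the `accept_submission` API are all assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed per-deployment secret; a real service would load it from configuration
# rather than generating it at import time.
SERVER_SECRET = secrets.token_bytes(32)

# Token lifetime in seconds (assumption: an hour is enough to fill in a form).
TOKEN_TTL = 3600

# Content types an HTML <form> can submit on its own. XHR calls sending JSON fall
# outside this set, which is why the answer says the check is not needed for them.
BROWSER_FORM_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def _sign(user: str, issued_at: int) -> str:
    # HMAC over the user identity and issue time; no server-side state is kept.
    msg = f"{user}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(user: str, now: Optional[int] = None) -> str:
    """Stateless token of the form '<issued_at>.<hmac>' bound to the authenticated user."""
    issued_at = int(time.time()) if now is None else now
    return f"{issued_at}.{_sign(user, issued_at)}"


def render_form(user: str) -> str:
    """The token is embedded in the HTML the server generates. A foreign page cannot
    read it, because the same-origin policy stops that page reading this response."""
    return (
        '<form method="POST" action="/account/email">'
        f'<input type="hidden" name="csrf_token" value="{issue_token(user)}">'
        '<input name="email"><button>Save</button></form>'
    )


def token_is_valid(user: str, token: str, now: Optional[int] = None) -> bool:
    """Recompute the HMAC for this user and issue time; reject expired or malformed tokens."""
    now = int(time.time()) if now is None else now
    issued_str, _, mac = token.partition(".")
    if not issued_str.isdigit():
        return False
    issued_at = int(issued_str)
    if not 0 <= now - issued_at <= TOKEN_TTL:
        return False
    # Constant-time comparison so the check leaks nothing about the expected value.
    return hmac.compare_digest(mac, _sign(user, issued_at))


def accept_submission(user: str, content_type: str, fields: Dict[str, str],
                      now: Optional[int] = None) -> bool:
    """Gate a state-changing request. `user` is the identity from the Basic auth
    header the browser attached; `fields` is the already-parsed request body."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type not in BROWSER_FORM_TYPES:
        # Not something a browser form can produce by itself, so the token check is
        # skipped for these XHR-style requests, as the answer above proposes.
        return True
    return token_is_valid(user, fields.get("csrf_token", ""), now)
```

A foreign form submitting to the same URL carries the Basic credentials (the browser adds them) but not a valid `csrf_token`, so `accept_submission` rejects it; the legitimate page's form, rendered by `render_form`, carries one and is accepted.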

Whether or not CSRF protection is needed is based on two factors:

  1. Is the request doing a state changing action (not the same as REST API statelessness)? State changing actions are any action that will change the state of the application, for example delete something, add something, update something. These are actions using which the application will change the backend state of the user. All POST requests and a few GET requests will come under this category. REST APIs can have state changing actions.

  2. Is the authentication provided by the browser (not limited to cookies)? CSRF happens because authentication information is included in the request by the browser irrespective of whether the request was started by the user or by some other open tab. So any kind of authentication in which the browser can include information by itself needs CSRF protection. That includes both cookie based sessions and basic authentication.

For all requests that fall in the above two categories, CSRF protection is needed.

As answered by Stephan above, Ajax requests are protected because of the Same Origin Policy (SOP). SOP prevents another domain from reading the content sent by the target domain. So the malicious script can't read the authorization header. But SOP doesn't prevent another domain from sending requests to the target domain. So the malicious script can still make state changing requests to the target domain. The browser will include authentication information and cookies in this request, so the server needs to know whether this request originated from the malicious domain or the user. Because of this, CSRF protection is needed.
