

If I store a static session token in JS for use with AJAX, will it be secure against CSRF?

I've been reading about CSRF and XSS vulnerabilities for a few days now, and trying to come up with a solution that's 1) easy to implement and use, 2) uses Javascript to do a lot of heavy lifting, and 3) makes it virtually impossible to perform a CSRF attack against.

I haven't seen a solution like the one I'm about to describe. I'm hoping this doesn't mean that it's leaky.

I've come up with the following solution, based on my knowledge of AJAX and JS. This code assumes the user has passed through a login screen, and a session variable has been set on the server and in a cookie, with the same values.

It's easier to paste the code in and document it, rather than explain what it's doing. This code would be run in the page the user sees immediately after logging in:

<script>
// this is the constructor:
function Controller(){

  // the following 2 variables are private, and inaccessible via JS calls
  var secretToken;  // this holds the session token, but cannot be read by the browser

  // ajaxObject is the author's AJAX helper (not defined in this snippet);
  // this request returns the session token from the server
  var x = new ajaxObject('AJAX/retrieve_session_cookie.lasso');
  x.callback = function(responseText, responseStatus){
    secretToken = responseText;
  };

  // this is a private function, again inaccessible via JS calls
  function getCookie(){
    x.update();
  }

  // the following 2 functions are publicly accessible

  // just a test function to ensure that secretToken is invisible
  this.tell = function(){
    alert(secretToken);
  };

  // privileged function that calls a private function, to load the token into a private variable
  this.initialize = function(){
    getCookie();
  };
}

var E = new Controller();  // declared with var so E is not an implicit global
E.initialize();
</script>

The variable secretToken can't be read by the user, as it's a private member variable of the controller object.

In retrieve_session_cookie.lasso, I'm checking for a valid session, and matching the session variable with the browser's cookie. If both these conditions are met, the session variable is returned in plain text, where it's set as secretToken in the object E. By double-checking to see if the cookie matches the session token, I would hope that it would be impossible to obtain the session token via CSRF, as it can't forge a cookie. Typing in 'AJAX/retrieve_session_cookie.lasso' would return nothing, unless it was typed in by the user while in a valid session, and from the user's computer only.

Also, now that my controller has local access to the session token, I could 'burn in' the session token with every AJAX request, so I don't even have to think about it passing a token anymore, each time an AJAX file is requested. All the AJAX objects and requests would be initialized as private members in the controller object's constructor, so nobody could access / modify the callback functions to disclose the session token.

Passing the session token with every AJAX call would protect every other AJAX file, as they would all perform the same check for the cookie matching the session token before returning any data. And, in my programming, there would be one less variable to worry about.

If I were to move ahead with a controller implemented this way, would there be ANY way for the token to be accessed / exploited, either by the user or a malicious coder via CSRF?

First of all it is trivial for a user to obtain your token and for CSRF this doesn't matter at all. Anything you transfer to the user can be intercepted, anything being sent from javascript can be tampered with. Cookies are always easy to replay (Who cares about forging them? It's just a random number.), and this doesn't matter as long as you use HTTPS. To be honest I don't think that this security system addresses CSRF at all, in fact I'm not sure what you are trying to protect against. It doesn't matter where your .lasso files are or what they contain.

What matters is the GET and POST requests can be forged. The whole point of having a CSRF token is that a 3rd party can't create an exact GET/POST request without knowing something about the site (and a simple token written as a hidden value works because of Same-Origin Policy). Don't roll your own security system; pick a solution off of the Cross-Site Request Forgery Cheat Sheet.

