CSRF (Cross-site request forgery) attack example and prevention in PHP

Updated: 2024-10-23 18:34:55

I have a website where people can place a vote like this:

http://mysite.com/vote/25

This will place a vote on item 25. I want to only make this available for registered users, and only if they want to do this. Now I know when someone is busy on the website, and someone gives them a link like this:

http://mysite.com/vote/30

then the vote will be placed for him on the item without him wanting to do this.

I have read the explanation on the OWASP website, but I don't really understand it.

Is this an example of CSRF, and how can I prevent this? The best thing I can think of is adding something to the link like a hash. But this will be quite irritating to put something on the end of all the links. Is there no other way of doing this?

Another thing: can someone maybe give me some other example of this, because the website seems fairly vague to me.

Accepted answer

This could become an example of CSRF if:

- that link is fetched (via an <img> tag, for example): forgery
- from another site: cross-site

For example, if I could inject this <img> tag in the HTML source code of stackoverflow (and I can, as stackoverflow allows one to use <img> tags in his posts):

<img src="http://mysite.com/vote/30" />

You would just have voted for that item ;-)

The solution that is generally used is to place a token, that has a limited life-time, in the URL, and, when the URL is fetched, check that this token is still valid.

The basic idea would be:

When generating the page:
- generate a unique token
- store it in the user's session
- and place it in the links of the page -- which would look like this: http://mysite.com/vote/30?token=AZERTYUHQNWGST

When the voting page is called:
- check if the token is present in the URL
- check if it's present in the user's session
- if not => do not register the vote

The idea there is:

- Tokens don't have a long life-time, and are hard to guess
- Which means your attacker:
  - has only a window of a few minutes during which his injection will be valid
  - will have to be good at guessing ^^
  - will have to generate a different page for each user.

Also, note that the shorter the user's session remains active after he has left your site, the less risks there are that it's still valid when he visits the bad website.

But here, you have to choose between security and user-friendliness...

Another idea (that's not perfectly secure, but helps against guys who don't know how to force a POST request) would be to only accept POST requests when people are voting:

- The browser is sending GET requests for injected tags
- As this URL is modifying some data, anyway, it should not work with GET, but only with POST

But note that this is not perfectly safe: it's (probably?) possible to force/forge a POST request, with some bit of Javascript.
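As an added example (not code from the original answer or from any project), here is how the token scheme described in the answer could be implemented in PHP for the /vote/{id} endpoint from the question. It assumes PHP 7 or later with sessions enabled, a router that maps /vote/{id} to handle_vote(), and a hypothetical record_vote() helper that performs the actual database write; the function names csrf_issue_token, csrf_check_token, render_vote_form, the 300-second lifetime and the status codes are my choices, not the answer's.

```php
<?php
// Added example: session-bound, short-lived CSRF token for a vote endpoint.
// Assumptions: PHP >= 7.0 (random_bytes, hash_equals), sessions enabled,
// and a hypothetical record_vote() supplied by the application.

declare(strict_types=1);

const CSRF_TOKEN_TTL = 300;   // seconds a token stays valid (the "limited life-time")

session_start();

/**
 * Return the current page token, creating a fresh one if none exists or
 * the existing one has expired. The token lives only in the session.
 */
function csrf_issue_token(): string
{
    $stored = $_SESSION['csrf'] ?? null;
    if ($stored !== null && time() - $stored['issued'] <= CSRF_TOKEN_TTL) {
        return $stored['token'];               // reuse for all links on this page
    }
    $token = bin2hex(random_bytes(32));        // 256 random bits: hard to guess
    $_SESSION['csrf'] = ['token' => $token, 'issued' => time()];
    return $token;
}

/**
 * Validate a token sent back by the browser against the one in the session.
 * Returns true only if a token is present, unexpired and matches.
 */
function csrf_check_token($submitted): bool
{
    if (!is_string($submitted) || !isset($_SESSION['csrf'])) {
        return false;                          // missing in request or in session
    }
    $stored = $_SESSION['csrf'];
    if (time() - $stored['issued'] > CSRF_TOKEN_TTL) {
        unset($_SESSION['csrf']);
        return false;                          // expired: attacker's window has closed
    }
    // hash_equals is constant-time, so the comparison leaks nothing about the token
    return hash_equals($stored['token'], $submitted);
}

// Rendering: the token goes into a POST form rather than a GET link.
function render_vote_form(int $itemId): string
{
    $token = csrf_issue_token();
    return sprintf(
        '<form method="post" action="/vote/%d">'
        . '<input type="hidden" name="token" value="%s">'
        . '<button type="submit">Vote</button></form>',
        $itemId,
        htmlspecialchars($token, ENT_QUOTES, 'UTF-8')
    );
}

// Hypothetical application helper: writes the vote to the database.
function record_vote(int $userId, int $itemId): void
{
    // application-specific persistence goes here
}

// Handling /vote/{id}: returns the HTTP status the router should send.
function handle_vote(int $itemId): int
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return 405;                            // an injected <img> tag can only send GET
    }
    if (empty($_SESSION['user_id'])) {
        return 401;                            // registered users only
    }
    if (!csrf_check_token($_POST['token'] ?? null)) {
        return 403;                            // forged or stale request: do not register the vote
    }
    unset($_SESSION['csrf']);                  // single use: a replayed token fails
    record_vote((int) $_SESSION['user_id'], $itemId);
    return 200;
}
```

Putting the token in a POST form combines both ideas from the answer: an injected <img> tag can only issue a GET, which is rejected outright, and even a POST forged from another site fails because the attacker cannot read the per-session token. The token is compared with hash_equals and discarded after a successful vote, so it cannot be replayed; the SameSite cookie attribute supported by current browsers adds a further layer but does not replace the token check.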


This article was published on 2023-07-08 19:56:00.
Article link: https://www.elefans.com/category/jswz/34/1080223.html