CSRF token and XSS vulnerability

Updated: 2024-10-27 09:33:16

Let's say that we use a CSRF token in our forms, but it happens that there is an unnoticed XSS hole on our site.

From what I understand, CSRF token protection is completely void in this case, because an attacker can retrieve it with XMLHttpRequest through XSS.

In such a case, is there a way to enhance the CSRF protection in a way that it would survive the attack, or should our site first have secure anti-XSS protection before doing any kind of CSRF at all?

Would setting a new token upon every page request instead of a token on login deal with it? This brings up the problem of having more forms open at once, and I don't like it.

Accepted answer

Your site should have closed any XSS holes that you've found, otherwise CSRF is useless. However, it would be useful to add CSRF in parallel so that once all XSS bugs are fixed the site's CSRF protection is working too.

Unfortunately there is no way to protect against CSRF if there are XSS holes, because with an XSS hole an attacker can read your website and check for tokens (using JavaScript). So any way and anywhere you add a token, that token can be found and then screen-scraped.

However, if you make sure that there are no XSS bugs on your important pages and then add CSRF protection, there are still security holes, but the skill level needed to chain multiple bugs together is more difficult.
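The following is an added example, not code from the question or the answer above. It shows the two halves of the answer side by side in a minimal synchronizer-token implementation: the form renderer output-encodes user-controlled values so they cannot become an XSS hole, and the verifier checks the submitted token in constant time. It also implements the per-request rotation the asker proposed (the `rotate` flag), so you can see that rotation only changes how long a token lives, not the fact that it sits in the HTML document, which is what an XSS payload in the same page would be able to read. The in-memory `SESSIONS` store and the function names are assumptions made for this example.

```python
import hmac
import html
import secrets

# Constructed in-memory session store for the example: session id -> session data.
SESSIONS = {}


def new_session():
    """Create a session and bind a fresh CSRF token to it (synchronizer token pattern)."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """Return the token currently bound to the session."""
    return SESSIONS[sid]["csrf_token"]


def render_form(sid, action, prefill=""):
    """Render a form carrying the session's CSRF token as a hidden field.

    Every user-controlled value is HTML-escaped before it lands in the markup.
    This is the 'close the XSS holes first' half of the answer: if `prefill`
    were written raw, injected script would execute in a document that also
    contains the hidden token field, and could simply read it.
    """
    token = csrf_token_for(sid)
    return (
        f'<form method="post" action="{html.escape(action, quote=True)}">'
        f'<input type="hidden" name="csrf_token" value="{html.escape(token, quote=True)}">'
        f'<input name="comment" value="{html.escape(prefill, quote=True)}">'
        "</form>"
    )


def verify_csrf(sid, submitted_token, rotate=False):
    """Check the submitted token against the session's token.

    `rotate=True` implements the asker's idea of issuing a new token after
    every successful request. Note that this limits how long a leaked token
    stays valid but does not stop script already running in the page from
    reading the next token as well; it is not a substitute for fixing XSS.
    """
    expected = SESSIONS.get(sid, {}).get("csrf_token")
    if expected is None or submitted_token is None:
        return False
    # Constant-time comparison; encode so non-ASCII submissions are handled.
    ok = hmac.compare_digest(expected.encode("utf-8"), submitted_token.encode("utf-8"))
    if ok and rotate:
        SESSIONS[sid]["csrf_token"] = secrets.token_urlsafe(32)
    return ok


if __name__ == "__main__":
    sid = new_session()
    print(render_form(sid, "/comment", prefill='"><script>alert(1)</script>'))
    tok = csrf_token_for(sid)
    print("valid token accepted:", verify_csrf(sid, tok, rotate=True))
    print("old token after rotation:", verify_csrf(sid, tok))
```

The `rotate` path makes the asker's trade-off visible: once the token changes on every request, a second form opened earlier in the same session no longer carries the current token, which is the "more forms open at once" problem mentioned in the question.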

Published: 2023-07-09 00:17:00
Source: https://www.elefans.com/category/jswz/34/1082144.html