I've googled this for two days and I just can't find anything describing the following issue:
Let's say I have the following form on "www.example.com":
```html
<form action="formProcessor.htm" method="post">
  <input name="field1" value="abc" />
  <input name="field2" value="123" />
  <input name="field3" value="etc" type="hidden" />
  <input value="Submit" type="submit" />
</form>
```

My concern is: what if somebody creates a local file simulating this form, fills in all the values manually, and then submits it to "www.example.com/formProcessor"?
Question #1: Is there any way to prevent this?
Question #2: Is this considered so-called CSRF?
I know you can try to validate the REFERRER, but I also know that this can be easily forged (just look for the "modify header" FF add-on).
If this is a basic question, please bear with me; I'm fairly new to website security.
Mark
Accepted answer
Yes, that is Cross-site Request Forgery.
You can prevent it by creating a one-time key, and storing that in a hidden input element in your form something like this:
```php
<?php
session_start();
// Generate the one-time key and keep it in the visitor's session
$_SESSION['formkey'] = md5(rand() . time() . $_SERVER['REMOTE_ADDR']);
?>
...
<input type="hidden" name="formkey" value="<?php echo htmlspecialchars($_SESSION['formkey']); ?>" />
```

And upon submit, you check whether the submitted key matches the one you have stored in your session. If so, you process the form; otherwise, deny the request.
An attacker (or an innocent visitor arriving through an attacker's site) will not know the key, and thus will not be able to submit the form.
Only visitors from your site, where you regenerate and set the correct key on every form, will be able to submit.
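The full issue-and-verify cycle the answer describes, as an added example that is not the answer's own code: the token is generated with `random_bytes` rather than `md5(rand()...)`, compared with `hash_equals`, consumed on first use, and never depends on the Referer header the question worries about. Function names and the array standing in for `$_SESSION` are assumptions for this illustration.

```php
<?php
// Added example (not from the original answer). A plain array stands in for
// $_SESSION so the whole cycle runs from the command line without a web server.

function issueFormKey(array &$session): string {
    // Unpredictable 256-bit token; a copied form cannot guess this value.
    $session['formkey'] = bin2hex(random_bytes(32));
    return $session['formkey'];
}

function renderForm(array &$session): string {
    // The key is HTML-escaped before being placed into the hidden field.
    $key = htmlspecialchars(issueFormKey($session), ENT_QUOTES, 'UTF-8');
    return '<form action="formProcessor.htm" method="post">' . "\n"
         . '  <input name="field1" value="abc" />' . "\n"
         . '  <input name="field2" value="123" />' . "\n"
         . '  <input name="field3" value="etc" type="hidden" />' . "\n"
         . '  <input type="hidden" name="formkey" value="' . $key . '" />' . "\n"
         . '  <input value="Submit" type="submit" />' . "\n"
         . '</form>';
}

// Called by the form processor. Returns true only when the submitted key
// matches the one stored in this visitor's session. The stored key is
// removed either way, so the same token cannot be replayed.
function verifyFormKey(array &$session, array $post): bool {
    $expected = $session['formkey'] ?? null;
    unset($session['formkey']);
    $submitted = $post['formkey'] ?? '';
    if ($expected === null || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted); // constant-time comparison
}

// Constructed walk-through.
$session = [];
echo renderForm($session), "\n";

// Legitimate submission: the visitor's browser echoes back the hidden field.
$good = ['field1' => 'abc', 'field2' => '123', 'formkey' => $session['formkey']];
var_dump(verifyFormKey($session, $good));

// Forged submission from a copied form: the attacker's page has no access to
// the visitor's session key, so whatever it sends will not match.
issueFormKey($session);
$forged = ['field1' => 'abc', 'field2' => '123', 'formkey' => 'guess'];
var_dump(verifyFormKey($session, $forged));
```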