Regarding cross-site request forgery (CSRF) attacks, if cookies are the most used authentication method, why do web browsers allow sending cookies of some domain (and to that domain) from a page generated from another domain?
Isn't CSRF easily preventable in browser by disallowing such behavior?
As far as I know, this kind of security check isn't implemented in web browsers, but I don't understand why. Did I get something wrong?
About CSRF:
- On wikipedia
- On coding horror
Edit: I think that cookies should not be sent on http POST in the above case. That's the browser behavior that surprises me.
6 answers
#1
8
Why wouldn't the browser send cookies?
Site A (http://www.sitea.com) sets a cookie for the user.
User navigates to site B (http://www.siteb.com). Site B features integration with site A - click here to do something on site A! The user clicks "here".
As far as the browser can tell, the user is making a conscious decision to make a request to site A, so it handles it the same way it would handle any request to site A, and that includes sending site A cookies in the request to site A.
Edit: I think the main issue here is that you think there is a distinction between authentication cookies and other cookies. Cookies can be used to store anything - user preferences, your last high score, or a session token. The browser has no idea what each cookie is used for. I want my cookies to always be available to the site that set them, and I want the site to make sure that it takes the necessary precautions.
Or are you saying that if you search yahoo for "gmail", and then click on the link that takes you to http://mail.google.com, you shouldn't be logged in, even if you told gmail to keep you logged in, because you clicked on the link from another site?
#2
4
It isn't that a browser is sending the cookie to or from an outside domain, it's the fact that you're authenticated and the site isn't validating the source of the request, so it treats it as if the request came from the site.
As far as whether a browser should disallow that... what about the many situations where cross-site requests are desirable?
Edit: to be clear, your cookie is not sent across domains.
#3
2
I don't know that there's much the browser can do in that situation since the point of an XSRF attack is to direct the browser to another point in the application that would perform something bad. Unfortunately, the browser has no idea whether or not the request it's being directed to send is malicious or not. For example, given the classic example of XSRF:
<img src="http://domain.com/do_something_bad" />
it's not apparent to the browser that something bad is happening. After all, how is it to know the difference between that and this:
<img src="http://domain.com/show_picture_if_authenticated" />
#4
2
A lot of the old protocols have big security holes -- think back to the recently-discovered DNS vulnerabilities. Like basically any network security, it's the responsibility of the end-points; yeah, it sucks that we have to fix this ourselves, but it's a lot harder to fix at the browser level. There are some obvious ones (<img src="logoff.php"> looks damn fishy, right?), but there will always be edge cases. (Maybe it's a GD script in a PHP file after all.) What about AJAX queries? And so on...
#5
1
The cookies for a site are never sent to another site. In fact, to implement a successful CSRF attack, the attacker does not need to have access to these cookies.
Basically, an attacker tricks the user, who is already logged in to the target website, into clicking a link or loading an image that will do something on the target site with that user's credentials.
I.e., the user is performing the action, and the attacker has tricked the user into doing so.
#6
0
Some people have said they don't think there's a lot the browser can do.
See this:
http://people.mozilla.org/~bsterne/content-security-policy/origin-header-proposal.html
It's an overview of a proposal for a new HTTP header to help mitigate CSRF attacks.
The proposed header name is "Origin" and it's basically the "Referer" header minus the path, etc.
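The answers above agree on where the defence lives: the browser sends the site's cookies on every request to that site (answer #1), so the site itself must validate the source of a state-changing request (answer #2), and the proposed "Origin" header (answer #6) gives it something reliable to validate against. The following is an added example, not code from any of the answers, showing a minimal server-side CSRF gate that does both checks: it compares the Origin header (falling back to the origin part of Referer) against the site's own origin, and it requires a synchronizer token that a page on another domain cannot read. The site origin www.sitea.com, the secret key, the session id, the request dictionary shape and all sample requests are constructed for the example.

```python
import hmac
import hashlib
from urllib.parse import urlsplit

# Constructed values for the example: the site's own origin and a server-side secret.
SITE_ORIGIN = "https://www.sitea.com"
SECRET_KEY = b"constructed-example-secret-do-not-reuse"

# Methods that must never change state; a cross-site <img> or plain link can only issue these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port], i.e. what the Origin header carries
    (the Referer "minus the path", as answer #6 puts it). Returns None if the
    value is not an absolute URL."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def make_csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(secret, session id).
    The site embeds it in its own forms; a page on another domain cannot read
    it, so a forged request cannot carry a valid one."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def source_allowed(headers):
    """The source check answer #2 says the site must do: prefer Origin, fall back
    to the origin part of Referer, and refuse when neither names our own site."""
    origin = headers.get("Origin")
    if origin is None and headers.get("Referer"):
        origin = origin_of(headers["Referer"])
    return origin == SITE_ORIGIN


def request_allowed(request):
    """Decide whether a request may perform its action.

    request is a constructed dict: {"method", "headers", "cookies", "form"}.
    The session cookie arrives on every request to the site (the browser cannot
    tell an auth cookie from any other, as answer #1 notes), so the cookie alone
    says nothing about where the request was issued from."""
    if request["method"] in SAFE_METHODS:
        return True                     # reads are fine; they must not change state
    if not source_allowed(request["headers"]):
        return False                    # issued from another site, or source unknown
    session_id = request["cookies"].get("session")
    if session_id is None:
        return False                    # not logged in, nothing to forge
    expected = make_csrf_token(session_id).encode()
    supplied = request["form"].get("csrf_token", "").encode()
    return hmac.compare_digest(expected, supplied)  # constant-time comparison


# Constructed sample traffic, all carrying the same logged-in session cookie.
SESSION_ID = "session-constructed-0001"


def sample_requests():
    token = make_csrf_token(SESSION_ID)
    cookies = {"session": SESSION_ID}
    return {
        # The site's own settings form submitted by the user: Origin and token both present.
        "own_form": {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                     "cookies": cookies, "form": {"csrf_token": token, "email": "user@sitea.example"}},
        # Same form from an older client that sends Referer but no Origin.
        "referer_only": {"method": "POST", "headers": {"Referer": SITE_ORIGIN + "/settings?tab=1"},
                         "cookies": cookies, "form": {"csrf_token": token}},
        # A form auto-submitted from www.siteb.com: the cookie rides along, the Origin gives it away.
        "cross_site_post": {"method": "POST", "headers": {"Origin": "https://www.siteb.com"},
                            "cookies": cookies, "form": {"email": "other@siteb.example"}},
        # Correct Origin but no token (a form built without one) still fails.
        "no_token": {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
                     "cookies": cookies, "form": {}},
        # The <img src="..."> case from answer #3: a GET with the cookie attached, Referer from site B.
        "img_get": {"method": "GET", "headers": {"Referer": "http://www.siteb.com/page.html"},
                    "cookies": cookies, "form": {}},
    }


def decisions():
    """Run the gate over the sample traffic; returns {name: allowed?}."""
    return {name: request_allowed(req) for name, req in sample_requests().items()}


if __name__ == "__main__":
    for name, allowed in decisions().items():
        print(f"{name:16s} -> {'allowed' if allowed else 'rejected'}")
```

Note what the "img_get" case shows: the gate lets it through because it is a GET, which is exactly why answer #3's `<img>` example works against a site that changes state on GET. The token check and the Origin check only protect POST and the other non-safe methods, so the first defence for the image case is that `do_something_bad` must not be reachable by GET at all. Binding the token to the session with an HMAC keeps the example stateless; a per-session random token stored on the server and compared with `hmac.compare_digest` is the more common form of the same defence.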