Do I need to use csrf tokens in my ajax requests?
我需要在我的ajax请求中使用csrf标记吗?
I think that someone tricking my users to execute malicious ajax requests from another site, to my site, will fail because of the origin policy, which is handled by the browser, am I right?
我认为有人欺骗我的用户从另一个站点到我的站点执行恶意ajax请求会因为原始策略而失败,这是由浏览器处理的,我是对的吗?
I don't care about duplicated requests when using ajax, I'm only asking about the attacks. Am I at risk if I don't use csrf in my ajax requests?
我不关心使用ajax时的重复请求,我只是询问攻击。如果我在我的ajax请求中不使用csrf,我是否有风险?
3 个解决方案
#1
1
As per my research, We can reduce the vulnerability by using POST request(for the request which will take side affect). But thing is that we can forge the POST request as well with form submission, cause same origin policy will not applies plain html for submissions. But it applies to request which are getting generated with JS.
根据我的研究,我们可以通过使用POST请求来减少漏洞(对于会产生副作用的请求)。但事情是我们可以伪造POST请求以及表单提交,因为相同的原始策略将不会应用简单的html提交。但它适用于使用JS生成的请求。
So if you use ajax POST request and you are safe if you are using JSON payload. Cause url encoded payload(POST request) can be forged with form submission from other sites. If you use JSON, as it is not possible to send plain text pay load(with out urlform encoded) with html form submission you are safe. Because with ajax POST request if you use urlform encoded data payload it can be forged with POST form submission.
因此,如果您使用ajax POST请求,并且如果您使用JSON有效负载则是安全的。导致url编码的有效负载(POST请求)可以使用来自其他站点的表单提交来伪造。如果您使用JSON,因为无法使用html表单提交发送纯文本付费加载(使用out urlform编码),您将是安全的。因为如果使用urlform编码数据有效负载,使用ajax POST请求,可以使用POST表单提交伪造。
#2
0
This is how we solved the problem with CSRF token in Ajax requests http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html
这就是我们在Ajax请求中解决CSRF令牌问题的方法http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html
#3
0
The fact that you are using Ajax doesn't mean that others have to as well. Your server won't be able to distinguish a request made by XHR from one made by <form> submission. (Yes XHR usually adds a header identifying itself, but this is not hard to spoof.)
您使用Ajax的事实并不意味着其他人也必须这样做。您的服务器将无法区分XHR发出的请求与
So yes, you do need to consider CSRF attacks.
所以,是的,您需要考虑CSRF攻击。
Edit
Django have a POC, which is why they and Ruby on Rails now implement CSRF protection on AJAX requests.
Django有一个POC,这就是他们和Ruby on Rails现在在AJAX请求上实现CSRF保护的原因。
Once again, please check your facts before downvoting, and explain what the downvote is for.
再一次,请在downvoting之前检查你的事实,并解释downvote的用途。
#1
1
As per my research, We can reduce the vulnerability by using POST request(for the request which will take side affect). But thing is that we can forge the POST request as well with form submission, cause same origin policy will not applies plain html for submissions. But it applies to request which are getting generated with JS.
根据我的研究,我们可以通过使用POST请求来减少漏洞(对于会产生副作用的请求)。但事情是我们可以伪造POST请求以及表单提交,因为相同的原始策略将不会应用简单的html提交。但它适用于使用JS生成的请求。
So if you use ajax POST request and you are safe if you are using JSON payload. Cause url encoded payload(POST request) can be forged with form submission from other sites. If you use JSON, as it is not possible to send plain text pay load(with out urlform encoded) with html form submission you are safe. Because with ajax POST request if you use urlform encoded data payload it can be forged with POST form submission.
因此,如果您使用ajax POST请求,并且如果您使用JSON有效负载则是安全的。导致url编码的有效负载(POST请求)可以使用来自其他站点的表单提交来伪造。如果您使用JSON,因为无法使用html表单提交发送纯文本付费加载(使用out urlform编码),您将是安全的。因为如果使用urlform编码数据有效负载,使用ajax POST请求,可以使用POST表单提交伪造。
#2
0
This is how we solved the problem with CSRF token in Ajax requests http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html
这就是我们在Ajax请求中解决CSRF令牌问题的方法http://mylifewithjava.blogspot.com/2010/11/implicit-csrf-protection-of-ajax_22.html
#3
0
The fact that you are using Ajax doesn't mean that others have to as well. Your server won't be able to distinguish a request made by XHR from one made by <form> submission. (Yes XHR usually adds a header identifying itself, but this is not hard to spoof.)
您使用Ajax的事实并不意味着其他人也必须这样做。您的服务器将无法区分XHR发出的请求与
So yes, you do need to consider CSRF attacks.
所以,是的,您需要考虑CSRF攻击。
Edit
Django have a POC, which is why they and Ruby on Rails now implement CSRF protection on AJAX requests.
Django有一个POC,这就是他们和Ruby on Rails现在在AJAX请求上实现CSRF保护的原因。
Once again, please check your facts before downvoting, and explain what the downvote is for.
再一次,请在downvoting之前检查你的事实,并解释downvote的用途。