- CSRF exploits the fact that the server trusts the user's session and does not verify the real origin of the request.
- Effective mitigations: synchronizer tokens, no state changes over GET, and Origin/Referer validation.
- ASP.NET Core has native support: IAntiforgery, validation filters, and custom headers.
- SameSite cookies, a WAF and good user habits reduce the risk considerably.
If you work in web development or security, you will want a clear picture of what cross-site request forgery is. CSRF (Cross-Site Request Forgery) is a stealthy class of attack that uses a user's already-established session to make their browser perform actions without their consent.
This scenario is not new, but it remains relevant because browsers automatically attach credentials such as cookies or authentication headers to certain requests. The server "trusts" the user and processes the request, even if it was initiated by a malicious page, an iframe, or a hidden link.
What is CSRF and why does it still cause problems?
In short, CSRF is when site A induces an authenticated user's browser to send a request to site B, where that user is logged in, so that B processes the operation as legitimate. The key is the site's trust in the user, not the user's trust in the site.
Unlike XSS, which abuses the user's trust in a page to inject and execute code within that page's context, CSRF abuses the fact that the server accepts any request that arrives with valid credentials (e.g., session cookies). The two flaws can combine and make the impact much worse.
A little history and the forensic difficulty
Vulnerabilities of this type have been known since the late 1990s, and the name CSRF/XSRF was coined by Peter Watkins in 2001. The attack trail usually points to the user's own legitimate IP address, which makes attribution difficult and requires specialized forensic analysis.
For years there were few well-documented public exploits, but the problem has resurfaced again and again, including in several editions of the OWASP Top 10, because of its impact and prevalence.
How the attack works (conditions and flow)
Several conditions must hold for CSRF to succeed: the user is logged in to the target application; the browser automatically attaches cookies, Basic/Digest credentials, or another authentication context to requests; and the application accepts state changes without an additional verification mechanism.
The attacker persuades the victim, through social engineering (email, chat, or an attractive website), to load a page that triggers a malicious request to the vulnerable site. The user does not need to do anything beyond visiting the page: a self-submitting form, an embedded image, or an iframe is enough to fire the request.
Common vectors: GET, POST and "stored"
Unfortunately, some applications change state via GET. In that case a simple image tag on a third-party page is enough: the action is performed as soon as the image loads. Hence the basic principle: a GET request must never modify resources.
With POST, the usual vector is a hidden HTML form that submits itself via JavaScript, or that the user submits believing it does something else. The browser attaches the session cookie for the legitimate domain and the server processes the change (transfer money, delete a record, change the email address, etc.).
Sometimes the attack code can be planted inside the victim's own domain (thanks to additional flaws), hosted in IMG tags or iframes. This "stored CSRF" raises fewer suspicions because the interaction appears to stay inside the trusted domain, and it also sidesteps SameSite cookie restrictions, since the forged request is same-site.
Real impact on accounts and systems
The consequences range from unauthorized financial transactions to configuration changes, reassignment of permissions, or data deletion. If the victim holds an administrator role, the attacker can alter the application's logic or enable backdoors that affect many users.
Even seemingly minor actions, such as changing the profile email address, can block account recovery or set up later fraud. The core problem is that everything happens "in the user's name", and often without the user noticing.
Concrete (and very common) examples
Consider an admin panel that lets you delete a user with a GET request to a URL such as /users/delete/63. If an authenticated administrator visits a third-party page that embeds an image whose source points to that URL, the browser will make the request and the account will disappear.
Another classic: online banking. If a transfer can be triggered via GET, for example /transfer?amount=500&account=XXXX, an innocent-looking link is all it takes for a logged-in user to initiate a transfer to the attacker's account.
With POST the pattern is the same: a hidden form with "amount" and "account" fields is submitted automatically when the page loads. The browser attaches the bank's session cookie for the legitimate domain and the server processes the transfer.
Browser and protocol characteristics
Using HTTPS does not prevent the attack by itself: a malicious site can just as easily direct the browser to make a request over TLS. Basic and Digest authentication are exposed too: once the user has authenticated, the browser forwards the credentials automatically until the session ends.
SameSite cookie policies help, but there are nuances. With SameSite=Strict the browser does not send the cookie in cross-site contexts, which cuts off a large part of CSRF at the root. With SameSite=Lax (what Chrome applies when no attribute is set) the cookie is still sent on top-level GET navigations, so state-changing GET endpoints remain exploitable. With SameSite=None (plus Secure), the cookie travels between sites and the attack surface grows again.
Good habits for users
Although the problem fundamentally lies in the application, there are habits that reduce the risk. Logging out when you are done, clearing cookies periodically, and avoiding the "keep me logged in" option shrink the window of exposure.
Separating tasks also helps: use one browser for sensitive tasks and another for general browsing, or use a private window to avoid persistent authentication. Script-blocking extensions limit automated submissions (although they are not a complete solution, since an image tag needs no script at all).
Measures to protect the application
The first golden rule: never change state via GET. Reserving POST/PUT/PATCH/DELETE for operations that modify resources removes trivial vectors such as images or hidden links.
The most widespread CSRF mitigation is the synchronizer token pattern: the server issues a unique, random token bound to the user's identity or session, and the client sends it back in every subsequent state-changing request. If the token does not match what the server expects for that identity and cookie, the request is rejected.
Another useful layer is origin validation: checking the Origin and Referer headers when present. If the request does not come from the expected origin, processing is blocked. Caveat: some clients strip the Referer for privacy reasons (and Origin can be absent or the literal "null" in some cases), so this check must be applied carefully and never as the only defense.
WAFs help as well. Enterprise products such as F5 BIG-IP ASM, or the protection services bundled with hosting platforms, add rules to detect and stop suspicious patterns before they reach your application.
Limitations and common mistakes with tokens
Tokens only protect when they are used correctly. If the application skips validation whenever the token is absent, the attacker merely has to send a request with no token, or with an empty one. Using a shared pool of reusable tokens instead of a token per user is just as dangerous: it is enough to obtain one valid token to forge requests against other people's sessions.
Storing the token in a JavaScript-readable cookie is also a bad idea if there are no other checks: an XSS flaw could read it and reuse it. Robustness comes from combining the session cookie with a token delivered separately, in a form field or a header, and validating both together.
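The following is an added example, not code from the original article, covering the synchronizer token pattern, the Origin/Referer check, and the two token mistakes just described (empty-token bypass and tokens not bound to a session). It is framework-independent C#; the class name CsrfGuard, the token layout (nonce plus HMAC over the session id) and the sample session ids are invented for illustration.

```csharp
// Added example, not code from the original article: a framework-independent
// synchronizer token plus Origin/Referer check in plain C#. The class name
// CsrfGuard, the token layout and the sample session ids are invented here.
using System;
using System.Security.Cryptography;
using System.Text;

public static class CsrfGuard
{
    private const int NonceLength = 16;
    private const int MacLength = 32; // HMAC-SHA256 output

    // Server-side key generated at startup. Assumption: single process; a
    // multi-instance deployment would load a shared key from a key store.
    private static readonly byte[] ServerKey = RandomNumberGenerator.GetBytes(32);

    // Issue a token bound to one session: nonce || HMAC(key, sessionId || 0 || nonce).
    // The nonce makes every token unique; the HMAC binds it to this session, so a
    // token obtained from another account is useless (the "reusable pool" mistake).
    public static string IssueToken(string sessionId)
    {
        byte[] nonce = RandomNumberGenerator.GetBytes(NonceLength);
        byte[] mac = ComputeMac(sessionId, nonce);
        byte[] token = new byte[NonceLength + MacLength];
        nonce.CopyTo(token, 0);
        mac.CopyTo(token, NonceLength);
        return Convert.ToBase64String(token);
    }

    // Validate the token echoed back in a form field or header. A missing,
    // empty or malformed token is a failure, never a bypass.
    public static bool ValidateToken(string sessionId, string? presented)
    {
        if (string.IsNullOrEmpty(presented)) return false;
        byte[] token;
        try { token = Convert.FromBase64String(presented); }
        catch (FormatException) { return false; }
        if (token.Length != NonceLength + MacLength) return false;

        byte[] nonce = token[..NonceLength];
        byte[] expected = ComputeMac(sessionId, nonce);
        // Constant-time comparison: never compare MACs with == or SequenceEqual.
        return CryptographicOperations.FixedTimeEquals(token[NonceLength..], expected);
    }

    private static byte[] ComputeMac(string sessionId, byte[] nonce)
    {
        byte[] sid = Encoding.UTF8.GetBytes(sessionId);
        byte[] input = new byte[sid.Length + 1 + nonce.Length];
        sid.CopyTo(input, 0);
        input[sid.Length] = 0; // separator between the two fields
        nonce.CopyTo(input, sid.Length + 1);
        using var hmac = new HMACSHA256(ServerKey);
        return hmac.ComputeHash(input);
    }

    // Origin check for state-changing requests: prefer Origin, fall back to
    // Referer, and fail closed when neither is present or parseable (the
    // literal "null" Origin does not parse as an absolute URI, so it is rejected).
    public static bool OriginAllowed(string? origin, string? referer, string expectedOrigin)
    {
        string? source = !string.IsNullOrEmpty(origin) ? origin : referer;
        if (string.IsNullOrEmpty(source)) return false;
        if (!Uri.TryCreate(source, UriKind.Absolute, out Uri? actual)) return false;
        var expected = new Uri(expectedOrigin);
        // Compare scheme, host and port only; the Referer path is irrelevant.
        return actual.Scheme == expected.Scheme
            && string.Equals(actual.Host, expected.Host, StringComparison.OrdinalIgnoreCase)
            && actual.Port == expected.Port;
    }

    public static void Main()
    {
        const string site = "https://bank.example";
        string token = IssueToken("sess-4f2a"); // constructed sample session id

        Console.WriteLine(ValidateToken("sess-4f2a", token));   // same session that was issued the token
        Console.WriteLine(ValidateToken("sess-9c01", token));   // token bound to a different session
        Console.WriteLine(ValidateToken("sess-4f2a", ""));      // empty token must not bypass validation
        Console.WriteLine(OriginAllowed(site, null, site));                            // matching Origin
        Console.WriteLine(OriginAllowed(null, site + "/transfer", site));              // Referer fallback
        Console.WriteLine(OriginAllowed("https://evil.example", site + "/x", site));   // Origin takes precedence over Referer
        Console.WriteLine(OriginAllowed(null, null, site));                            // neither header: fail closed
    }
}
```

Note the design choices: the token is rejected when absent rather than skipped, the MAC comparison is constant-time, and the origin check compares scheme, host and port rather than doing a string prefix match (which "https://bank.example.evil.example" would defeat).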
Relationship with SPAs, tokens and XSS
In applications with token-based authentication (e.g., JWT), send the token in the Authorization header as a Bearer token and not in a cookie. This reduces the CSRF risk because the browser does not attach it automatically. However, if the site has an XSS flaw, the attacker can steal it from the browser's local storage.
Therefore, beyond CSRF, you must protect the server's output: escape HTML on render and apply a CSP. CSRF and XSS reinforce each other if you leave gaps on both sides.
CSRF in ASP.NET Core: the essentials for developers
ASP.NET Core includes built-in mitigations. Forms with method="post" in Razor views automatically include antiforgery tokens (the form TagHelper and helpers such as BeginForm insert them by default). You can also inject them explicitly and validate them on the server with filters.
Validation is enabled with attributes such as ValidateAntiForgeryToken or, more conveniently, AutoValidateAntiforgeryToken, which requires the token on unsafe methods (POST/PUT/PATCH/DELETE) and does not require it for GET/HEAD/OPTIONS/TRACE. If you need an exception, IgnoreAntiforgeryToken overrides the requirement for specific actions.
For APIs and SPAs, the IAntiforgery service lets you generate and store tokens and receive them through a custom header (for example, X-XSRF-TOKEN). Frameworks such as Angular typically read the "XSRF-TOKEN" cookie and send its value in that header, which the server must validate.
Minimal APIs can validate the token explicitly (from middleware or endpoint filters), and the antiforgery middleware should be registered after authentication and authorization: the token is bound to the authenticated identity, and a request that is going to be rejected anyway should not have its body read needlessly.
Fine-tuning: AntiforgeryOptions lets you customize the hidden field name, the expected header name, and whether the X-Frame-Options header is emitted (SAMEORIGIN by default). During development the cookie's Secure flag is sometimes relaxed; in real environments, enforce HTTPS.
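The following Program.cs is an added example, not code from the original article or from the ASP.NET Core project, that wires together the pieces described in this section: a SameSite/HttpOnly session cookie, AntiforgeryOptions with a custom header and field name, AutoValidateAntiforgeryToken as a global MVC filter, the antiforgery middleware placed after authentication and authorization, an endpoint that issues the XSRF-TOKEN cookie for an SPA, and a minimal API that validates the token explicitly. It assumes .NET 8 (where UseAntiforgery exists); the cookie name, the /transfer endpoint and the TransferRequest type are invented for illustration.

```csharp
// Added example, not from the original article or the ASP.NET Core project.
// Assumes .NET 8. Cookie names, "/transfer" and TransferRequest are invented.
using Microsoft.AspNetCore.Antiforgery;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Session cookie: HttpOnly, Secure, SameSite=Lax. Lax blocks cross-site POSTs
// but still sends the cookie on top-level GET navigations, which is exactly
// why GET must never change state.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Lax;
    });
builder.Services.AddAuthorization();

// Antiforgery: custom header for SPAs, explicit form field name, Secure cookie,
// and keep the X-Frame-Options: SAMEORIGIN header the framework emits.
builder.Services.AddAntiforgery(options =>
{
    options.HeaderName = "X-XSRF-TOKEN";
    options.FormFieldName = "__RequestVerificationToken";
    options.Cookie.Name = ".MyApp.Antiforgery";
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.SuppressXFrameOptionsHeader = false;
});

// MVC: validate the token on every unsafe method; GET/HEAD/OPTIONS/TRACE are exempt.
builder.Services.AddControllersWithViews(options =>
    options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));

var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.UseAntiforgery(); // after authentication/authorization: the token is bound to the identity

// SPA bootstrap: issue a request token in a JS-readable cookie (Angular reads
// XSRF-TOKEN and echoes it in X-XSRF-TOKEN). The validation cookie written by
// GetAndStoreTokens stays HttpOnly; both halves must match for the request to pass.
app.MapGet("/antiforgery/token", (IAntiforgery antiforgery, HttpContext ctx) =>
{
    var tokens = antiforgery.GetAndStoreTokens(ctx);
    ctx.Response.Cookies.Append("XSRF-TOKEN", tokens.RequestToken!, new CookieOptions
    {
        HttpOnly = false,
        Secure = true,
        SameSite = SameSiteMode.Strict,
    });
    return Results.NoContent();
}).RequireAuthorization();

// Minimal API taking JSON: authorize first, then validate the token explicitly
// (JSON bodies are not validated automatically by the middleware).
app.MapPost("/transfer", async (TransferRequest req, IAntiforgery antiforgery, HttpContext ctx) =>
{
    if (!await antiforgery.IsRequestValidAsync(ctx))
        return Results.BadRequest("missing or invalid antiforgery token");
    // ... perform the transfer on behalf of ctx.User ...
    return Results.Ok(new { req.Amount, req.Account });
}).RequireAuthorization();

app.MapControllers();
app.Run();

record TransferRequest(decimal Amount, string Account);
```

The order of the checks on /transfer mirrors the advice later on this page: authorization runs before the token check, and a failed token check returns 400 without touching any state.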
Keep in mind that with a synchronizer token that is rotated on every request, opening several tabs and navigating different flows can invalidate earlier tokens: only the most recently loaded page holds a valid one. ASP.NET Core's default tokens are not single-use (they remain valid as long as the antiforgery cookie does), so this mainly affects custom per-request implementations; weigh that trade-off if your UX depends on many simultaneous tabs.
Another area to watch is shared hosting under the same domain or sibling subdomains. Cookies scoped to *.domain.com can let one application interfere with another's cookies, so separating applications onto different domains improves isolation.
Finally, Windows authentication (NTLM/Kerberos) does not exempt you: the browser sends the authentication context automatically and, without tokens or origin checks, CSRF remains possible.
CDNs, cross-site loading, and why you need to be careful
It is common for a site to load content from third parties (YouTube videos, CDN libraries, etc.). If that exchange is not well controlled, an attacker can use cross-site techniques to force requests that the browser will complete with the attached credentials.
In addition to strict cookie policies, review the use of iframes and embedded objects, and use SRI when loading from CDNs. Restrict accepted origins with a well-defined CSP and CORS.
Additional good practices for teams
Set up security reviews for form changes and state-changing endpoints. Add automated tests that verify the token is present and correctly validated, and mark as "blocking" any regression that reintroduces a GET with side effects.
Use logging to detect unusual patterns (e.g., form submissions without a token, or unexpected Origin headers) and back it with a WAF that reduces noise and blocks known exploitation patterns.
Important reminder: what anti-CSRF alone does not solve
An antiforgery token does not fix script injection, nor does it replace authorization controls. First, verify that the user is allowed to perform the action; then validate the token and, if appropriate, check Origin/Referer. Defense in depth comes first.
And don't forget to explain the "why" to the product team: avoiding state-changing GET requests or requiring an extra token on certain operations is not a technical whim; it is a direct business safeguard against fraud and abuse.
What makes CSRF dangerous is its subtlety: the requests come from the victim's browser, use the victim's credentials and look legitimate. Combining correctly implemented tokens, origin validation, suitable cookie policies, responsible REST design and, where appropriate, WAF protection drastically reduces the attack window without sacrificing the user experience.