Is an X-Requested-With header server check sufficient to protect against a CSRF for an ajax-driven application?

前端 未结 6 2135
庸人自扰
庸人自扰 2020-12-05 04:44

I\'m working on a completely ajax-driven application where all requests pass through what basically amounts to a main controller which, at its bare bones, looks something li

相关标签:
6条回答
  • 2020-12-05 05:11

    Short answer : no. Any attacker would just use Ajax himself to attack your website. You should generate a random token with a short but not too much lifetime which you would update during each ajax request.

    You'd have to use an array of tokens in javascript as you may have multiple ajax request running at the same time.

    0 讨论(0)
  • 2020-12-05 05:11

    What you are doing is secure because xmlhttprequest is usually not vulnerable to cross-site request forgery.

    As this is a client side problem, the safest way would be to check the security architecture of each browser :-)

    (This is a summary; I am adding this answer because this question is very confusing, let's see what the votes say)

    0 讨论(0)
  • 2020-12-05 05:12

    I do not believe that this is safe. The same origin policies are designed to prevent the documents from different domains from accessing the content that is returned from a different domain. This is why XSRF problems exist in the first place. In general XSRF doesn't care about the response. It is used to execute a specific type of request, like a delete action. In the simplest form, this can be done with a properly formatted img tag. Your proposed solution would prevent this simplest form, but doesn't protect someone from using the XMLHttp object to make the request. You need to use the standard prevention techniques for XSRF. I like to generate a random number in javascript and add it to the cookie and a form variable. This makes sure that the code can also write cookies for that domain. If you want more information please see this entry.

    Also, to pre-empt the comments about XMLHttp not working in script. I used the following code with firefox 3.5 to make a request to google from html running in the localhost domain. The content will not be returned, but using firebug, you can see that the request is made.

    <script>
    var xmlhttp = false; 
    
    if (!xmlhttp && typeof XMLHttpRequest != 'undefined') {
        try {
            xmlhttp = new XMLHttpRequest();
        } catch (e) {
            xmlhttp = false;
        }
    }
    if (!xmlhttp && window.createRequest) {
        try {
            xmlhttp = window.createRequest();
        } catch (e) {
            xmlhttp = false;
        }
    }
    
    xmlhttp.open("GET", "http://www.google.com", true);
    xmlhttp.onreadystatechange = function() {
        if (xmlhttp.readyState == 4) {
            alert("Got Response");
            alert(xmlhttp.responseText)
        }
    }
    
    xmlhttp.send(null)
    alert("test Complete");
    

    0 讨论(0)
  • 2020-12-05 05:18

    I'd say it's enough. If cross-domain requests were permitted, you'd be doomed anyway because the attacker could use Javascript to fetch the CSRF token and use it in the forged request.

    A static token is not a great idea. The token should be generated at least once per session.

    EDIT2 Mike is not right after all, sorry. I hadn't read the page I linked to properly. It says:

    A simple cross-site request is one that: [...] Does not set custom headers with the HTTP Request (such as X-Modified, etc.)

    Therefore, if you set X-Requested-With, the request has to be pre-flown, and unless you respond to pre-flight OPTIONS request authorizing the cross-site request, it won't get through.

    EDIT Mike is right, as of Firefox 3.5, cross-site XMLHttpRequests are permitted. Consequently, you also have to check if the Origin header, when it exists, matches your site.

    if (array_key_exists('HTTP_ORIGIN', $_SERVER)) {
        if (preg_match('#^https?://myserver.com$#', $_SERVER['HTTP_ORIGIN'])
            doStuff();
    }
    elseif (array_key_exists('HTTP_X_REQUESTED_WITH', $_SERVER) &&
            (strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest'))
        doStuff(); 
    
    0 讨论(0)
  • 2020-12-05 05:22

    No this can be easily bypassed , By making A Cross-domain-Flash request to the server that contains this header and the request with it's credentials , see this : https://www.geekboy.ninja/blog/exploiting-json-cross-site-request-forgery-csrf-using-flash/?unapproved=6685&moderation-hash=91554c30888cfb21580f6873e0569da0

    The best way to protect against CSRFs is to make Header or Parameter contains a secret key for each request ,

    0 讨论(0)
  • 2020-12-05 05:24

    I do not think this offers any kind of protection. An attacking site could still use xmlhttprequest for its cross-site request bypass your check.

    0 讨论(0)
提交回复
热议问题