
django - Django: csrftoken COOKIE vs. csrfmiddlewaretoken HTML form value

Reposted. Author: 行者123 Updated: 2023-12-03 13:25:20

Trying to understand security. Curious why, when a form is submitted (POST) in Django, there are 2 separate "elements" that contain the same csrf token value:

- the csrftoken cookie:
COOKIES:{'csrftoken': '1effe96056e91a8f58461ad56c0d4ddc', ...

- the Form's hidden csrfmiddlewaretoken:
POST:<QueryDict: {u'csrfmiddlewaretoken':
[u'1effe96056e91a8f58461ad56c0d4ddc'], ...

If Django inserts the hidden csrf field/value into the form it sends to the browser (GET) and expects to get the same value back when it receives the POST, why does it also set a cookie?

A more general question: if either one of them (form, cookie) were missing, could you describe a scenario for how it could be exploited (a security attack)?

By the way, I ran some simple tests to make sure Django checks the validity of each one separately, and it does:

  • If I change the form's csrf value before doing the POST, I get this debug error:

    CSRF token missing or incorrect.

  • If I delete the csrf cookie before doing the POST, I get a different error:

    CSRF cookie not set.

I am only familiar with the basic CSRF concepts and want to understand how Django helps defend against these types of attacks.

Thanks,

d

UPDATE:

Although both answers (S.Lott and M. DeSimone) were helpful and made sense, I thought there might be a more detailed explanation for why the secure value is required to be present both in the form and in the cookie. Searching outside stackoverflow.com, I came across a blog post by Jeff Atwood.

I am providing a third answer (sorry for answering my own question, but I think it is relevant supplementary information) that refers to Jeff's blog post, with quotations.

Best answer

From Jeff Atwood's blog post:

Preventing CSRF and XSRF Attacks
(October 14, 2008)

The original post

Felten and Zeller's paper (pdf) recommends the "double-submitted cookie" method to prevent XSRF:

When a user visits a site, the site should generate a (cryptographically strong) pseudorandom value and set it as a cookie on the user's machine. The site should require every form submission to include this pseudorandom value as a form value and also as a cookie value. When a POST request is sent to the site, the request should only be considered valid if the form value and the cookie value are the same. When an attacker submits a form on behalf of a user, he can only modify the values of the form. An attacker cannot read any data sent from the server or modify cookie values, per the same-origin policy. This means that while an attacker can send any value he wants with the form, he will be unable to modify or read the value stored in the cookie. Since the cookie value and the form value must be the same, the attacker will be unable to successfully submit a form unless he is able to guess the pseudorandom value.

The advantage of this approach is that it requires no server state; you simply set the cookie value once, then every HTTP POST checks to ensure that one of the submitted values contains the exact same cookie value. Any difference between the two means a possible XSRF attack.
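The double-submit check described above, written out as a small added example (not Django's own implementation; Django's real middleware also masks the token per request, which is left out here). It reproduces the two separate failure modes the question observed: a missing cookie is reported before the form value is even compared, and a form value that does not match the cookie is rejected. The cookie and field names are the ones the question shows; the token value is the one from the question, used here as constructed sample data.

```python
import hmac
import secrets

CSRF_COOKIE_NAME = "csrftoken"          # cookie name seen in the question
CSRF_FORM_FIELD = "csrfmiddlewaretoken"  # hidden form field seen in the question
TOKEN_LENGTH = 32                        # hex characters, as in the question's token


def generate_csrf_token():
    """Cryptographically strong pseudorandom value, set once as the cookie."""
    return secrets.token_hex(TOKEN_LENGTH // 2)


def check_csrf(cookies, post_data):
    """Validate a POST under the double-submit cookie scheme.

    Returns None when the request is acceptable, otherwise the reason it was
    rejected. No server-side state is consulted: the only reference value is
    the cookie, which a cross-site page cannot read or set (same-origin policy).
    """
    cookie_token = cookies.get(CSRF_COOKIE_NAME)
    if not cookie_token:
        # Without the cookie there is nothing to compare the form value against.
        return "CSRF cookie not set."

    form_token = post_data.get(CSRF_FORM_FIELD, "")
    # Length check first, then a constant-time comparison so the check does not
    # leak how many leading characters of a guessed value matched.
    if len(form_token) != TOKEN_LENGTH or not hmac.compare_digest(
        form_token, cookie_token
    ):
        return "CSRF token missing or incorrect."
    return None


if __name__ == "__main__":
    # Constructed requests: a legitimate one, and the two broken cases from the
    # question (altered form value, deleted cookie).
    token = "1effe96056e91a8f58461ad56c0d4ddc"
    print(check_csrf({CSRF_COOKIE_NAME: token}, {CSRF_FORM_FIELD: token}))
    print(check_csrf({CSRF_COOKIE_NAME: token}, {CSRF_FORM_FIELD: "0" * 32}))
    print(check_csrf({}, {CSRF_FORM_FIELD: token}))
```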

Regarding django - Django: csrftoken COOKIE vs. csrfmiddlewaretoken HTML form value, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/5588374/
