界: Encapsulation
封装即绘制强边界。在 Web 浏览器中,这可能意味着确保您的移动代码不会被其他移动代码滥用。在服务器上,这可能意味着区分已验证数据和未验证数据、区分一个用户的数据和另一个用户的数据,或者区分允许用户查看的数据和不允许用户查看的数据。
Cross-Site Request Forgery
Abstract
Visualforce 页面操作方法或控制器构造函数在未提供针对未经授权的请求的防护的情况下执行敏感任务。
Explanation
Cross-Site Request Forgery (CSRF) 漏洞会在以下情况下发生:
1.Web 应用程序使用会话 Cookie。
2.应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
默认情况下,Visualforce 页面以隐藏的表单字段呈现,这些字段用作反 CSRF 令牌。这些令牌包含在从页面内发送的请求中,服务器会在执行相应的操作方法或命令之前检查令牌的有效性。但是,此内置防御不适用于页面操作方法和自定义页面控制器构造函数,因为它们是在页面加载期间生成反 CSRF 令牌之前执行的。
示例 1:以下 Visualforce 页面声明了一个自定义控制器
攻击者可以设置一个包含以下代码的恶意网站:
如果 Visualforce 页面的管理员在网站上具有活动会话时访问了恶意页面,则他们会在毫不知情的情况下为攻击者删除帐户。
1.Web 应用程序使用会话 Cookie。
2.应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
默认情况下,Visualforce 页面以隐藏的表单字段呈现,这些字段用作反 CSRF 令牌。这些令牌包含在从页面内发送的请求中,服务器会在执行相应的操作方法或命令之前检查令牌的有效性。但是,此内置防御不适用于页面操作方法和自定义页面控制器构造函数,因为它们是在页面加载期间生成反 CSRF 令牌之前执行的。
示例 1:以下 Visualforce 页面声明了一个自定义控制器
MyAccountActions 和一个页面操作方法 pageAction()。该 pageAction() 方法在访问页面 URL 时执行,且服务器不会检查是否存在反 CSRF 令牌。
<apex:page controller="MyAccountActions" action="{!pageAction}">
...
</apex:page>
public class MyAccountActions {
...
public void pageAction() {
Map<String,String> reqParams = ApexPages.currentPage().getParameters();
if (params.containsKey('id')) {
Id id = reqParams.get('id');
Account acct = [SELECT Id,Name FROM Account WHERE Id = :id];
delete acct;
}
}
...
}
攻击者可以设置一个包含以下代码的恶意网站:
<img src="http://my-org.my.salesforce.com/apex/mypage?id=YellowSubmarine" height=1 width=1/>
如果 Visualforce 页面的管理员在网站上具有活动会话时访问了恶意页面,则他们会在毫不知情的情况下为攻击者删除帐户。
References
[1] Salesforce Security Tips for Apex and Visualforce Development - Cross-Site Request Forgery (CSRF)
[2] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[3] OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
[4] Standards Mapping - Common Weakness Enumeration CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[9] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[10] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[11] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[12] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[13] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[14] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[15] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[16] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[17] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[20] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[27] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[30] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[31] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[33] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[34] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[56] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[57] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.apex.csrf
Abstract
状态不断变化的 HTTP 请求必须包含用户特有的密码,以防止攻击者发出未经授权的请求。
Explanation
Cross-Site Request Forgery (CSRF) 漏洞会在以下情况下发生:
1.Web 应用程序使用会话 Cookie。
2.应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
示例 1:在下列示例中,Web 应用程序允许管理员创建新帐户:
攻击者可以设置一个包含以下代码的恶意网站。
如果
如果应用程序通过 URL 传递会话标识符(而不是 Cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
部分框架会自动将 CSRF nonce 包含在其中,以保护应用程序的安全。禁用此功能会将应用程序置于风险之中。
示例 2:受此 Spring Security 保护的应用程序明确禁用 CSRF 保护功能。
1.Web 应用程序使用会话 Cookie。
2.应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
示例 1:在下列示例中,Web 应用程序允许管理员创建新帐户:
RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "/new_user");
body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
rb.sendRequest(body, new NewAccountCallback(callback));
攻击者可以设置一个包含以下代码的恶意网站。
RequestBuilder rb = new RequestBuilder(RequestBuilder.POST, "http://www.example.com/new_user");
body = addToPost(body, "attacker";
body = addToPost(body, "haha");
rb.sendRequest(body, new NewAccountCallback(callback));
如果
example.com 的管理员在网站上具有活动会话时访问了恶意页面,则他们会在毫不知情的情况下为攻击者创建一个帐户。这就是 CSRF 攻击。正是由于该应用程序无法确定请求的来源,才有可能受到 CSRF 攻击。任何请求都有可能是用户选定的合法操作,也有可能是攻击者设置的伪操作。攻击者无法查看伪请求生成的网页,因此,这种攻击技术仅适用于篡改应用程序状态的请求。如果应用程序通过 URL 传递会话标识符(而不是 Cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
部分框架会自动将 CSRF nonce 包含在其中,以保护应用程序的安全。禁用此功能会将应用程序置于风险之中。
示例 2:受此 Spring Security 保护的应用程序明确禁用 CSRF 保护功能。
<http auto-config="true">
...
<csrf disabled="true"/>
</http>
References
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.config.java.csrf
Abstract
HTTP 请求必须包含用户特定的密码,以防止攻击者发出未经授权的请求。
Explanation
跨站点伪装请求 (CSRF) 漏洞会在以下情况下发生:
1. Web 应用程序使用会话 cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
nonce 是加密随机值,随消息发送,以防止转发攻击。如果请求中不包含证明其来源的 nonce,则用来处理该请求的代码容易受到 CSRF 攻击(除非请求不改变应用程序的状态)。这意味着使用会话 Cookie 的 Web 应用程序必须采取特殊的预防措施,以确保攻击者无法诱骗用户提交虚假请求。假设某个 Web 应用程序允许管理员新建帐户,如下所示:
攻击者可以设置一个包含以下代码的恶意网站。
如果
如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
1. Web 应用程序使用会话 cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
nonce 是加密随机值,随消息发送,以防止转发攻击。如果请求中不包含证明其来源的 nonce,则用来处理该请求的代码容易受到 CSRF 攻击(除非请求不改变应用程序的状态)。这意味着使用会话 Cookie 的 Web 应用程序必须采取特殊的预防措施,以确保攻击者无法诱骗用户提交虚假请求。假设某个 Web 应用程序允许管理员新建帐户,如下所示:
var req = new XMLHttpRequest();
req.open("POST", "/new_user", true);
body = addToPost(body, new_username);
body = addToPost(body, new_passwd);
req.send(body);
攻击者可以设置一个包含以下代码的恶意网站。
var req = new XMLHttpRequest();
req.open("POST", "http://www.example.com/new_user", true);
body = addToPost(body, "attacker");
body = addToPost(body, "haha");
req.send(body);
如果
example.com 的管理员在网站上具有活动会话时访问了恶意页面,则会在毫不知情的情况下为攻击者创建一个帐户。这就是 CSRF 攻击。正是由于该应用程序无法确定请求的来源,才有可能受到 CSRF 攻击。任何请求都有可能是用户选定的合法操作,也有可能是攻击者设置的伪操作。攻击者无法查看伪请求生成的网页,因此,这种攻击技术仅适用于篡改应用程序状态的请求。如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
References
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.javascript.csrf
Abstract
Django 应用程序不启用 CSRF 中间件保护
Explanation
跨站点伪装请求 (CSRF) 漏洞会在以下情况下发生:
1. Web 应用程序使用会话 cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
Nonce 是随消息一起发送的加密随机值,可防止 replay 攻击。如果该请求未包含证明其来源的 nonce,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。这意味着使用会话 cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。假设有一个 Web 应用程序,它允许管理员通过提交此表单来创建新帐户:
攻击者可能会使用以下内容来建立一个网站:
如果
如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
1. Web 应用程序使用会话 cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
Nonce 是随消息一起发送的加密随机值,可防止 replay 攻击。如果该请求未包含证明其来源的 nonce,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。这意味着使用会话 cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。假设有一个 Web 应用程序,它允许管理员通过提交此表单来创建新帐户:
<form method="POST" action="/new_user" >
Name of new user: <input type="text" name="username">
Password for new user: <input type="password" name="user_passwd">
<input type="submit" name="action" value="Create User">
</form>
攻击者可能会使用以下内容来建立一个网站:
<form method="POST" action="http://www.example.com/new_user">
<input type="hidden" name="username" value="hacker">
<input type="hidden" name="user_passwd" value="hacked">
</form>
<script>
document.usr_form.submit();
</script>
如果
example.com 的管理员在网站上具有活动会话时访问了恶意页面,则会在毫不知情的情况下为攻击者创建一个帐户。这就是 CSRF 攻击。正是由于该应用程序无法确定请求的来源,才有可能受到 CSRF 攻击。任何请求都有可能是用户选定的合法操作,也有可能是攻击者设置的伪操作。攻击者无法查看伪请求生成的网页,因此,这种攻击技术仅适用于篡改应用程序状态的请求。如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
References
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] Standards Mapping - Common Weakness Enumeration CWE ID 352
[3] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[8] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[9] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[10] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[11] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[12] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[13] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[14] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[15] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[16] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[19] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[26] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[29] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[30] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[32] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[33] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[55] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.structural.python.cross_site_request_forgery_django_settings
Abstract
HTTP 请求必须包含用户特定的密码,以防止攻击者发出未经授权的请求。
Explanation
Cross-Site Request Forgery (CSRF) 漏洞会在以下情况下发生:
1. Web 应用程序使用会话 Cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
随机数是随消息一起发送的加密随机值,可防止 Replay 攻击。 如果该请求不包含可证明其来源的随机数,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。 这意味着使用会话 Cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。 假设有一个 Web 应用程序,它允许管理员创建新帐户,如下所示:
默认情况下,Play Framework 可抵御 CSRF 攻击,但是也可以全局或针对某些路由禁用。
示例 1:以下路由定义将禁用
如果用户在
如果应用程序通过 URL 传递会话标识符(而不是 Cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
1. Web 应用程序使用会话 Cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
随机数是随消息一起发送的加密随机值,可防止 Replay 攻击。 如果该请求不包含可证明其来源的随机数,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。 这意味着使用会话 Cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。 假设有一个 Web 应用程序,它允许管理员创建新帐户,如下所示:
默认情况下,Play Framework 可抵御 CSRF 攻击,但是也可以全局或针对某些路由禁用。
示例 1:以下路由定义将禁用
buyItem 控制器方法的 CSRF 保护。
+ nocsrf
POST /buyItem controllers.ShopController.buyItem
如果用户在
shop.com 上具有活动会话时被诱骗访问了恶意网页,她会在毫不知情的情况下为攻击者购买物品。 这就是 CSRF 攻击。 正是由于该应用程序无法确定请求的来源,才有可能受到 CSRF 攻击。 任何请求都有可能是用户选定的合法操作,也有可能是攻击者设置的伪操作。 攻击者无法查看伪请求生成的网页,因此,这种攻击技术仅适用于篡改应用程序状态的请求。如果应用程序通过 URL 传递会话标识符(而不是 Cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
References
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.semantic.scala.cross_site_request_forgery
Abstract
表单发布必须包含用户特有的机密,防止攻击者发出未经授权的请求。
Explanation
跨站点伪装请求 (CSRF) 漏洞会在以下情况下发生:
1. Web 应用程序使用会话 cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
Nonce 是随消息一起发送的加密随机值,可防止 replay 攻击。如果该请求未包含证明其来源的 nonce,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。这意味着使用会话 cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。假设有一个 Web 应用程序,它允许管理员通过提交此表单来创建新帐户:
攻击者可能会使用以下内容来建立一个网站:
如果
如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
1. Web 应用程序使用会话 cookie。
2. 应用程序未验证请求是否经过用户同意便处理 HTTP 请求。
Nonce 是随消息一起发送的加密随机值,可防止 replay 攻击。如果该请求未包含证明其来源的 nonce,则处理该请求的代码将易受到 CSRF 攻击(除非它并未更改应用程序的状态)。这意味着使用会话 cookie 的 Web 应用程序必须采取特殊的预防措施,确保攻击者无法诱骗用户提交伪请求。假设有一个 Web 应用程序,它允许管理员通过提交此表单来创建新帐户:
<form method="POST" action="/new_user" >
Name of new user: <input type="text" name="username">
Password for new user: <input type="password" name="user_passwd">
<input type="submit" name="action" value="Create User">
</form>
攻击者可能会使用以下内容来建立一个网站:
<form method="POST" action="http://www.example.com/new_user">
<input type="hidden" name="username" value="hacker">
<input type="hidden" name="user_passwd" value="hacked">
</form>
<script>
document.usr_form.submit();
</script>
如果
example.com 的管理员在网站上具有活动会话时访问了恶意页面,则会在毫不知情的情况下为攻击者创建一个帐户。这就是 CSRF 攻击。正是由于该应用程序无法确定请求的来源,才有可能受到 CSRF 攻击。任何请求都有可能是用户选定的合法操作,也有可能是攻击者设置的伪操作。攻击者无法查看伪请求生成的网页,因此,这种攻击技术仅适用于篡改应用程序状态的请求。如果应用程序通过 URL 传递会话标识符(而不是 cookie),则不会出现 CSRF 问题,因为攻击者无法访问会话标识符,也无法在伪请求中包含会话标识符。
References
[1] A. Klein Divide and Conquer: HTTP Response Splitting, Web Cache Poisoning Attacks, and Related Topics
[2] OWASP Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet
[3] Standards Mapping - Common Weakness Enumeration CWE ID 352
[4] Standards Mapping - Common Weakness Enumeration Top 25 2019 [9] CWE ID 352
[5] Standards Mapping - Common Weakness Enumeration Top 25 2020 [9] CWE ID 352
[6] Standards Mapping - Common Weakness Enumeration Top 25 2021 [9] CWE ID 352
[7] Standards Mapping - Common Weakness Enumeration Top 25 2022 [9] CWE ID 352
[8] Standards Mapping - Common Weakness Enumeration Top 25 2023 [9] CWE ID 352
[9] Standards Mapping - DISA Control Correlation Identifier Version 2 CCI-001310, CCI-001941, CCI-001942
[10] Standards Mapping - General Data Protection Regulation (GDPR) Access Violation
[11] Standards Mapping - NIST Special Publication 800-53 Revision 4 IA-2 Identification and Authentication (Organizational Users) (P1), SC-23 Session Authenticity (P1), SI-10 Information Input Validation (P1)
[12] Standards Mapping - NIST Special Publication 800-53 Revision 5 IA-2 Identification and Authentication (Organizational Users), SC-23 Session Authenticity, SI-10 Information Input Validation
[13] Standards Mapping - OWASP Application Security Verification Standard 4.0 3.5.3 Token-based Session Management (L2 L3), 4.2.2 Operation Level Access Control (L1 L2 L3), 13.2.3 RESTful Web Service Verification Requirements (L1 L2 L3)
[14] Standards Mapping - OWASP Mobile 2014 M5 Poor Authorization and Authentication
[15] Standards Mapping - OWASP Mobile 2024 M3 Insecure Authentication/Authorization
[16] Standards Mapping - OWASP Top 10 2007 A5 Cross Site Request Forgery (CSRF)
[17] Standards Mapping - OWASP Top 10 2010 A5 Cross-Site Request Forgery (CSRF)
[18] Standards Mapping - OWASP Top 10 2013 A8 Cross-Site Request Forgery (CSRF)
[19] Standards Mapping - OWASP Top 10 2021 A01 Broken Access Control
[20] Standards Mapping - Payment Card Industry Data Security Standard Version 1.2 Requirement 6.5.5
[21] Standards Mapping - Payment Card Industry Data Security Standard Version 2.0 Requirement 6.5.9
[22] Standards Mapping - Payment Card Industry Data Security Standard Version 3.0 Requirement 6.5.9
[23] Standards Mapping - Payment Card Industry Data Security Standard Version 3.1 Requirement 6.5.9
[24] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2 Requirement 6.5.9
[25] Standards Mapping - Payment Card Industry Data Security Standard Version 3.2.1 Requirement 6.5.9
[26] Standards Mapping - Payment Card Industry Data Security Standard Version 4.0 Requirement 6.2.4
[27] Standards Mapping - Payment Card Industry Software Security Framework 1.0 Control Objective 5.4 - Authentication and Access Control
[28] Standards Mapping - Payment Card Industry Software Security Framework 1.1 Control Objective 5.4 - Authentication and Access Control
[29] Standards Mapping - Payment Card Industry Software Security Framework 1.2 Control Objective 5.4 - Authentication and Access Control, Control Objective C.2.3 - Web Software Access Controls
[30] Standards Mapping - SANS Top 25 2009 Insecure Interaction - CWE ID 352
[31] Standards Mapping - SANS Top 25 2010 Insecure Interaction - CWE ID 352
[32] Standards Mapping - SANS Top 25 2011 Insecure Interaction - CWE ID 352
[33] Standards Mapping - Security Technical Implementation Guide Version 3.1 APP3585 CAT II
[34] Standards Mapping - Security Technical Implementation Guide Version 3.4 APP3585 CAT II
[35] Standards Mapping - Security Technical Implementation Guide Version 3.5 APP3585 CAT II
[36] Standards Mapping - Security Technical Implementation Guide Version 3.6 APP3585 CAT II
[37] Standards Mapping - Security Technical Implementation Guide Version 3.7 APP3585 CAT II
[38] Standards Mapping - Security Technical Implementation Guide Version 3.9 APP3585 CAT II
[39] Standards Mapping - Security Technical Implementation Guide Version 3.10 APP3585 CAT II
[40] Standards Mapping - Security Technical Implementation Guide Version 4.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[41] Standards Mapping - Security Technical Implementation Guide Version 4.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[42] Standards Mapping - Security Technical Implementation Guide Version 4.4 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[43] Standards Mapping - Security Technical Implementation Guide Version 4.5 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[44] Standards Mapping - Security Technical Implementation Guide Version 4.6 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[45] Standards Mapping - Security Technical Implementation Guide Version 4.7 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[46] Standards Mapping - Security Technical Implementation Guide Version 4.8 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[47] Standards Mapping - Security Technical Implementation Guide Version 4.9 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[48] Standards Mapping - Security Technical Implementation Guide Version 4.10 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[49] Standards Mapping - Security Technical Implementation Guide Version 4.11 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[50] Standards Mapping - Security Technical Implementation Guide Version 4.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[51] Standards Mapping - Security Technical Implementation Guide Version 5.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[52] Standards Mapping - Security Technical Implementation Guide Version 5.2 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[53] Standards Mapping - Security Technical Implementation Guide Version 5.3 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[54] Standards Mapping - Security Technical Implementation Guide Version 6.1 APSC-DV-001620 CAT II, APSC-DV-001630 CAT II, APSC-DV-002500 CAT II
[55] Standards Mapping - Web Application Security Consortium Version 2.00 Cross-Site Request Forgery (WASC-09)
[56] Standards Mapping - Web Application Security Consortium 24 + 2 Cross-Site Request Forgery
desc.content.html.csrf