JSON API and CSRF

Date: 2018-02-22 01:06:37

Tags: csrf api-design csrf-protection

I am developing a web API. Authentication is done via a cookie. All endpoints receive their parameters as JSON in the request body.

Do I need to implement CSRF tokens to protect them? How could this be exploited? Is it possible to send JSON through an ordinary <form> element?

Could an attacker have something like this?

<form type="application/json" method="POST">
     <input name="json" value="{ my json code here }">
     <input type="submit" value="Send">
</form>

3 answers:

Answer 0 (score: 2)

Firstly, you have to secure your API to avoid HTML/JavaScript injections that can cause CSRF attacks on OTHER sites. To do so:

  • use HTTPS for all communications to avoid MITM attacks

  • sanitize all incoming data to prevent HTML/JavaScript/SQL/LDAP/Command/... injections. You can also use a web application firewall (WAF) that prevents different types of attacks.

  • Use HTTP headers:

    X-XSS-Protection: 1; mode=block - this header enables the cross-site scripting (XSS) filter built into most recent web browsers.

    Content-Security-Policy - this header tells the browser that it can only communicate with the domains you explicitly allow.

In case your API provides any sensitive information, then use a CSRF token to avoid CSRF attacks on YOUR API. A CSRF attack on your API can be done, for example, by JavaScript injected into another website. In this case the injection can make a correct AJAX request.

Answer 1 (score: 1)

A CSRF token is a must. Perhaps you can add some hash based on the value and match it later. You may want to consider sending the value with ajax rather than putting it in an input, because JSON often has double quotes, like value="{name:""}", which would make the HTML invalid.

Answer 2 (score: 1)

HTML forms have no attribute named type. The closest attribute is enctype; you can find its reference here. The only valid values for that attribute are:

- application/x-www-form-urlencoded, the default. All characters are encoded before being sent (spaces are converted to "+" symbols, special characters are converted to ASCII HEX values)

- multipart/form-data: no characters are encoded. This value is required when using forms that have a file upload control.

- text/plain: spaces are converted to "+" symbols, but special characters are not encoded.

So a simple form cannot submit a valid JSON payload.