Safe and unsafe HTTP methods relation to cross-site request forgery (CSRF)

Question


Sonar raises security alerts on backend endpoints allowing GET & POST methods, as described here.

How is it related to CSRF?

CSRF is explained by OWASP here, but I don't get why having an endpoint open to both GET & POST is harmful. If I limit it to a POST-only endpoint, the attacker can still build a CSRF POST request.

Answer 1

Score: 0


As Heiko said in a comment, Sonar assumes we're using a framework that adds and handles CSRF tokens for us on sensitive endpoints.

For example, Java Spring allows you to configure it as explained in the documentation. Sonar assumes you've already configured it.

It considers POST/PUT/PATCH/DELETE requests but not GET requests, because it assumes that your code follows the best practice: no data alteration in GET endpoints. Of course, you should adapt it to your use case, identifying which are your sensitive endpoints and configuring it accordingly.
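The situation the answer describes, as an added example in Spring Boot with Spring Security 6 (not code from the question, the answer, Sonar or Spring; the controller, paths and `AccountService` are assumptions for illustration):

```java
// Added example: why an endpoint that answers both GET and POST undermines
// the framework's CSRF protection. AccountService, paths and class names
// are assumptions for this illustration.
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

// Assumed business service; a real one would talk to persistence.
interface AccountService {
    void transfer(String to, long amount);
    long balance();
}

@Configuration
class SecurityConfig {
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        // CSRF protection is on by default. Spring's CsrfFilter demands a
        // token only for methods other than GET, HEAD, TRACE and OPTIONS,
        // i.e. it trusts that GET handlers never change state.
        http.csrf(Customizer.withDefaults());
        return http.build();
    }
}

@RestController
class TransferController {
    private final AccountService accounts;
    TransferController(AccountService accounts) { this.accounts = accounts; }

    // BEFORE (what Sonar flags): a bare @RequestMapping("/transfer") matches
    // every method, so the same state-changing handler is reachable via GET.
    // A cross-site GET carries no CSRF token but does carry the victim's
    // session cookie, so the CsrfFilter never gets a chance to stop it.
    //
    // @RequestMapping("/transfer")
    // String transferAnyMethod(@RequestParam String to, @RequestParam long amount)

    // AFTER: the state change is POST-only, which the CsrfFilter checks.
    @PostMapping("/transfer")
    String transfer(@RequestParam String to, @RequestParam long amount) {
        accounts.transfer(to, amount);
        return "ok";
    }

    // GET stays read-only, so exempting it from the token check is safe.
    @GetMapping("/balance")
    long balance() { return accounts.balance(); }
}
```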

huangapple
  • Posted on 2023-06-14 23:48:41
  • When reposting, please keep the link to this article: https://go.coder-hub.com/76475379.html