Использование Токена против CSRF атак
рейтинг: 6.3/10, голосов: 10
Токены (Token) обеспечивают дополнительный уровень безопасности при отправки форм залогинеными пользователями. После того как пользователь вошел на сайт Joomla (даже если он еще не залогинился), система присваивает ему уникальный идентификатор. По нему можно легко отличать посетителей друг от друга, отслеживать действия и переходы пользователя по сайту. Но тут возникает проблема связанная с безопасностью, а именно если идентификатор сессии пользователя попадет в руки злоумышленнику. Тогда последний сможет не зная логина и пароля, ходить по сайту под чужим именем и т.д. Атака подобного рода носит название CWE-352: Cross-Site Request Forgery (CSRF) - Подделка межсайтовых запросов. Разберемся как уберечь себя от подобной ситуации.
Обычный пользователь интернета, открыл в своем браузере две разные вкладки - на одной открыт сайт на Joomla, на другой сайт злоумышленника с вредоносным JavaScript и при этом в настройках безопасности пользовательского браузера скрипты сайта могут управлять любыми окнами. Таким образом сайт злоумышленника без ведома пользователя будет получать желаемую информацию с посещенных страниц, отправлять формы. Здесь описан простейший метод атаки, от которого современные браузеры защищены. Подробнее можно прочитать, например, на сайте securitylab.ru.
Joomla в своем арсенале имеет готовый способ защиты от CSRF-атак. Для этого нужно воспользоваться статическими встроенными классами JUtility, JRequest и JHTML.
Уникальный идентификатор пользователя (так же его иногда называют токеном, маркером, ИД-шником и прочее...) добавляется следующим образом:
где tokenValue - уникальное значение (нечто похожее на md5).
Реализовывается это в расширении следующим образом:
// получаем Токен
$token = JUtility::getToken();
// собираем URL с включенным Токеном
$url = 'index.php?option=com_foobar&controller=foo&task=bar&'.$token.'=1';
$url = JRoute::_($url);
В примере идентификатор был передан как GET-параметр. Как известно, в адресе должны передаться только параметры для чтения страницы, что не свойственно для токена. Обычно он передается вместе формой в POST. Делается это следующим образом:
// импорт JHTML
jimport('joomla.html.html');
// вставляем скрытое поле в форму
echo JHTML::_('form.token');
Для проверки воспользуемся методом JRequest:checkToken(). Он вернет булево значение — правильный, либо нет маркер. Ниже идет небольшой пример использования. Примерно так же проверяются формы в панели управления Joomla.
// проверка маркера
JRequest::checkToken() or jexit('Invalid Token');
Примечание: функция jexit() - это наиболее верный способ моментальной остановки работы Joomla. Почему нельзя использовать die()?
По умолчанию, checkToken() проверяет данные из массива POST. Первым аргументом можно явно указать, где искать маркер.
// проверка токена из GET
JRequest::checkToken('GET') or jexit('Invalid Token');
В предыдущих примерах мы поступали очень жестко — при несовпадении маркеров просто выход из программы. Можно расширить текст ошибки и добавить соответствующий HTTP заголовок.
// проверяем индентификатор
if (!JRequest::checkToken('REQUEST')) {
// возвращаем 403 заголовок (Запрещено!)
JError::raiseError(403, JText::_('ALERTNOAUTH'));
// остановка выполнения сценария
jexit('Invalid Token');
}
Обычно в Joomla используется для одного пользователя один и тот же маркер, что не совсем верно с точки зрения безопасности. Рекомендуется для всех форм на сайте использовать различные значения, особенно будет полезно для сайтов с высокими требованиями к безопасности. Но с различными маркерами нужно быть очень осторожным. Например, пользователь может открыть один сайт на нескольких вкладках сразу, тогда проверка может серьезно затрудниться из-за устаревания, проверки "не тех" маркеров и.т.д. Поэтому, прежде чем делать подобные проверки, лучше хорошенько обдумать, стоит оно того или нет.
Следующий листинг демонстрирует, как заново сгенерировать метку
// старый маркер
$oldToken = JUtility::getToken();
// новый маркер
$newToken = JUtility::getToken(true);
Легко! Но нужно быть внимательным и чтобы не смешать различные маркеры, лучше генерировать его в самом начале работы компонента, тогда можно быть увереным в его уникальности.
Для дополнительной безопасности, иногда проверяют реферер (HTTP_REFERER). Но тогда могут возникнуть проблемы для пользователей которые работают в интернете через какие-нибудь фаерволы или прокси сервера, которые обычно блокируют этот заголовок. Поэтому подобную проверку нужно тоже использовать только в крайних случаях. Следующий пример демонстрирует, проерку реферера и в случае неудачи выводит соответствующую ошибку.
// проверка маркера
JRequest::checkToken() or jexit('Invalid Token');
// берем реферер
$referer = JRequest::getString('HTTP_REFERER', null, 'SERVER');
// проверка реферера
if ($referer != null && $referer != '') {
// проверка реферера
if (JURI::isInternal($referer)) {
// не верный реферер
jexit('Invalid Referrer');
}
}
tset
dwewe
Для создателя этой статьи:
Если вы не умеете танцевать, то нечего и других учить!
Вашу защиту обойти как 2 раза плюнуть:
Форум АНТИЧАТ - Обход защиты от CSRF посредством XSS
forum.antichat.ru/printthread.php?t=273030
Надо ДОПОЛНИТЕЛЬНО создавать защиту на iframe - только в этом случае token будет полезным!
Всем привет,
Скажите, а разве POST запрос не генерирует свой token идентификатор? зачем дополнительные танцы?
Nice post. I wwas checking continuously this weblog andd I'mimpressed!
Very useful information particularly the ultimate part :) I handle such ingo a lot.
I was seeking this particular information for a very ong
time. Thanks and good luck.
Hello
I hope you are well. I used to work for an SEO agency based in London, but I have decided to start freelancing on a full time basis.
I have taken some time to analyse joomla-book.ru/development/extensions-security/using-the-token-against-csrf-attacks and have found that your backlink profile is quite thin, which is one reason why your organic Google rankings are not where you would like them to be. I specialise in backlink creation and lead generation and I feel that my backlinks SEO packages could help to get your site much better Google rankings, more traffic and more customers.
I am fairly new on a freelance site called Fiverr as most of my work has been through other Freelance platforms and the agency.
I welcome you to check out and order my seo services here: https://fiverr.com/boutiqueeluxe
If you have any questions, please do not hesitate to drop me a line on Fiverr.
Many thanks for your time and I look forward to helping joomla-book.ru/development/extensions-security/using-the-token-against-csrf-attacks grow to new heights.
This post is truly a nice one it assists new internet viewers, who are wishing for blogging.
Paragraph writing is also a excitement, if you know afterward you can write otherwise it is complicated to write.
What's up Dear, are you in fact visiting this website daily, if so after that you
will definitely obtain fastidious know-how.
Hey there! I've been following your website for a while now and finally
got the bravery to go ahead and give you a shout out from Lubbock Tx!
Just wanted to tell you keep up the good work!
A person necessarily lend a hand to make severely posts I would
state. That is the very first time I frequented your website page
and to this point? I surprised with the analysis you made to create this particular post amazing.
Fantastic task!
My coder is trying to convince me to move to .net from PHP.
I have always disliked the idea because of
the costs. But he's tryiong none the less. I've been using Movable-type on a number
of websites for about a year and am concerned about switching to another platform.
I have heard great things about blogengine.net.
Is there a way I can transfer all my wordpress content into it?
Any kind of help would be greatly appreciated!
We are a group of volunteers and starting a brand new scheme in our community.
Your website provided us with helpful information to work on. You've done a formidable
task and our entire community can be thankful to you.
This is very attention-grabbing, You're a very skilled blogger.
I've joined your rss feed and sit up for in quest of more of your excellent post.
Additionally, I've shared your website in my social networks
If some one desires to be updated with most up-to-date technologies therefore he must be go to see this site and be up to date everyday.
I for all time emailed this weblog post page to all my
contacts, as if like to read it after that my friends will too.
I'm amazed, I must say. Seldom do I come across a blog that's
both equally educative and amusing, and let me tell
you, you have hit the nail on the head. The issue is something which too few folks are speaking intelligently
about. I'm very happy I came across this in my search for something regarding this.
A motivating discussion is definitely worth comment.
I do believe that you ought to publish more on this subject matter, it may not be a taboo
matter but usually people don't speak about these issues.
To the next! Cheers!!
Simply wish to say your article is as surprising.
The clarity in your post is simply spectacular and i could assume you are
an expert on this subject. Fine with your permission let me to grab your feed to keep updated with forthcoming
post. Thanks a million and please keep up the gratifying work.
It's awesome to pay a visit this site and reading the views of all friends regarding this post,
while I am also keen of getting know-how.
I visit every day some web pages and sites to read posts, except this website
provides quality based writing.
Admiring the dedication you put into your website and
detailed information you provide. It's awesome to come across
a blog every once in a while that isn't the same out of date rehashed material.
Fantastic read! I've bookmarked your site and I'm including your
RSS feeds to my Google account.
This text is priceless. When can I find out more?
Hi it's me, I am also visiting this web site regularly, this web page is truly pleasant and the people are actually sharing good thoughts.
Thank you, I've just been looking for info approximately this
subject for a long time and yours is the greatest I have discovered till now.
But, what in regards to the bottom line? Are you sure concerning the supply?
We stumbled over here coming from a different web page and thought
I might as well check things out. I like what I see so i am just following you.
Look forward to looking over your web page again.
I am truly grateful to the holder of this site who has shared
this fantastic article at at this time.
If you are going for best contents like I do, only
pay a visit this web page everyday because it presents quality contents, thanks
I'm really enjoying the design and layout of your site. It's
a very easy on the eyes which makes it much more pleasant
for me to come here and visit more often. Did you hire out a developer to create your theme?
Exceptional work!
hi!,I like your writing very much! proportion we keep up a correspondence extra about your article on AOL?
I require an expert in this area to resolve my problem. May
be that's you! Taking a look forward to see you.
Thank you for the good writeup. It in fact was a amusement account it.
Look advanced to more added agreeable from you!
However, how can we communicate?
Very rapidly this web site will be famous amid all blogging and site-building viewers, due to it's good content
I am really loving the theme/design of your web site. Do you ever run into any
internet browser compatibility issues? A number of my blog readers have complained about my blog not operating correctly in Explorer but
looks great in Firefox. Do you have any ideas to help fix this issue?
It's hard to come by experienced people on this topic,
however, you sound like you know what you're talking about!
Thanks
What's Happening i'm new to this, I stumbled upon this I
have found It absolutely useful and it has helped me out loads.
I'm hoping to contribute & assist other users like its helped me.
Great job.
I got this web site from my buddy who informed me concerning this web page and now this
time I am browsing this web page and reading very informative posts here.
Pretty nice post. I just stumbled upon your blog and wished to say that I have truly enjoyed surfing around your blog
posts. In any case I will be subscribing to
your rss feed and I hope you write again soon!
I was wondering if you ever thought of changing the structure of
your blog? Its very well written; I love what youve got
to say. But maybe you could a little more in the way of content so people could
connect with it better. Youve got an awful lot of text for only having
1 or two images. Maybe you could space it out better?
What's up, I want to subscribe for this webpage to take hottest updates,
thus where can i do it please help.
This is really fascinating, You are an overly skilled blogger.
I have joined your rss feed and stay up for seeking extra of your magnificent post.
Also, I've shared your site in my social networks
Heya i am for the first time here. I came across this board and
I in finding It truly useful & it helped me out a lot.
I'm hoping to give something back and aid others
such as you helped me.
My family all the time say that I am wasting my time here at web, however
I know I am getting familiarity every day by reading thes pleasant posts.
Asking questions are truly nice thing if you are
not understanding anything totally, except this post gives
good understanding even.
Someone essentially lend a hand to make critically posts I would state.
This is the very first time I frequented your website page and up to now?
I surprised with the research you made to make this particular put up incredible.
Magnificent activity!
Hi excellent website! Does running a blog like this take a great deal of work?
I have absolutely no expertise in coding but I had been hoping to start my own blog in the near future.
Anyways, should you have any ideas or tips for new blog owners
please share. I understand this is off subject nevertheless I just needed to ask.
Many thanks!
It's perfect time to make some plans for the longer term and it is time to
be happy. I have learn this post and if I could I desire to counsel you few interesting issues or suggestions.
Perhaps you can write subsequent articles referring to this article.
I desire to learn more things about it!
Please let me know if you're looking for a article author for your blog.
You have some really good articles and I believe I would be a
good asset. If you ever want to take some of the load off, I'd
really like to write some articles for your blog
in exchange for a link back to mine. Please blast me an email if interested.
Many thanks!
Hey! I just wanted to ask if you ever have any issues with hackers?
My last blog (wordpress) was hacked and I ended up losing
months of hard work due to no back up. Do you have any solutions to stop hackers?
I loved as much as you'll receive carried out right here. The
sketch is attractive, your authored subject matter stylish.
nonetheless, you command get got an shakiness over that you wish be delivering the following.
unwell unquestionably come further formerly again since exactly the same
nearly a lot often inside case you shield this increase.
I do not even know how I ended up here, but I thought this post was good.
I do not know who you are but certainly you are going
to a famous blogger if you are not already ;) Cheers!
В Play Fortuna можно играть на рубли, доллары и евро.
Выигрыш от бонуса поступает на бонусный счет.
А потому, что любит кино и заботится о его репутации.
Первые игровые автоматы были чисто механическими.
Hi, i think that i saw you visited my site thus i came to “return the
favor”.I'm trying to find things to improve my website!I suppose
its ok to use some of your ideas!!
Бонус за первый депозит для новых игроков.
Я совсем недавно играю в on line casino Джокер com.
Поэтому Ivi обязательно выведет вам любой выигрыш.
Именно поэтому они приносят максимальные
выигрыши.
Использование Токена против CSRF атак / Безопасность расширений .:. Документация Joomla! CMS
qylgcyrhk grgdx6cymt20b126j75484sr10g0p20es.org/
<a href="/ grgdx6cymt20b126j75484sr10g0p20es.org/ ">aqylgcyrhk</a>
[url= grgdx6cymt20b126j75484sr10g0p20es.org/ ]uqylgcyrhk[/url]
Hello! I'm at work surfing around your blog from my new iphone
3gs! Just wanted to say I love reading through your blog and look forward to all your posts!
Keep up the fantastic work!
Great blog here! Also your site loads up very fast!
What web host are you using? Can I get your affiliate link to your host?
I wish my web site loaded up as quickly as yours lol
I enjoy, cause I discovered just what I was having a look for.
You've ended my four day long hunt! God Bless you man. Have a great day.
Bye
Использование Токена против CSRF атак / Безопасность расширений .:. Документация Joomla! CMS
<a href="/ gb4q2839255eo5ptzfc21zox6k5c627ks.org/ ">azzrybcmjmv</a>
[url= gb4q2839255eo5ptzfc21zox6k5c627ks.org/ ]uzzrybcmjmv[/url]
zzrybcmjmv gb4q2839255eo5ptzfc21zox6k5c627ks.org/
W?at's ?p і amm kavin, itss mу fiгst occasion to commenting anywhеre, whеn i read this posst i thougyht і ccould also creatе comment due to this
brilliant article.
Good day! I just would like to give you a big thumbs up for your great information you hhave right here on this post.
I will be returning to youjr site for more soon.
php patterns
Why visitors still use to read news papers when in this technological globe the
whole thing is existing on net?
I have read so many articles regarding the blogger lovers however this article is in fact a
nice piece of writing, keep it up.
Hi joomla-book.ru webmaster, Keep sharing your knowledge!