Hacking Exposed™ Web 2.0, part 5

CSRF Protections

The best protection against the CSRF attacks shown in this chapter, which helps mitigate cross-domain attacks, is the use of a cryptographic token for every GET/POST request that is allowed to modify server-side data, as noted in a whitepaper written by Jesse Burns of iSEC Partners.1 The token gives the application an unpredictable and unique parameter that is per-user and per-session specific, making the application's control structure different across users. This behavior makes the control structure unpredictable for an attacker, reducing the exposure to CSRF. See the whitepaper for more information.

SUMMARY

Since the invention of the World Wide Web, web pages have been allowed to interact with web servers belonging to completely different domains. This is a fundamental of the Web, and without links among domains the Internet would be a much less useful tool. However, the fact that users and autonomous script are both able to create HTTP requests that look identical creates a class of vulnerabilities to which most web applications are vulnerable by default. These vulnerabilities have existed for decades but are only now being explored by legitimate and malicious security researchers, and they have only become more interesting with the invention of AJAX web applications.

1 Available at files .

Copyright 2008 by The McGraw-Hill Companies.

JavaScript and Asynchronous JavaScript and XML (AJAX) are great technologies that have changed the way web applications are used on the Internet.
While so much of the web is written in Java and JavaScript (and soon AJAX), the attack surface for malicious users is also very wide. Malicious JavaScript, including malicious AJAX, has already started to do damage on the Internet. The things that make AJAX and JavaScript attractive for developers, including their agility, flexibility, and powerful functions, are the same things that
