Articles

Laravel Web Security: He aha ka Cross-Site Request Forgery (CSRF)?

palekana pūnaewele

Ma kēia kumu aʻo Laravel e kamaʻilio mākou e pili ana i ka Pūnaewele Pūnaewele a pehea e pale ai i kahi noi pūnaewele mai Cross-Site Request Forgery a i ʻole CSRF attacks.

ʻO CSRF kahi hana ʻino i hana ʻia e ka mea hoʻouka kaua, nāna e hana i nā hana ma ka inoa o ka mea hoʻohana i hōʻoia ʻia, e hōʻino i ka palekana pūnaewele. ʻO ka mea pōmaikaʻi, hāʻawi ʻo Laravel i nā mea hana e pale ai i kēia ʻano nāwaliwali.

He aha ka CSRF?

Hoʻouka ka CSRF i nā kau mea hoʻohana. Hana lākou i kēia ma ka hoʻopunipuni ʻana i ka mea hoʻohana i ka waiho ʻana i kahi noi ma o nā hōʻailona palapala huna a i ʻole URL maikaʻi ʻole (kiʻi a i ʻole nā ​​loulou) me ka ʻike ʻole o ka mea hoʻohana.

Ke alakaʻi nei kēia hoʻouka ʻana i ka hoʻololi ʻana i ke kūlana kau o ka mea hoʻohana, leak data, a i kekahi manawa hiki i nā hackers ke hoʻopunipuni i ka ʻikepili hoʻohana hope i kahi noi.

Hōʻike ke kiʻi ma luna nei i kahi hiʻohiʻona kahi i haki ʻia ai ka palekana pūnaewele. Hoʻouna ka mea i pepehi ʻia i kahi noi ma ke kaomi ʻana i kahi loulou (loaʻa), e hoʻouna ana i kahi noi i kahi kikowaena pūnaewele e hoʻopuka i nā hopena i makemake ʻia e ka hacker, ka mea i loaʻa i ka ʻike pono no ke komo ʻana a me ka hoʻoponopono ʻana i ka kikowaena pūnaewele.

Pehea e pale ai i nā noi CSRF

E hoʻomaikaʻi i ka e malu ai pūnaewele o kāu mau noi, i kēlā me kēia kau mea hoʻohana, hana ʻo Laravel i nā hōʻailona palekana e hoʻohana ai e hōʻoia i ka mea hoʻohana i hōʻoia ʻia ʻo ia ka mea e noi ana i ka noi.

Ma muli o ka loli ʻana o kēia hōʻailona i kēlā me kēia manawa i hana hou ʻia kahi kau mea hoʻohana, ʻaʻole hiki i ka mea hoʻouka ke komo iā ia.

I kēlā me kēia manawa he noi e hoʻololi i ka ʻike mea hoʻohana ma ka ʻaoʻao kikowaena (backend) like POSTPUTPATCHDELETE, pono ʻoe e hoʻokomo i ke kuhikuhi @csrf ma ka palapala noi blade HTML. ʻO ka @csrf nolaila he kuhikuhi Blade hoʻohana ʻia e hana i kahi hōʻailona huna i hōʻoia ʻia e ka noi.

ʻO ke kuhikuhi Blade ʻo ia ka syntax i hoʻohana ʻia i loko o ka mīkini template Laravel i kapa ʻia kōmi ' . No ka hana ʻana i kahi faila blade pono ʻoe e hāʻawi i kahi inoa - ma kā mākou ʻano hihia - a ukali ʻia e ka hoʻonui ʻia o ka lau. 'O ia ho'i, e loa'a ka inoa i ka faila form.blade.php.

Hoʻohana ʻia ka faila blade e hāʻawi i nā manaʻo no nā mea hoʻohana ma ka ʻaoʻao pūnaewele. Aia kekahi mau kuhikuhi muadefihiki iā ʻoe ke hoʻohana i ka syntax pōkole nite a i ʻole blade. ʻo kahi laʻana, @if e nānā inā hoʻokō ʻia kahi kūlana, @empty e nānā inā ʻaʻole nele nā ​​moʻolelo, @auth e nānā inā hōʻoia ka mea hoʻohana a pēlā aku.

Akā, e hoʻi kāua i ke kuhikuhi @csrf. Eia kāu hoʻohana ʻana:

<form method="POST" action="{{route('pay')}}">

    @csrf
    
</form>

He ʻano hoʻonohonoho ʻokoʻa nā mana o Laravel: hana lāua a hana like.

Nupepa hou
Mai poina i ka nūhou nui loa e pili ana i ka hana hou. E kākau inoa e loaʻa iā lākou ma ka leka uila.
<form method="POST" action="{{route('pay')}}">
    
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
    
</form>

I ka nalo ʻana o ka hōʻailona CSRF mai ka palapala noi i waiho ʻia a inā ʻike ʻole ʻia, hoʻolei ʻo Laravel i kahi memo hewa "Page Expired" me kahi code status 419.

Pehea a me kahi e hana ʻia ai ka hōʻoia CSRF

ʻO ka middleware VerifyCsrfToken lawelawe ʻo ia i ka hōʻoia CSRF i loko o ka noi Laravel. ʻO ka middleware ua kakauinoa ma Kernel.php a aia ma ka papa kuhikuhi app/Http/Middleware. ʻO kēia ke ʻano o ka middleware Hoʻomaka ia no nā noi i loko o ka pūnaewele, ʻaʻole pili i nā API.

protected $middlewareGroups = [
        'web' => [
           .
           .
           .
           .
           .
            \App\Http\Middleware\VerifyCsrfToken::class,
        ],
    ];

Hoʻonui ka VerifyCsrfToken middleware i ka papa Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, ʻo ia hoʻi ka hōʻoia CSRF defii loko o ka lumi papa.

E ʻeli hohonu e ʻike pehea e lawelawe ai ʻo Laravel i ka hōʻoia CSRF.

I loko o ka papa, loaʻa iā mākou ka hana tokensMatch.

protected function tokensMatch($request)
{
     $token = $this->getTokenFromRequest($request);

     return is_string($request->session()->token()) &&
            is_string($token) &&
            hash_equals($request->session()->token(), $token);
}

ma ke code e hoʻoholo inā pili ka hālāwai a me nā hōʻailona CSRF hoʻokomo.

Hana ka hana i ʻelua mau mea:

  1. loaa $this->getTokenFromRequest ka hōʻailona mai ka noi e komo mai i hoʻopili ʻia ma kahi kahua huna a i ʻole ke poʻo noi. Hoʻokaʻawale ʻia ka hōʻailona a laila hoʻihoʻi ʻia i ka hoʻololi hōʻailona.
protected function getTokenFromRequest($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        try {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
        } catch (DecryptException $e) {
            $token = '';
            }
    }

    return $token;
}

Ma ke code e loaʻa iā ia ka hōʻailona mai ke poʻo

2. E hoʻolei i ka hōʻailona noi a me ke kau i kahi kaula a laila hoʻohana hash_equals i kūkulu ʻia ma PHP e hoʻohālikelike inā like nā kaula ʻelua. ʻO ka hopena o kēia hana i nā manawa a pau bool (ʻoiaʻiʻo) a i ʻole (hewa) .

Ercole Palmeri

Nupepa hou
Mai poina i ka nūhou nui loa e pili ana i ka hana hou. E kākau inoa e loaʻa iā lākou ma ka leka uila.
Nā huaʻōlelo: laravelLIKEpalekana ITlako polokalamuhoʻolālā polokalamulako polokalamu uluPūnaewele Pūnaewele
ʻApelila 26, 2023 2:17 pm

Nā nūpepa hou

Nā Pōmaikaʻi o nā ʻaoʻao kala no nā keiki - he honua kilokilo no nā makahiki āpau

ʻO ka hoʻomohala ʻana i nā mākau kaʻa maikaʻi ma o ke kala ʻana e hoʻomākaukau i nā keiki no nā mākau paʻakikī e like me ke kākau ʻana. E kala…

2 Mei 2024

Eia ka wā e hiki mai ana: Pehea e hoʻololi ai ka ʻoihana moku i ka hoʻokele waiwai honua

He mana hoʻokele waiwai maoli ka ʻāpana moana, kahi i hoʻokele i kahi mākeke 150 biliona ...

1 Mei 2024

Hoʻopaʻa inoa nā mea hoʻopuka a me OpenAI i nā ʻaelike e hoʻoponopono i ka kahe o ka ʻike i hana ʻia e Artificial Intelligence

I ka Pōʻakahi i hala, ua hoʻolaha ka Financial Times i kahi kuʻikahi me OpenAI. Laikini ʻo FT i kāna nūpepa papa honua…

30ʻApelila 2024

Uku Online: Eia ke ʻano e uku mau ai nā lawelawe Streaming iā ʻoe

E uku ana nā miliona o ka poʻe no nā lawelawe streaming, e uku ana i nā uku kau inoa o kēlā me kēia mahina. He manaʻo maʻamau ʻoe…

29ʻApelila 2024

E heluhelu i ka Innovation ma kāu ʻōlelo

Nupepa hou
Mai poina i ka nūhou nui loa e pili ana i ka hana hou. E kākau inoa e loaʻa iā lākou ma ka leka uila.

E hahai mai iā mākou

Nā nūpepa hou

Tag

alimony polokalamu pūnaewele blockchain 'ōlelo chatbot kamaʻilio gpt ao ao Me maʻiʻo ke kūʻai akuʻana hana kaua uila cyber maluhia pono kūʻai ecommerce ʻAinea hanana hou gianfranco fedele google ka pā HOU hoʻopukapuka kālā kūlia hoonui mea hou lapaʻau ka hoomau hou ana Nā hana hou ʻenehana ʻike kūlohelohe Iot Ka Papa Hana ʻikeʻole Microsoft nft ʻAʻohe kanaka i loko o ka Loop LIKE pane pane Hoʻokūkū Lopaka SEO SERP lako polokalamu hoʻolālā polokalamu lako polokalamu ulu Pūnaewele Pūnaewele kuleana mea hoʻomaka kohola palapala aʻoaʻo vpn webxNUMX