
Laravel Web Security: What is Cross-Site Request Forgery (CSRF)?

In this Laravel tutorial we talk about web security and how to protect a web application from Cross-Site Request Forgery, or CSRF, attacks.

CSRF is a malicious act performed by an attacker who carries out actions on behalf of an authenticated user, compromising web security. Fortunately, Laravel provides tools to guard against this kind of vulnerability.

What is CSRF?

A CSRF attack hijacks user sessions. It does this by tricking the user into submitting a request through a hidden form tag or malicious URLs (images or links) without the user's knowledge.

This attack leads to a change in the user's session state, data leakage, and sometimes criminals can modify the end user's data in the application.

The figure above shows a scenario in which web security is breached. The victim sends a request by clicking on a (received) link, sending a request to the website server that produces the result desired by the attacker, who thereby obtains information useful for accessing and controlling the website server.

How to protect against CSRF requests

To improve the web security of your application, in each user session Laravel generates secure tokens which it uses to make sure that the authenticated user is the one making requests to the application.

Because this token changes every time the user's session is regenerated, an attacker cannot obtain it.

Whenever there is a request that changes user data on the server side (backend), such as POST, PUT, PATCH or DELETE, you must include the @csrf directive in the Blade HTML form that sends the request. The @csrf Blade directive is therefore used to generate a hidden token that the application validates.

A Blade directive is syntax used within Laravel's template engine, called Blade. To create a Blade file you give it a name, in our case form, followed by the .blade.php extension. This means the file is named form.blade.php.

The Blade file is used to render the user's view on the web page. There are several predefined directives, or Blade shorthand syntax, that you can use. For example, @if checks whether a condition is met, @empty checks whether a collection is empty, @auth checks whether the user is authenticated, and so on.

But let's get back to the @csrf directive. Here is how to use it:

<form method="POST" action="{{ route('pay') }}">
    @csrf
</form>

Previous Laravel versions had a different setup; both work and do the same thing:

<form method="POST" action="{{ route('pay') }}">
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
</form>

If the CSRF token is missing from the submitted form request or appears invalid, Laravel responds with a "Page Expired" message and a 419 status code.
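To show where the form above fits, here is an added example of the route pair behind it. It is not code from the article; it assumes a routes/web.php in which the POST route is named pay (matching route('pay') in the form) and a Blade view saved as resources/views/form.blade.php containing that form. Both routes sit in the web middleware group, so VerifyCsrfToken runs on the POST before the closure does.

```php
<?php
// routes/web.php (added illustration, not the article's own code).
// Route names and the view name "form" are assumptions for this example.

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Route;

// GET renders form.blade.php; @csrf embeds the current session's token
// as a hidden _token input, so a page served to the user carries a value
// a third-party site cannot read.
Route::get('/pay', fn () => view('form'))->name('pay.form');

// POST is only reached when _token (or the X-CSRF-TOKEN header) matched
// the session token. A request without a valid token is answered with
// 419 "Page Expired" by the middleware and never enters this closure.
Route::post('/pay', function (Request $request) {
    $data = $request->validate([
        'amount' => ['required', 'integer', 'min:1'],
    ]);

    // ... perform the payment for the authenticated user with $data['amount'] ...

    return back()->with('status', 'Payment of '.$data['amount'].' accepted');
})->name('pay');
```

Because the check is done by middleware rather than inside the handler, every state-changing route in the web group is covered without each controller having to remember to verify the token itself.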

How and where CSRF verification happens

The VerifyCsrfToken middleware handles CSRF verification within the Laravel application. The middleware is registered in Kernel.php and lives in the app/Http/Middleware directory. It is registered in the web middleware group, so it applies to web requests and not to API requests.

protected $middlewareGroups = [
    'web' => [
        // ...
        \App\Http\Middleware\VerifyCsrfToken::class,
    ],
];

The VerifyCsrfToken middleware extends the class Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, meaning the CSRF verification itself is defined in that class.

Let's dig deeper to see how Laravel handles CSRF verification.

Within the class, we have the tokensMatch function.

protected function tokensMatch($request)
{
    $token = $this->getTokenFromRequest($request);

    return is_string($request->session()->token()) &&
           is_string($token) &&
           hash_equals($request->session()->token(), $token);
}

This code decides whether the session token and the token supplied with the request match.

The function does two things:

1. Gets the token via $this->getTokenFromRequest from the incoming request, where it is attached through a hidden form field or a request header. The token is decrypted (when it comes from the X-XSRF-TOKEN header) and then assigned to the token variable.

protected function getTokenFromRequest($request)
{
    // Hidden form field first, then the X-CSRF-TOKEN header used by AJAX calls.
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    // Fallback: the X-XSRF-TOKEN header carries the encrypted cookie value,
    // which must be decrypted and stripped of its cookie prefix.
    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        try {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
        } catch (DecryptException $e) {
            $token = '';
        }
    }

    return $token;
}

This code obtains the token from the request input or headers.

2. Takes both the request token and the session token as strings and then uses PHP's built-in hash_equals to compare whether the two strings are equal. The result of this operation is always a bool (true or false).
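To see the two steps above in action without a running Laravel install, here is an added standalone simulation. It is not Laravel's code: FakeSession, FakeRequest, tokenFromRequest, tokensMatch and handle are names chosen for this example, the request objects are constructed inline, and the X-XSRF-TOKEN branch (which needs Laravel's encrypter) is left out. It shows why the is_string guards matter alongside hash_equals, and which requests end up with a 419.

```php
<?php
// Added illustration modelled on VerifyCsrfToken::tokensMatch() and
// getTokenFromRequest(); all class and function names are assumptions.
declare(strict_types=1);

final class FakeSession
{
    private string $token;

    public function __construct()
    {
        // Laravel stores a random per-session token; 20 random bytes, hex-encoded.
        $this->token = bin2hex(random_bytes(20));
    }

    public function token(): string
    {
        return $this->token;
    }
}

// A request reduced to what the check needs: method, form inputs, headers.
final class FakeRequest
{
    public function __construct(
        public readonly string $method,
        public readonly array $input = [],
        public readonly array $headers = [],
    ) {}
}

// Step 1: hidden _token field first, X-CSRF-TOKEN header second.
function tokenFromRequest(FakeRequest $request): mixed
{
    return $request->input['_token'] ?? ($request->headers['X-CSRF-TOKEN'] ?? null);
}

// Step 2: both values must be strings, then a constant-time comparison.
// The is_string guards stop a "_token[]=..." array input from reaching
// hash_equals, which only accepts strings.
function tokensMatch(FakeSession $session, FakeRequest $request): bool
{
    $token = tokenFromRequest($request);

    return is_string($session->token())
        && is_string($token)
        && hash_equals($session->token(), $token);
}

// Simplified middleware decision: read-only methods pass, state-changing
// methods need a matching token, everything else is 419 "Page Expired".
function handle(FakeSession $session, FakeRequest $request): int
{
    $readOnly = in_array($request->method, ['GET', 'HEAD', 'OPTIONS'], true);

    return ($readOnly || tokensMatch($session, $request)) ? 200 : 419;
}

// Constructed sample requests against one session.
$session = new FakeSession();
$good = $session->token();

$cases = [
    'form POST with hidden _token'        => new FakeRequest('POST', ['_token' => $good]),
    'AJAX POST with X-CSRF-TOKEN header'  => new FakeRequest('POST', [], ['X-CSRF-TOKEN' => $good]),
    'cross-site POST with no token'       => new FakeRequest('POST', ['amount' => '100']),
    'POST with a wrong token'             => new FakeRequest('POST', ['_token' => str_repeat('a', 40)]),
    '_token[] sent as an array'           => new FakeRequest('POST', ['_token' => [$good]]),
    'plain GET (never checked)'           => new FakeRequest('GET'),
];

foreach ($cases as $label => $request) {
    printf("%-36s -> %d\n", $label, handle($session, $request));
}
```

Run with php 8.1 or later. Only the first two POSTs and the GET return 200; the others are rejected with 419, which is the status the article describes for a missing or invalid token.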

Ercole Palmeri
