Linux server network security: protecting web interfaces against CSRF attacks
In recent years, with the spread and growth of the Internet, attention to network security has risen steadily. As an operating system built on open-source principles, Linux is widely used and recognized in the network security field. When operating Linux servers, protecting web interfaces against CSRF (Cross-Site Request Forgery) attacks is a critical task.
A CSRF attack is one in which malicious code planted on a trusted website is triggered when the victim visits that site, so that unauthorized operations are carried out without the victim's knowledge. The attack exploits design flaws in the web application: by forging requests that look legitimate, it executes malicious operations that can lead to leakage of user information, account hijacking, or even more serious consequences.
To protect web interfaces on Linux servers against CSRF attacks, several effective defensive measures are introduced below.
Use CSRF tokens properly
CSRF tokens are a primary means of defending against CSRF attacks. When the server sends a form page to the browser, it generates and embeds a unique CSRF token. When the browser submits the form data, the server verifies that the token is valid. If the request does not carry a valid CSRF token, the server rejects the request.
Validate the Referer field in the HTTP request header
The Referer field is part of the HTTP request header and indicates where the request came from. Validating the Referer field on the server side can prevent cross-site request forgery: only requests originating from the same site are accepted, and requests from unauthorized sites are rejected.
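As an added illustration of the token and Referer checks described above (example code, not from the article), here is a minimal server-side implementation in Python. The HMAC binding of the token to the session id, the signing key, the header and form field names, and the site origin https://app.example.com are assumptions of this example.

```python
import hashlib
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed values for this example: a per-process signing key and the site's own origin.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://app.example.com"


def _mac(session_id: str, nonce: str) -> str:
    # Bind the token to the session so a token issued to one user is useless in another's session.
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str) -> str:
    """The unique token the server embeds in the form: random nonce + HMAC over session and nonce."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce)}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time; missing or malformed tokens fail."""
    if not token or token.count(".") != 1:
        return False
    nonce, mac = token.split(".")
    return hmac.compare_digest(mac, _mac(session_id, nonce))


def referer_is_same_site(headers: dict) -> bool:
    """Accept only if the Referer names this site's origin (scheme + host + port).
    An absent Referer cannot prove same-site origin, so it is rejected too."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def handle_form_post(session_id: str, headers: dict, form: dict):
    """Server-side handling of a state-changing form submission: both checks must pass."""
    if not referer_is_same_site(headers):
        return 403, "cross-site request rejected"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"
```

Because the Referer is compared as a full origin, a lookalike host such as app.example.com.attacker.example does not match, and a form post that omits the token or reuses another session's token is refused before any state changes.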
Restrict cookie scope and access
On a Linux server, the damage a CSRF attack can do is reduced by restricting the scope and access permissions of cookies. Limiting cookies to a specific domain and marking them to be transmitted only over secure HTTPS connections effectively lowers the probability that a hijacked cookie can be used in an attack.
Implement a secure CORS policy
CORS (Cross-Origin Resource Sharing) is a browser mechanism that restricts the permissions of cross-origin requests. By adding an appropriate CORS policy to the server's response headers, only requests from specific, permitted origins are allowed through, which reduces the exposure to CSRF attacks.
ʵʱ¸üкÍÐÞ²¹ÏµÍ³ÓëÓ¦ÓóÌÐò
LinuxЧÀÍÆ÷µÄÇå¾²ÐÔÓëÆä²Ù×÷ϵͳºÍÓ¦ÓóÌÐòµÄ°æ±¾Ç×½üÏà¹Ø¡£°´ÆÚ¸üÐÂϵͳºÍÓ¦ÓóÌÐò£¬²¢ÊµÊ±ÐÞ²¹ÒÑÖªµÄÎó²î¿ÉÒÔ×îºéÁ÷ƽµØïÔ̱»CSRF¹¥»÷µÄΣº¦¡£
In summary, to protect web interfaces on Linux servers against CSRF attacks, the critical protective measures are: using CSRF tokens properly, validating the Referer field, restricting cookie scope and access, implementing a secure CORS policy, and keeping the system and applications updated and patched.
Network security is a perennial topic. With new threats and attack techniques constantly emerging, protecting a server's web interfaces against CSRF attacks is a problem that network administrators must take seriously and address. Adopting practical, effective defensive measures better safeguards both the system and its users.