17錛巙buntu 闃茬伀澧?/a>
16錛巙buntu 寮€鍚?ssh 鏈嶅姟
15錛巙buntu jdk 瀹夎涓庨厤緗?/a>
14錛巙buntu tomcat 瀹夎涓庨厤緗?/a>
13錛巙buntu mysql 瀹夎
12錛巙buntu root 鍜?user 鐢ㄦ埛鍒囨崲
11錛巐inux more 鍛戒護
10錛巐inux tar 鍛戒護
09錛巐inux chmod 鍛戒護
08錛巐inux touch 鍛戒護
07錛巐inux cat 鍛戒護
06錛巐inux mv 鍛戒護
05錛巐inux rm 鍛戒護
04錛巐inux cp 鍛戒護
03錛巐inux mkdir 鍛戒護
02錛巐inux cd 鍛戒護
01錛巐inux ls 鍛戒護
]]>
]]>
package com.qiyi.appstore.util;
import java.lang.reflect.Field;
import java.lang.reflect.InvocationTargetException;
import org.apache.commons.beanutils.BeanUtils;
import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.qiyi.appstore.exception.AppStoreException;
import com.qiyi.cloud.user.ApiCode;
public class XssUtils {
private static final Logger logger=LoggerFactory.getLogger(XssUtils.class);
public static String getSafeStringXSS(String s){
if (StringUtils.isBlank(s)) {
return s;
}
StringBuilder sb = new StringBuilder(s.length() + 16);
for (int i = 0; i < s.length(); i++) {
char c = s.charAt(i);
switch (c) {
case '<':
sb.append("<");
break;
case '>':
sb.append(">");
break;
case '\'':
sb.append("′");// ´");
break;
case '′':
sb.append("′");// ´");
break;
case '\"':
sb.append(""");
break;
case '錛?:
sb.append(""");
break;
case '&':
sb.append("錛?);
break;
case '#':
sb.append("錛?);
break;
case '\\':
sb.append('錕?);
break;
case '=':
sb.append("=");
break;
default:
sb.append(c);
break;
}
}
return sb.toString();
}
public static <T> void getXssSaftBean(Class<?> clz,T bean) throws IllegalAccessException, InvocationTargetException, NoSuchMethodException{
String classname = clz.getSimpleName();
logger.info("map target class name is {} .",classname);
Field[] fields = clz.getDeclaredFields();
for(Field field : fields){
Class<?> type = field.getType();
if(type.equals(String.class)){
String fieldname = field.getName();
String value = BeanUtils.getProperty(bean, fieldname);
if(StringUtils.isNotBlank(value)){
BeanUtils.setProperty(bean, fieldname, getSafeStringXSS(value));
}
}
}
}
}
]]>
浣跨敤apr綾誨簱 鍙互璁﹖omcat鐨勬€ц兘鎻愬崌鍒?鍒?鍊?
鐩墠欏圭洰涓兘浣跨敤榪欐牱鐨勯厤緗?br />
<Connector port="8080" protocol="org.apache.coyote.http11.Http11AprProtocol" URIEncoding="UTF-8"
enableLookups="false"
acceptCount="300"
connectionTimeout="20000"
disableUploadTimeout="true" maxThreads="1000" maxSpareThreads="50" minSpareThreads="25"
redirectPort="8443" />
catalia.sh
catalia.sh
CATALINA_OPTS="$CATALINA_OPTS -Djava.library.path=/usr/local/apr/lib"
]]>
]]>
CSRF錛圕ross Site Request Forgery, 璺ㄧ珯鍩熻姹備吉閫狅級鏄竴縐嶇綉緇滅殑鏀誨嚮鏂瑰紡錛屽畠鍦?2007 騫存浘琚垪涓轟簰鑱旂綉 20 澶у畨鍏ㄩ殣鎮d箣涓€銆傚叾浠栧畨鍏ㄩ殣鎮o紝姣斿 SQL 鑴氭湰娉ㄥ叆錛岃法绔欏煙鑴氭湰鏀誨嚮絳夊湪榪戝勾鏉ュ凡緇忛€愭笎涓轟紬浜虹啛鐭ワ紝寰堝緗戠珯涔熼兘閽堝浠栦滑榪涜浜嗛槻寰°€傜劧鑰岋紝瀵逛簬澶у鏁頒漢鏉ヨ錛孋SRF 鍗翠緷鐒舵槸涓€涓檶鐢熺殑姒傚康銆傚嵆渚挎槸澶у悕榧庨紟鐨?Gmail, 鍦?2007 騫村簳涔熷瓨鍦ㄧ潃 CSRF 婕忔礊錛屼粠鑰岃榛戝鏀誨嚮鑰屼嬌 Gmail 鐨勭敤鎴烽€犳垚宸ㄥぇ鐨勬崯澶便€?/p>
CSRF 鏀誨嚮瀹炰緥
CSRF 鏀誨嚮鍙互鍦ㄥ彈瀹寵€呮涓嶇煡鎯呯殑鎯呭喌涓嬩互鍙楀鑰呭悕涔変吉閫犺姹傚彂閫佺粰鍙楁敾鍑葷珯鐐癸紝浠庤€屽湪騫舵湭鎺堟潈鐨勬儏鍐典笅鎵ц鍦ㄦ潈闄愪繚鎶や箣涓嬬殑鎿嶄綔銆傛瘮濡傝錛屽彈瀹寵€?Bob 鍦ㄩ摱琛屾湁涓€絎斿瓨嬈撅紝閫氳繃瀵歸摱琛岀殑緗戠珯鍙戦€佽姹?http://bank.example/withdraw?account=bob&amount=1000000&for=bob2 鍙互浣?Bob 鎶?1000000 鐨勫瓨嬈捐漿鍒?bob2 鐨勮處鍙蜂笅銆傞€氬父鎯呭喌涓嬶紝璇ヨ姹傚彂閫佸埌緗戠珯鍚庯紝鏈嶅姟鍣ㄤ細鍏堥獙璇佽璇鋒眰鏄惁鏉ヨ嚜涓€涓悎娉曠殑 session錛屽茍涓旇 session 鐨勭敤鎴?Bob 宸茬粡鎴愬姛鐧婚檰銆傞粦瀹?Mallory 鑷繁鍦ㄨ閾惰涔熸湁璐︽埛錛屼粬鐭ラ亾涓婃枃涓殑 URL 鍙互鎶婇挶榪涜杞笎鎿嶄綔銆侻allory 鍙互鑷繁鍙戦€佷竴涓姹傜粰閾惰錛歨ttp://bank.example/withdraw?account=bob&amount=1000000&for=Mallory銆備絾鏄繖涓姹傛潵鑷?Mallory 鑰岄潪 Bob錛屼粬涓嶈兘閫氳繃瀹夊叏璁よ瘉錛屽洜姝よ璇鋒眰涓嶄細璧蜂綔鐢ㄣ€傝繖鏃訛紝Mallory 鎯沖埌浣跨敤 CSRF 鐨勬敾鍑繪柟寮忥紝浠栧厛鑷繁鍋氫竴涓綉绔欙紝鍦ㄧ綉绔欎腑鏀懼叆濡備笅浠g爜錛?src=”http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory ”錛屽茍涓旈€氳繃騫垮憡絳夎浣?Bob 鏉ヨ闂粬鐨勭綉绔欍€傚綋 Bob 璁塊棶璇ョ綉绔欐椂錛屼笂榪?url 灝變細浠?Bob 鐨勬祻瑙堝櫒鍙戝悜閾惰錛岃€岃繖涓姹備細闄勫甫 Bob 嫻忚鍣ㄤ腑鐨?cookie 涓€璧峰彂鍚戦摱琛屾湇鍔″櫒銆傚ぇ澶氭暟鎯呭喌涓嬶紝璇ヨ姹備細澶辮觸錛屽洜涓轟粬瑕佹眰 Bob 鐨勮璇佷俊鎭€備絾鏄紝濡傛灉 Bob 褰撴椂鎭板閥鍒氳闂粬鐨勯摱琛屽悗涓嶄箙錛屼粬鐨勬祻瑙堝櫒涓庨摱琛岀綉绔欎箣闂寸殑 session 灝氭湭榪囨湡錛屾祻瑙堝櫒鐨?cookie 涔嬩腑鍚湁 Bob 鐨勮璇佷俊鎭€傝繖鏃訛紝鎮插墽鍙戠敓浜嗭紝榪欎釜 url 璇鋒眰灝變細寰楀埌鍝嶅簲錛岄挶灝嗕粠 Bob 鐨勮處鍙瘋漿縐誨埌 Mallory 鐨勮處鍙鳳紝鑰?Bob 褰撴椂姣笉鐭ユ儏銆傜瓑浠ュ悗 Bob 鍙戠幇璐︽埛閽卞皯浜嗭紝鍗充嬌浠栧幓閾惰鏌ヨ鏃ュ織錛屼粬涔熷彧鑳藉彂鐜扮‘瀹炴湁涓€涓潵鑷簬浠栨湰浜虹殑鍚堟硶璇鋒眰杞Щ浜嗚祫閲戯紝娌℃湁浠諱綍琚敾鍑葷殑鐥曡抗銆傝€?Mallory 鍒欏彲浠ユ嬁鍒伴挶鍚庨€嶉仴娉曞銆?/p>
CSRF 鏀誨嚮鐨勫璞?/strong>
鍦ㄨ璁哄浣曟姷寰?CSRF 涔嬪墠錛屽厛瑕佹槑紜?CSRF 鏀誨嚮鐨勫璞★紝涔熷氨鏄淇濇姢鐨勫璞°€備粠浠ヤ笂鐨勪緥瀛愬彲鐭ワ紝CSRF 鏀誨嚮鏄粦瀹㈠€熷姪鍙楀鑰呯殑 cookie 楠楀彇鏈嶅姟鍣ㄧ殑淇′換錛屼絾鏄粦瀹㈠茍涓嶈兘鎷垮埌 cookie錛屼篃鐪嬩笉鍒?cookie 鐨勫唴瀹廣€傚彟澶栵紝瀵逛簬鏈嶅姟鍣ㄨ繑鍥炵殑緇撴灉錛岀敱浜庢祻瑙堝櫒鍚屾簮絳栫暐鐨勯檺鍒訛紝榛戝涔熸棤娉曡繘琛岃В鏋愩€傚洜姝わ紝榛戝鏃犳硶浠庤繑鍥炵殑緇撴灉涓緱鍒頒換浣曚笢瑗匡紝浠栨墍鑳藉仛鐨勫氨鏄粰鏈嶅姟鍣ㄥ彂閫佽姹傦紝浠ユ墽琛岃姹備腑鎵€鎻忚堪鐨勫懡浠わ紝鍦ㄦ湇鍔″櫒绔洿鎺ユ敼鍙樻暟鎹殑鍊鹼紝鑰岄潪紿冨彇鏈嶅姟鍣ㄤ腑鐨勬暟鎹€傛墍浠ワ紝鎴戜滑瑕佷繚鎶ょ殑瀵硅薄鏄偅浜涘彲浠ョ洿鎺ヤ駭鐢熸暟鎹敼鍙樼殑鏈嶅姟錛岃€屽浜庤鍙栨暟鎹殑鏈嶅姟錛屽垯涓嶉渶瑕佽繘琛?CSRF 鐨勪繚鎶ゃ€傛瘮濡傞摱琛岀郴緇熶腑杞處鐨勮姹備細鐩存帴鏀瑰彉璐︽埛鐨勯噾棰濓紝浼氶伃鍒?CSRF 鏀誨嚮錛岄渶瑕佷繚鎶ゃ€傝€屾煡璇綑棰濇槸瀵歸噾棰濈殑璇誨彇鎿嶄綔錛屼笉浼氭敼鍙樻暟鎹紝CSRF 鏀誨嚮鏃犳硶瑙f瀽鏈嶅姟鍣ㄨ繑鍥炵殑緇撴灉錛屾棤闇€淇濇姢銆?/p>
褰撳墠闃插盡 CSRF 鐨勫嚑縐嶇瓥鐣?/strong>
鍦ㄤ笟鐣岀洰鍓嶉槻寰?CSRF 鏀誨嚮涓昏鏈変笁縐嶇瓥鐣ワ細楠岃瘉 HTTP Referer 瀛楁錛涘湪璇鋒眰鍦板潃涓坊鍔?token 騫墮獙璇侊紱鍦?HTTP 澶翠腑鑷畾涔夊睘鎬у茍楠岃瘉銆備笅闈㈠氨鍒嗗埆瀵硅繖涓夌絳栫暐榪涜璇︾粏浠嬬粛銆?/p>
楠岃瘉 HTTP Referer 瀛楁
鏍規嵁 HTTP 鍗忚錛屽湪 HTTP 澶翠腑鏈変竴涓瓧孌靛彨 Referer錛屽畠璁板綍浜嗚 HTTP 璇鋒眰鐨勬潵婧愬湴鍧€銆傚湪閫氬父鎯呭喌涓嬶紝璁塊棶涓€涓畨鍏ㄥ彈闄愰〉闈㈢殑璇鋒眰鏉ヨ嚜浜庡悓涓€涓綉绔欙紝姣斿闇€瑕佽闂?http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory錛岀敤鎴峰繀欏誨厛鐧婚檰 bank.example錛岀劧鍚庨€氳繃鐐瑰嚮欏甸潰涓婄殑鎸夐挳鏉ヨЕ鍙戣漿璐︿簨浠躲€傝繖鏃訛紝璇ヨ漿甯愯姹傜殑 Referer 鍊煎氨浼氭槸杞處鎸夐挳鎵€鍦ㄧ殑欏甸潰鐨?URL錛岄€氬父鏄互 bank.example 鍩熷悕寮€澶寸殑鍦板潃銆傝€屽鏋滈粦瀹㈣瀵歸摱琛岀綉绔欏疄鏂?CSRF 鏀誨嚮錛屼粬鍙兘鍦ㄤ粬鑷繁鐨勭綉绔欐瀯閫犺姹傦紝褰撶敤鎴烽€氳繃榛戝鐨勭綉绔欏彂閫佽姹傚埌閾惰鏃訛紝璇ヨ姹傜殑 Referer 鏄寚鍚戦粦瀹㈣嚜宸辯殑緗戠珯銆傚洜姝わ紝瑕侀槻寰?CSRF 鏀誨嚮錛岄摱琛岀綉绔欏彧闇€瑕佸浜庢瘡涓€涓漿璐﹁姹傞獙璇佸叾 Referer 鍊鹼紝濡傛灉鏄互 bank.example 寮€澶寸殑鍩熷悕錛屽垯璇存槑璇ヨ姹傛槸鏉ヨ嚜閾惰緗戠珯鑷繁鐨勮姹傦紝鏄悎娉曠殑銆傚鏋?Referer 鏄叾浠栫綉绔欑殑璇濓紝鍒欐湁鍙兘鏄粦瀹㈢殑 CSRF 鏀誨嚮錛屾嫆緇濊璇鋒眰銆?/p>
榪欑鏂規硶鐨勬樉鑰屾槗瑙佺殑濂藉灝辨槸綆€鍗曟槗琛岋紝緗戠珯鐨勬櫘閫氬紑鍙戜漢鍛樹笉闇€瑕佹搷蹇?CSRF 鐨勬紡媧烇紝鍙渶瑕佸湪鏈€鍚庣粰鎵€鏈夊畨鍏ㄦ晱鎰熺殑璇鋒眰緇熶竴澧炲姞涓€涓嫤鎴櫒鏉ユ鏌?Referer 鐨勫€煎氨鍙互銆傜壒鍒槸瀵逛簬褰撳墠鐜版湁鐨勭郴緇燂紝涓嶉渶瑕佹敼鍙樺綋鍓嶇郴緇熺殑浠諱綍宸叉湁浠g爜鍜岄€昏緫錛屾病鏈夐闄╋紝闈炲父渚挎嵎銆?/p>
鐒惰€岋紝榪欑鏂規硶騫墮潪涓囨棤涓€澶便€俁eferer 鐨勫€兼槸鐢辨祻瑙堝櫒鎻愪緵鐨勶紝铏界劧 HTTP 鍗忚涓婃湁鏄庣‘鐨勮姹傦紝浣嗘槸姣忎釜嫻忚鍣ㄥ浜?Referer 鐨勫叿浣撳疄鐜板彲鑳芥湁宸埆錛屽茍涓嶈兘淇濊瘉嫻忚鍣ㄨ嚜韜病鏈夊畨鍏ㄦ紡媧炪€備嬌鐢ㄩ獙璇?Referer 鍊肩殑鏂規硶錛屽氨鏄妸瀹夊叏鎬ч兘渚濊禆浜庣涓夋柟錛堝嵆嫻忚鍣級鏉ヤ繚闅滐紝浠庣悊璁轟笂鏉ヨ錛岃繖鏍峰茍涓嶅畨鍏ㄣ€備簨瀹炰笂錛屽浜庢煇浜涙祻瑙堝櫒錛屾瘮濡?IE6 鎴?FF2錛岀洰鍓嶅凡緇忔湁涓€浜涙柟娉曞彲浠ョ鏀?Referer 鍊箋€傚鏋?bank.example 緗戠珯鏀寔 IE6 嫻忚鍣紝榛戝瀹屽叏鍙互鎶婄敤鎴鋒祻瑙堝櫒鐨?Referer 鍊艱涓轟互 bank.example 鍩熷悕寮€澶寸殑鍦板潃錛岃繖鏍峰氨鍙互閫氳繃楠岃瘉錛屼粠鑰岃繘琛?CSRF 鏀誨嚮銆?/p>
鍗充究鏄嬌鐢ㄦ渶鏂扮殑嫻忚鍣紝榛戝鏃犳硶綃℃敼 Referer 鍊鹼紝榪欑鏂規硶浠嶇劧鏈夐棶棰樸€傚洜涓?Referer 鍊間細璁板綍涓嬬敤鎴風殑璁塊棶鏉ユ簮錛屾湁浜涚敤鎴瘋涓鴻繖鏍蜂細渚電姱鍒頒粬浠嚜宸辯殑闅愮鏉冿紝鐗瑰埆鏄湁浜涚粍緇囨媴蹇?Referer 鍊間細鎶婄粍緇囧唴緗戜腑鐨勬煇浜涗俊鎭硠闇插埌澶栫綉涓€傚洜姝わ紝鐢ㄦ埛鑷繁鍙互璁劇疆嫻忚鍣ㄤ嬌鍏跺湪鍙戦€佽姹傛椂涓嶅啀鎻愪緵 Referer銆傚綋浠栦滑姝e父璁塊棶閾惰緗戠珯鏃訛紝緗戠珯浼氬洜涓鴻姹傛病鏈?Referer 鍊艱€岃涓烘槸 CSRF 鏀誨嚮錛屾嫆緇濆悎娉曠敤鎴風殑璁塊棶銆?/p>
鍦ㄨ姹傚湴鍧€涓坊鍔?token 騫墮獙璇?/strong>
CSRF 鏀誨嚮涔嬫墍浠ヨ兘澶熸垚鍔燂紝鏄洜涓洪粦瀹㈠彲浠ュ畬鍏ㄤ吉閫犵敤鎴風殑璇鋒眰錛岃璇鋒眰涓墍鏈夌殑鐢ㄦ埛楠岃瘉淇℃伅閮芥槸瀛樺湪浜?cookie 涓紝鍥犳榛戝鍙互鍦ㄤ笉鐭ラ亾榪欎簺楠岃瘉淇℃伅鐨勬儏鍐典笅鐩存帴鍒╃敤鐢ㄦ埛鑷繁鐨?cookie 鏉ラ€氳繃瀹夊叏楠岃瘉銆傝鎶靛盡 CSRF錛屽叧閿湪浜庡湪璇鋒眰涓斁鍏ラ粦瀹㈡墍涓嶈兘浼€犵殑淇℃伅錛屽茍涓旇淇℃伅涓嶅瓨鍦ㄤ簬 cookie 涔嬩腑銆傚彲浠ュ湪 HTTP 璇鋒眰涓互鍙傛暟鐨勫艦寮忓姞鍏ヤ竴涓殢鏈轟駭鐢熺殑 token錛屽茍鍦ㄦ湇鍔″櫒绔緩绔嬩竴涓嫤鎴櫒鏉ラ獙璇佽繖涓?token錛屽鏋滆姹備腑娌℃湁 token 鎴栬€?token 鍐呭涓嶆紜紝鍒欒涓哄彲鑳芥槸 CSRF 鏀誨嚮鑰屾嫆緇濊璇鋒眰銆?/p>
榪欑鏂規硶瑕佹瘮媯€鏌?Referer 瑕佸畨鍏ㄤ竴浜涳紝token 鍙互鍦ㄧ敤鎴風櫥闄嗗悗浜х敓騫舵斁浜?session 涔嬩腑錛岀劧鍚庡湪姣忔璇鋒眰鏃舵妸 token 浠?session 涓嬁鍑猴紝涓庤姹備腑鐨?token 榪涜姣斿錛屼絾榪欑鏂規硶鐨勯毦鐐瑰湪浜庡浣曟妸 token 浠ュ弬鏁扮殑褰㈠紡鍔犲叆璇鋒眰銆傚浜?GET 璇鋒眰錛宼oken 灝嗛檮鍦ㄨ姹傚湴鍧€涔嬪悗錛岃繖鏍?URL 灝卞彉鎴?http://url?csrftoken=tokenvalue銆?鑰屽浜?POST 璇鋒眰鏉ヨ錛岃鍦?form 鐨勬渶鍚庡姞涓?<input type=”hidden” name=”csrftoken” value=”tokenvalue”/>錛岃繖鏍峰氨鎶?token 浠ュ弬鏁扮殑褰㈠紡鍔犲叆璇鋒眰浜嗐€備絾鏄紝鍦ㄤ竴涓綉绔欎腑錛屽彲浠ユ帴鍙楄姹傜殑鍦版柟闈炲父澶氾紝瑕佸浜庢瘡涓€涓姹傞兘鍔犱笂 token 鏄緢楹葷儲鐨勶紝騫朵笖寰堝鏄撴紡鎺夛紝閫氬父浣跨敤鐨勬柟娉曞氨鏄湪姣忔欏甸潰鍔犺澆鏃訛紝浣跨敤 javascript 閬嶅巻鏁翠釜 dom 鏍戯紝瀵逛簬 dom 涓墍鏈夌殑 a 鍜?form 鏍囩鍚庡姞鍏?token銆傝繖鏍峰彲浠ヨВ鍐沖ぇ閮ㄥ垎鐨勮姹傦紝浣嗘槸瀵逛簬鍦ㄩ〉闈㈠姞杞戒箣鍚庡姩鎬佺敓鎴愮殑 html 浠g爜錛岃繖縐嶆柟娉曞氨娌℃湁浣滅敤錛岃繕闇€瑕佺▼搴忓憳鍦ㄧ紪鐮佹椂鎵嬪姩娣誨姞 token銆?/p>
璇ユ柟娉曡繕鏈変竴涓己鐐規槸闅句互淇濊瘉 token 鏈韓鐨勫畨鍏ㄣ€傜壒鍒槸鍦ㄤ竴浜涜鍧涗箣綾繪敮鎸佺敤鎴瘋嚜宸卞彂琛ㄥ唴瀹圭殑緗戠珯錛岄粦瀹㈠彲浠ュ湪涓婇潰鍙戝竷鑷繁涓漢緗戠珯鐨勫湴鍧€銆傜敱浜庣郴緇熶篃浼氬湪榪欎釜鍦板潃鍚庨潰鍔犱笂 token錛岄粦瀹㈠彲浠ュ湪鑷繁鐨勭綉绔欎笂寰楀埌榪欎釜 token錛屽茍椹笂灝卞彲浠ュ彂鍔?CSRF 鏀誨嚮銆備負浜嗛伩鍏嶈繖涓€鐐癸紝緋葷粺鍙互鍦ㄦ坊鍔?token 鐨勬椂鍊欏鍔犱竴涓垽鏂紝濡傛灉榪欎釜閾炬帴鏄摼鍒拌嚜宸辨湰绔欑殑錛屽氨鍦ㄥ悗闈㈡坊鍔?token錛屽鏋滄槸閫氬悜澶栫綉鍒欎笉鍔犮€備笉榪囷紝鍗充嬌榪欎釜 csrftoken 涓嶄互鍙傛暟鐨勫艦寮忛檮鍔犲湪璇鋒眰涔嬩腑錛岄粦瀹㈢殑緗戠珯涔熷悓鏍峰彲浠ラ€氳繃 Referer 鏉ュ緱鍒拌繖涓?token 鍊間互鍙戝姩 CSRF 鏀誨嚮銆傝繖涔熸槸涓€浜涚敤鎴峰枩嬈㈡墜鍔ㄥ叧闂祻瑙堝櫒 Referer 鍔熻兘鐨勫師鍥犮€?/p>
鍦?HTTP 澶翠腑鑷畾涔夊睘鎬у茍楠岃瘉
榪欑鏂規硶涔熸槸浣跨敤 token 騫惰繘琛岄獙璇侊紝鍜屼笂涓€縐嶆柟娉曚笉鍚岀殑鏄紝榪欓噷騫朵笉鏄妸 token 浠ュ弬鏁扮殑褰㈠紡緗簬 HTTP 璇鋒眰涔嬩腑錛岃€屾槸鎶婂畠鏀懼埌 HTTP 澶翠腑鑷畾涔夌殑灞炴€ч噷銆傞€氳繃 XMLHttpRequest 榪欎釜綾伙紝鍙互涓€嬈℃€х粰鎵€鏈夎綾昏姹傚姞涓?csrftoken 榪欎釜 HTTP 澶村睘鎬э紝騫舵妸 token 鍊兼斁鍏ュ叾涓€傝繖鏍瘋В鍐充簡涓婄鏂規硶鍦ㄨ姹備腑鍔犲叆 token 鐨勪笉渚匡紝鍚屾椂錛岄€氳繃 XMLHttpRequest 璇鋒眰鐨勫湴鍧€涓嶄細琚褰曞埌嫻忚鍣ㄧ殑鍦板潃鏍忥紝涔熶笉鐢ㄦ媴蹇?token 浼氶€忚繃 Referer 娉勯湶鍒板叾浠栫綉绔欎腑鍘匯€?/p>
鐒惰€岃繖縐嶆柟娉曠殑灞€闄愭€ч潪甯稿ぇ銆俋MLHttpRequest 璇鋒眰閫氬父鐢ㄤ簬 Ajax 鏂規硶涓浜庨〉闈㈠眬閮ㄧ殑寮傛鍒鋒柊錛屽茍闈炴墍鏈夌殑璇鋒眰閮介€傚悎鐢ㄨ繖涓被鏉ュ彂璧鳳紝鑰屼笖閫氳繃璇ョ被璇鋒眰寰楀埌鐨勯〉闈笉鑳借嫻忚鍣ㄦ墍璁板綍涓嬶紝浠庤€岃繘琛屽墠榪涳紝鍚庨€€錛屽埛鏂幫紝鏀惰棌絳夋搷浣滐紝緇欑敤鎴峰甫鏉ヤ笉渚褲€傚彟澶栵紝瀵逛簬娌℃湁榪涜 CSRF 闃叉姢鐨勯仐鐣欑郴緇熸潵璇達紝瑕侀噰鐢ㄨ繖縐嶆柟娉曟潵榪涜闃叉姢錛岃鎶婃墍鏈夎姹傞兘鏀逛負 XMLHttpRequest 璇鋒眰錛岃繖鏍峰嚑涔庢槸瑕侀噸鍐欐暣涓綉绔欙紝榪欎唬浠鋒棤鐤戞槸涓嶈兘鎺ュ彈鐨勩€?/p>
Java 浠g爜紺轟緥
涓嬫枃灝嗕互 Java 涓轟緥錛屽涓婅堪涓夌鏂規硶鍒嗗埆鐢ㄤ唬鐮佽繘琛岀ず渚嬨€傛棤璁轟嬌鐢ㄤ綍縐嶆柟娉曪紝鍦ㄦ湇鍔″櫒绔殑鎷︽埅鍣ㄥ繀涓嶅彲灝戯紝瀹冨皢璐熻矗媯€鏌ュ埌鏉ョ殑璇鋒眰鏄惁絎﹀悎瑕佹眰錛岀劧鍚庤緇撴灉鑰屽喅瀹氭槸鍚︾戶緇姹傛垨鑰呬涪寮冦€傚湪 Java 涓紝鎷︽埅鍣ㄦ槸鐢?Filter 鏉ュ疄鐜扮殑銆傛垜浠彲浠ョ紪鍐欎竴涓?Filter錛屽茍鍦?web.xml 涓鍏惰繘琛岄厤緗紝浣垮叾瀵逛簬璁塊棶鎵€鏈夐渶瑕?CSRF 淇濇姢鐨勮祫婧愮殑璇鋒眰榪涜鎷︽埅銆?/p>
鍦?filter 涓璇鋒眰鐨?Referer 楠岃瘉浠g爜濡備笅
娓呭崟 1. 鍦?Filter 涓獙璇?Referer
|
1
2
3
4
5
6
7
8 |
// 浠?HTTP 澶翠腑鍙栧緱 Referer 鍊? String referer=request.getHeader("Referer"); // 鍒ゆ柇 Referer 鏄惁浠?bank.example 寮€澶? if((referer!=null) &&(referer.trim().startsWith(“bank.example”))){ chain.doFilter(request, response); }else{ request.getRequestDispatcher(“error.jsp”).forward(request,response); } |
浠ヤ笂浠g爜鍏堝彇寰?Referer 鍊鹼紝鐒跺悗榪涜鍒ゆ柇錛屽綋鍏墮潪絀哄茍浠?bank.example 寮€澶存椂錛屽垯緇х畫璇鋒眰錛屽惁鍒欑殑璇濆彲鑳芥槸 CSRF 鏀誨嚮錛岃漿鍒?error.jsp 欏甸潰銆?/p>
濡傛灉瑕佽繘涓€姝ラ獙璇佽姹備腑鐨?token 鍊鹼紝浠g爜濡備笅
|
1 |
<em><strong>娓呭崟 2. 鍦?filter 涓獙璇佽姹備腑鐨?lt;/strong></em> token |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26 |
HttpServletRequest req = (HttpServletRequest)request; HttpSession s = req.getSession(); // 浠?session 涓緱鍒?csrftoken 灞炴€? String sToken = (String)s.getAttribute(“csrftoken”); if(sToken == null){ // 浜х敓鏂扮殑 token 鏀懼叆 session 涓? sToken = generateToken(); s.setAttribute(“csrftoken”,sToken); chain.doFilter(request, response); } else{ // 浠?HTTP 澶翠腑鍙栧緱 csrftoken String xhrToken = req.getHeader(“csrftoken”); // 浠庤姹傚弬鏁頒腑鍙栧緱 csrftoken String pToken = req.getParameter(“csrftoken”); if(sToken != null && xhrToken != null && sToken.equals(xhrToken)){ chain.doFilter(request, response); }else if(sToken != null && pToken != null && sToken.equals(pToken)){ chain.doFilter(request, response); }else{ request.getRequestDispatcher(“error.jsp”).forward(request,response); } } |
棣栧厛鍒ゆ柇 session 涓湁娌℃湁 csrftoken錛屽鏋滄病鏈夛紝鍒欒涓烘槸絎竴嬈¤闂紝session 鏄柊寤虹珛鐨勶紝榪欐椂鐢熸垚涓€涓柊鐨?token錛屾斁浜?session 涔嬩腑錛屽茍緇х畫鎵ц璇鋒眰銆傚鏋?session 涓凡緇忔湁 csrftoken錛屽垯璇存槑鐢ㄦ埛宸茬粡涓庢湇鍔″櫒涔嬮棿寤虹珛浜嗕竴涓椿璺冪殑 session錛岃繖鏃惰鐪嬭繖涓姹備腑鏈夋病鏈夊悓鏃墮檮甯﹁繖涓?token錛岀敱浜庤姹傚彲鑳芥潵鑷簬甯歌鐨勮闂垨鏄?XMLHttpRequest 寮傛璁塊棶錛屾垜浠垎鍒皾璇曚粠璇鋒眰涓幏鍙?csrftoken 鍙傛暟浠ュ強浠?HTTP 澶翠腑鑾峰彇 csrftoken 鑷畾涔夊睘鎬у茍涓?session 涓殑鍊艱繘琛屾瘮杈冿紝鍙鏈変竴涓湴鏂瑰甫鏈夋湁鏁?token錛屽氨鍒ゅ畾璇鋒眰鍚堟硶錛屽彲浠ョ戶緇墽琛岋紝鍚﹀垯灝辮漿鍒伴敊璇〉闈€€傜敓鎴?token 鏈夊緢澶氱鏂規硶錛屼換浣曠殑闅忔満綆楁硶閮藉彲浠ヤ嬌鐢紝Java 鐨?UUID 綾諱篃鏄竴涓笉閿欑殑閫夋嫨銆?/p>
闄や簡鍦ㄦ湇鍔″櫒绔埄鐢?filter 鏉ラ獙璇?token 鐨勫€間互澶栵紝鎴戜滑榪橀渶瑕佸湪瀹㈡埛绔粰姣忎釜璇鋒眰闄勫姞涓婅繖涓?token錛岃繖鏄埄鐢?js 鏉ョ粰 html 涓殑閾炬帴鍜岃〃鍗曡姹傚湴鍧€闄勫姞 csrftoken 浠g爜錛屽叾涓凡瀹氫箟 token 涓哄叏灞€鍙橀噺錛屽叾鍊煎彲浠ヤ粠 session 涓緱鍒般€?/p>
|
1 |
<em><strong>娓呭崟 3. 鍦ㄥ鎴風瀵逛簬璇鋒眰闄勫姞</strong> </em>token |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62 |
function appendToken(){ updateForms(); updateTags(); } function updateForms() { // 寰楀埌欏甸潰涓墍鏈夌殑 form 鍏冪礌 var forms = document.getElementsByTagName('form'); for(i=0; i<forms.length; i++) { var url = forms[i].action; // 濡傛灉榪欎釜 form 鐨?action 鍊間負絀猴紝鍒欎笉闄勫姞 csrftoken if(url == null || url == "" ) continue; // 鍔ㄦ€佺敓鎴?input 鍏冪礌錛屽姞鍏ュ埌 form 涔嬪悗 var e = document.createElement("input"); e.name = "csrftoken"; e.value = token; e.type="hidden"; forms[i].appendChild(e); } } function updateTags() { var all = document.getElementsByTagName('a'); var len = all.length; // 閬嶅巻鎵€鏈?a 鍏冪礌 for(var i=0; i<len; i++) { var e = all[i]; updateTag(e, 'href', token); } } function updateTag(element, attr, token) { var location = element.getAttribute(attr); if(location != null && location != '' '' ) { var fragmentIndex = location.indexOf('#'); var fragment = null; if(fragmentIndex != -1){ //url 涓惈鏈夊彧鐩稿綋欏電殑閿氭爣璁? fragment = location.substring(fragmentIndex); location = location.substring(0,fragmentIndex); } var index = location.indexOf('?'); if(index != -1) { //url 涓凡鍚湁鍏朵粬鍙傛暟 location = location + '&csrftoken=' + token; } else { //url 涓病鏈夊叾浠栧弬鏁? location = location + '?csrftoken=' + token; } if(fragment != null){ location += fragment; } element.setAttribute(attr, location); } } |
鍦ㄥ鎴風 html 涓紝涓昏鏄湁涓や釜鍦版柟闇€瑕佸姞涓?token錛屼竴涓槸琛ㄥ崟 form錛屽彟涓€涓氨鏄摼鎺?a銆傝繖孌典唬鐮侀鍏堥亶鍘嗘墍鏈夌殑 form錛屽湪 form 鏈€鍚庢坊鍔犱竴闅愯棌瀛楁錛屾妸 csrftoken 鏀懼叆鍏朵腑銆傜劧鍚庯紝浠g爜閬嶅巻鎵€鏈夌殑閾炬帴鏍囪 a錛屽湪鍏?href 灞炴€т腑鍔犲叆 csrftoken 鍙傛暟銆傛敞鎰忓浜?a.href 鏉ヨ錛屽彲鑳借灞炴€у凡緇忔湁鍙傛暟錛屾垨鑰呮湁閿氭爣璁般€傚洜姝ら渶瑕佸垎鎯呭喌璁ㄨ錛屼互涓嶅悓鐨勬牸寮忔妸 csrftoken 鍔犲叆鍏朵腑銆?/p>
濡傛灉浣犵殑緗戠珯浣跨敤 XMLHttpRequest錛岄偅涔堣繕闇€瑕佸湪 HTTP 澶翠腑鑷畾涔?csrftoken 灞炴€э紝鍒╃敤 dojo.xhr 緇?XMLHttpRequest 鍔犱笂鑷畾涔夊睘鎬т唬鐮佸涓嬶細
|
1 |
<strong><em>娓呭崟 4. 鍦?HTTP 澶翠腑鑷畾涔夊睘鎬?lt;/em></strong> |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15 |
var plainXhr = dojo.xhr; // 閲嶅啓 dojo.xhr 鏂規硶 dojo.xhr = function(method,args,hasBody) { // 紜繚 header 瀵硅薄瀛樺湪 args.headers = args.header || {}; tokenValue = '<%=request.getSession(false).getAttribute("csrftoken")%>'; var token = dojo.getObject("tokenValue"); // 鎶?csrftoken 灞炴€ф斁鍒板ご涓? args.headers["csrftoken"] = (token) ? token : " "; return plainXhr(method,args,hasBody); }; |
榪欓噷鏀瑰啓浜?dojo.xhr 鐨勬柟娉曪紝棣栧厛紜繚 dojo.xhr 涓瓨鍦?HTTP 澶達紝鐒跺悗鍦?args.headers 涓坊鍔?csrftoken 瀛楁錛屽茍鎶?token 鍊間粠 session 閲屾嬁鍑烘斁鍏ュ瓧孌典腑銆?/p>
CSRF 闃插盡鏂規硶閫夋嫨涔嬮亾
閫氳繃涓婃枃璁ㄨ鍙煡錛岀洰鍓嶄笟鐣屽簲瀵?CSRF 鏀誨嚮鏈変竴浜涘厠鍒舵柟娉曪紝浣嗘槸姣忕鏂規硶閮芥湁鍒╁紛錛屾病鏈変竴縐嶆柟娉曟槸瀹岀編鐨勩€傚浣曢€夋嫨鍚堥€傜殑鏂規硶闈炲父閲嶈銆傚鏋滅綉绔欐槸涓€涓幇鏈夌郴緇燂紝鎯寵鍦ㄦ渶鐭椂闂村唴鑾峰緱涓€瀹氱▼搴︾殑 CSRF 鐨勪繚鎶わ紝閭d箞楠岃瘉 Referer 鐨勬柟娉曟槸鏈€鏂逛究鐨勶紝瑕佹兂澧炲姞瀹夊叏鎬х殑璇濓紝鍙互閫夋嫨涓嶆敮鎸佷綆鐗堟湰嫻忚鍣紝姣曠珶灝辯洰鍓嶆潵璇達紝IE7+, FF3+ 榪欑被楂樼増鏈祻瑙堝櫒鐨?Referer 鍊艱繕鏃犳硶琚鏀廣€?/p>
濡傛灉緋葷粺蹇呴』鏀寔 IE6錛屽茍涓斾粛鐒墮渶瑕侀珮瀹夊叏鎬с€傞偅涔堝氨瑕佷嬌鐢?token 鏉ヨ繘琛岄獙璇侊紝鍦ㄥぇ閮ㄥ垎鎯呭喌涓嬶紝浣跨敤 XmlHttpRequest 騫朵笉鍚堥€傦紝token 鍙兘浠ュ弬鏁扮殑褰㈠紡鏀句簬璇鋒眰涔嬩腑錛岃嫢浣犵殑緋葷粺涓嶆敮鎸佺敤鎴瘋嚜宸卞彂甯冧俊鎭紝閭h繖縐嶇▼搴︾殑闃叉姢宸茬粡瓚沖錛屽惁鍒欑殑璇濓紝浣犱粛鐒墮毦浠ラ槻鑼?token 琚粦瀹㈢獌鍙栧茍鍙戝姩鏀誨嚮銆傚湪榪欑鎯呭喌涓嬶紝浣犻渶瑕佸皬蹇冭鍒掍綘緗戠珯鎻愪緵鐨勫悇縐嶆湇鍔★紝浠庝腑闂存壘鍑洪偅浜涘厑璁哥敤鎴瘋嚜宸卞彂甯冧俊鎭殑閮ㄥ垎錛屾妸瀹冧滑涓庡叾浠栨湇鍔″垎寮€錛屼嬌鐢ㄤ笉鍚岀殑 token 榪涜淇濇姢錛岃繖鏍峰彲浠ユ湁鏁堟姷寰¢粦瀹㈠浜庝綘鍏抽敭鏈嶅姟鐨勬敾鍑伙紝鎶婂嵄瀹抽檷鍒版渶浣庛€傛瘯绔燂紝鍒犻櫎鍒漢涓€涓笘瀛愭瘮鐩存帴浠庡埆浜鴻處鍙蜂腑杞蛋澶х瑪瀛樻涓ラ噸紼嬪害瑕佽交鐨勫銆?/p>
濡傛灉鏄紑鍙戜竴涓叏鏂扮殑緋葷粺錛屽垯鎶靛盡 CSRF 鐨勯€夋嫨瑕佸ぇ寰楀銆傜瑪鑰呭緩璁浜庨噸瑕佺殑鏈嶅姟錛屽彲浠ュ敖閲忎嬌鐢?XMLHttpRequest 鏉ヨ闂紝榪欐牱澧炲姞 token 瑕佸鏄撳緢澶氥€傚彟澶栧敖閲忛伩鍏嶅湪 js 浠g爜涓嬌鐢ㄥ鏉傞€昏緫鏉ユ瀯閫犲父瑙勭殑鍚屾璇鋒眰鏉ヨ闂渶瑕?CSRF 淇濇姢鐨勮祫婧愶紝姣斿 window.location 鍜?document.createElement(“a”) 涔嬬被錛岃繖鏍蜂篃鍙互鍑忓皯鍦ㄩ檮鍔?token 鏃朵駭鐢熺殑涓嶅繀瑕佺殑楹葷儲銆?/p>
鏈€鍚庯紝瑕佽浣?CSRF 涓嶆槸榛戝鍞竴鐨勬敾鍑繪墜孌碉紝鏃犺浣?CSRF 闃茶寖鏈夊涔堜弗瀵嗭紝濡傛灉浣犵郴緇熸湁鍏朵粬瀹夊叏婕忔礊錛屾瘮濡傝法绔欏煙鑴氭湰鏀誨嚮 XSS錛岄偅涔堥粦瀹㈠氨鍙互緇曡繃浣犵殑瀹夊叏闃叉姢錛屽睍寮€鍖呮嫭 CSRF 鍦ㄥ唴鐨勫悇縐嶆敾鍑伙紝浣犵殑闃茬嚎灝嗗鍚岃櫄璁俱€?/p>
鎬葷粨涓庡睍鏈?/strong>
鍙錛孋SRF 鏄竴縐嶅嵄瀹抽潪甯稿ぇ鐨勬敾鍑伙紝鍙堝緢闅句互闃茶寖銆傜洰鍓嶅嚑縐嶉槻寰$瓥鐣ヨ櫧鐒跺彲浠ュ緢澶х▼搴︿笂鎶靛盡 CSRF 鐨勬敾鍑伙紝浣嗗茍娌℃湁涓€縐嶅畬緹庣殑瑙e喅鏂規銆備竴浜涙柊鐨勬柟妗堟鍦ㄧ爺絀朵箣涓紝姣斿瀵逛簬姣忔璇鋒眰閮戒嬌鐢ㄤ笉鍚岀殑鍔ㄦ€佸彛浠わ紝鎶?Referer 鍜?token 鏂規緇撳悎璧鋒潵錛岀敋鑷沖皾璇曚慨鏀?HTTP 瑙勮寖錛屼絾鏄繖浜涙柊鐨勬柟妗堝皻涓嶆垚鐔燂紝瑕佹寮忔姇鍏ヤ嬌鐢ㄥ茍琚笟鐣屽箍涓烘帴鍙楄繕闇€鏃舵棩銆傚湪榪欎箣鍓嶏紝鎴戜滑鍙湁鍏呭垎閲嶈 CSRF錛屾牴鎹郴緇熺殑瀹為檯鎯呭喌閫夋嫨鏈€鍚堥€傜殑絳栫暐錛岃繖鏍鋒墠鑳芥妸 CSRF 鐨勫嵄瀹抽檷鍒版渶浣庛€?/p>