{"id":134,"date":"2021-04-07T11:52:10","date_gmt":"2021-04-07T03:52:10","guid":{"rendered":"https:\/\/choson_steven.lifenet.com.tw\/?p=134"},"modified":"2023-03-29T17:05:05","modified_gmt":"2023-03-29T09:05:05","slug":"xsscsrfreplay","status":"publish","type":"post","link":"https:\/\/choson.lifenet.com.tw\/?p=134","title":{"rendered":"XSS&CSRF&Replay"},"content":{"rendered":"\n

\u8de8\u7ad9\u8acb\u6c42\u507d\u9020\uff08Cross-Site Request Forgery\uff1aCSRF\uff09<\/strong>
\u8de8\u7ad9\u8acb\u6c42\u507d\u9020\uff08CSRF\uff09\u662f\u4e00\u500b\u5f88\u597d\u7684\u9078\u64c7\u3002\u50b3\u7d71\u7684CSRF\u653b\u64ca\u6703\u767c\u751f\u4ee5\u4e0b\u5148\u6c7a\u689d\u4ef6\uff1a<\/p>\n\n\n\n

    \n
  1. \u53d7\u5bb3\u7528\u6236\u5df2\u767b\u9304\u5230\u7cfb\u7d71\uff08\u4f8b\u5982\uff0c\u5728\u7dda\u9280\u884c\uff09\u3002<\/li>\n\n\n\n
  2. \u53d7\u5bb3\u7528\u6236\u55ae\u64ca\u5e36\u6709\u507d\u9020\u6216\u64cd\u7e31\u53c3\u6578\u7684\u60e1\u610f\u8d85\u93c8\u63a5\u3002<\/li>\n\n\n\n
  3. \u53d7\u5bb3\u7cfb\u7d71\u63a5\u53d7\u4f5c\u70baHTTP GET\u8acb\u6c42\u767c\u9001\u7684URL\u3002
    \u4ee5\u4e0b\u662f\u7de9\u89e3CSRF\u653b\u64ca\u7684\u6280\u5de7\uff1a<\/li>\n\n\n\n
  4. \u7cfb\u7d71\u4e0d\u61c9\u63a5\u53d7\u901a\u904eGET\u9032\u884c\u7684\u4ea4\u6613\u8acb\u6c42\u3002\u800c\u662f\u61c9\u901a\u904ePOST\uff0cPUT\u6216DELETE\u5b8c\u6210\u4e8b\u52d9\u3002RESTful API\u901a\u904e\u4ee5\u4e0b\u65b9\u5f0f\u4f7f\u7528HTTP\u52d5\u8a5e\/\u65b9\u6cd5\uff1aGET\u7528\u65bc\u67e5\u8a62\uff0cPOST\u7528\u65bc\u63d2\u5165\uff0cPUT\u7528\u65bc\u4fee\u6539\uff0cDELETE\u7528\u65bc\u522a\u9664\u3002<\/li>\n\n\n\n
  5. CSRF\u653b\u64ca\u4e5f\u53ef\u4ee5\u901a\u904eiframe\u5167\u7684HTTP\u5f62\u5f0f\u89f8\u767c\u3002\u56e0\u6b64\uff0c\u61c9\u57f7\u884c\u540c\u6e90\u653f\u7b56\u3002\u73fe\u4ee3Web\u700f\u89bd\u5668\u9ed8\u8a8d\u60c5\u6cc1\u4e0b\u555f\u7528\u540c\u6e90\u7b56\u7565\u3002<\/li>\n\n\n\n
  6. \u653b\u64ca\u8005\u53ef\u4ee5\u5f9e\u653b\u64ca\u5de5\u5177\u767c\u9001CSRF\u653b\u64ca\u3002\u6e1b\u8f15\u9019\u7a2e\u98a8\u96aa\u7684\u6700\u7d42\u65b9\u6cd5\u662f\u4ee5\u6bcf\u7a2eHTTP\u5f62\u5f0f\u5be6\u73fe\u5b58\u5132\u5728\u96b1\u85cf\u8f38\u5165\u4e2d\u7684\u8eab\u4efd\u9a57\u8b49\u4ee3\u78bc\u3002Microsoft ASP.NET MVC\u5f88\u597d\u5730\u652f\u6301\u6b64\u529f\u80fd\u3002<\/li>\n<\/ol>\n\n\n\n

    \u91cd\u64ad(Replay)<\/strong>
    \u91cd\u64ad\u53ef\u80fd\u7531\u4e2d\u9593\u4eba\uff0c\u60e1\u610f\u7528\u6236\u6216\u7121\u610f\u884c\u70ba\u89f8\u767c\u3002\u91cd\u64ad\u6d88\u606f\u53ef\u80fd\u6703\u6216\u53ef\u80fd\u4e0d\u6703\u88ab\u64cd\u7e31\u3002\u8a72\u554f\u984c\u4e26\u4e0d\u5efa\u8b70\u7de9\u89e3\u91cd\u653e\u653b\u64ca\u3002
    \u53c3\u8003
    \u8de8\u7ad9\u9ede\u8173\u672c\uff08XSS\uff09<\/a>
    \u8de8\u7ad9\u8acb\u6c42\u507d\u9020\uff08CSRF\uff09<\/a>
    \u9632\u6b62ASP.NET MVC\u61c9\u7528\u7a0b\u5e8f\u4e2d\u7684\u8de8\u7ad9\u9ede\u8acb\u6c42\u507d\u9020\uff08CSRF\uff09\u653b\u64ca<\/a>
    \u8ca1\u52d9\u5c0e\u5411\u7684Web\u61c9\u7528\u7a0b\u5e8f\u4e2d\u7684\u5e38\u898b\u5b89\u5168\u554f\u984c<\/a>
    \u540c\u6e90\u653f\u7b56<\/a>
    \u540c\u6e90\u7b56\u7565\uff1a\u73fe\u4ee3\u700f\u89bd\u5668\u4e2d\u7684\u8a55\u4f30<\/a>
    \u73fe\u4ee3\u700f\u89bd\u5668\u4e2d\u7684\u539f\u59cb\u7b56\u7565\u57f7\u884c<\/a>
    \u540c\u6e90\u653f\u7b56\u7684\u6b0a\u5a01\u6307\u5357<\/a>
    \u975c\u9ed8\u63d0\u4ea4POST\u8868\u55ae\uff08CSRF\uff09\u7684\u793a\u4f8b<\/a><\/p>\n\n\n\n

    \u8cc7\u6599\u4f86\u6e90\uff1a\u00a0Wentz Wu QOTD-20200520<\/a><\/p>\n\n\n\n

    PS:\u6b64\u6587\u7ae0\u7d93\u904e\u4f5c\u8005\u540c\u610f\u520a\u767b \u4e26\u4e14\u6388\u6b0a\u53ef\u4ee5\u7ffb\u8b6f\u6210\u4e2d\u6587<\/p>\n","protected":false},"excerpt":{"rendered":"

    \u8de8\u7ad9\u8acb\u6c42\u507d\u9020\uff08Cross-Site Request Forgery\uff1aCSRF\uff09\u8de8\u7ad9\u8acb\u6c42\u507d\u9020\uff08CSRF\uff09\u662f\u4e00\u500b\u5f88 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-134","post","type-post","status-publish","format-standard","hentry","category-cisspcertified-information-systems-security-professional"],"_links":{"self":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/134","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=134"}],"version-history":[{"count":2,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/134\/revisions"}],"predecessor-version":[{"id":2907,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=\/wp\/v2\/posts\/134\/revisions\/2907"}],"wp:attachment":[{"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=134"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=134"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/choson.lifenet.com.tw\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=134"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}