SharePoint Security系列 之二 Cross-Site Request Forgery
什么是Cross-Site Request Forgery
=============================
Cross-Site Request Forgery(CSRF or XSRF)是一种欺骗受害者的浏览器, 使之代表受害者履行他所不希望做的动作. 比如说, 这种攻击可以导致转账, 修改密码, 或者购买物品. 对于绝大多数的站点而言, 进行这种动作的时候, 浏览器会自动地带上任何跟这个站点有关的认证信息. 如果受害者已经通过了认证来使用某个站点, 那么浏览器就不可能区分出"用户进行的合法的动作"和"通过CSRF弱点由攻击者发起的恶意的动作".
举例:
For example, imagine an online banking site that performs a transfer of funds action by calling a URL such as:
http://bigsafebank.com/transfer.do?acct=ATTACKER&amount=1000
This URL will transfer $1000 from a victim’s account into the attacker’s account if the victim is logged into their account within the BigSafeBank website. The attacker knows that there isn’t much chance of getting a user to click on that link due to its suspicious looking nature, so the attacker must fool the victim into clicking the link and executing the malicious action.
The attacker can create an HTML email with a tag such as:
<img src="http://bigsafebank.com/transfer.do?acct=ATTACKER&amount=1000" width="1" height="1" border="0">
When a victim views this HTML email, they will see an error indicating that the image could not be loaded within the browser, but the browser would still submit the transfer request to bigsafebank.com without requiring any further interaction from the user. Even though the image was rendered unsuccessfully, using the <img> tag, an automatic http request was made that contained the victim's credentials, allowing the server to perform the malicious action.
SharePoint 2010
============================
Out Of Box的SharePoint对这种攻击是免疫的. 因为SharePoint使用一种dynamic canary的方式来确保POST请求来自于服务器的相同的domain(比如说同一个站点).
如果你要issue 一个POST到sharepoint站点上, 你必须做两件事
- Send the canary with every postback or web service request.
- Validate the canary before acting on the postback or web service request.
其背后的原理如下:
使用SharePoint Master Page的所有页面都会带有一个叫做__REQUESTDIGEST的隐藏的表单元素. 这个元素的值包含canary的值. 在每个POSTBACK后, 都会自动地被发送到客户端.
如果攻击者在自己的网站上贴了一张图, 图片链接到http://sharepoint/_layouts/deleteweb.aspx?webid=1 , 那么当站点管理员不小心点击到这个图片后, 就会发送一个post请求到sharepoint, sharepoint会去检查这个请求是否带有__REQUESTDIGEST, 并且验证其是否合法.
由于攻击者自己的网站上不可能带有合法的这个表单元素, 所以这种攻击对SharePoint是无效的.
如果要是开发者自己书写代码, 那么为了预防这种攻击和实现功能还是有一些地方需要注意, 具体请参考这里.
参考资料
================
Tester Question: What is a cross-site request forgery attack? How do I test our website to see if it is vulnerable to this attack?
http://msdn.microsoft.com/en-us/testing/cc664492.aspx
Security Best Practices for Developers in SharePoint 2010