保护ajax请求完整性的最佳方法

2021-12-29 00:00:00 security php javascript ajax drupal

我正在构建一个 Drupal 网站,其中包含大量用户特定的信息,这些信息将使用 jQuery/ajax 发布.信息本身不是很敏感,重要的是要验证表单数据没有被 Firebug 等工具篡改,以及确保信息确实是从指定用户那里请求的.换句话说,我试图找出在使用 ajax 发布时保护数据完整性和真实性的最佳方法.

I am building a Drupal website with a lot of user-specific information that will be posted using jQuery/ajax. The information it self is not very sensitive, it is just important to verify that the form-data has not been tampered with tools like Firebug, as well as ensuring the information is really requested from the specified user. In other words, I am trying to figure out the best way to protect the integrity and authenticity of the data when posting with ajax.

理想情况下,我想使用一些众所周知的消息认证系统,比如 HMAC 算法.但由于这包含了一个对称密钥,我不知道如何加密 POST 数据而不暴露我的 javascript 文件中的密钥(显然任何人都可以看到).

Ideally I would like to use some well known message authentication system, like the HMAC algorithm. But since this incorporates a symmetric key, I don't see how I can encrypt the POST data without exposing the secret key in my javascript file (which obviously is visible to anyone).

如果我对这应该如何工作有错误的想法,请纠正我.

Please correct me if I have got the wrong idea about how this should work.

例如,我需要发送的信息

For example, info I need to send

field1=x&field2=y&uid=10

...然后计算数据的哈希值和密钥.这是否可以在不公开我的 javascript 代码中的哈希函数的情况下完成?

...then calculate the hash of the data together with a secret key. Is this possible to do without exposing the hash function in my javascript code?

CHECKSUM: hash(postdata, "secret_key")

... 最后将校验和附加到原始 postdata.

... and finally append checksum to original postdata.

field1=x&field2=y&uid=1&c=CHECKSUM

替代方案

我想到的另一种方法是使用登录用户的会话 ID.但是,这不会检查消息的完整性...

Alternative

An alternative I though of was using the session ID of the logged in user. This however would not check the integrity of the message...

使用 PHP 生成表单时,我可以使用以下内容生成隐藏输入

When generating form with PHP, I can generate a hidden input with following

CHECKSUM: hash(session id for the current user, "secretkey")

然后我会使用 ajax 发布的是

What I then would post using ajax is

field1=x&field2=y&uid=10&c=CHECKSUM

有了这个,验证适当的用户(再次伪代码)将是相当安全的

With this it would be fairly secure to authenticate the appropriate user (again pseudo-code)

ssid = SELECT ssid FROM sessions WHERE uid = $_POST[uid]
if(ssid && hash(ssid, "secretkey") == $_POST[c]) {
     //User OK
} else {
     //Invalid user
}

推荐答案

你不能做你想做的事.基本上,您试图验证不受信任和不受控制的客户端上的一个组件(您的表单)没有被同一客户端上的另一个组件篡改.您无法控制客户端.您可以想出各种方法来使某人更难在他们的客户端上执行此操作,但最终您必须向客户端公开您如何进行这些完整性检查.无论您在表单脚本中做什么,该客户端上的人都可以阅读和理解(它必须在客户端上运行,因此与客户端交互的任何人都可以对您正在做的任何事情进行逆向工程以恢复所使用的技术和任何密钥/etc 您必须启用您的方案).

You cannot do what you're trying to do. Basically, you're trying to verify that one component (your form) on an untrusted and uncontrolled client is not tampered with by another component on that same client. You don't control the client. You can come up with all sorts of methods to make it harder for someone to do this on their client, but in the end you must expose how you're doing those integrity checks to the client. Whatever you do in your form scripts can be read and understood by the person on that client (it has to run on the client, so whomever is interacting with the client can reverse engineer anything you're doing to recover the techniques used and any keys/etc that you have to enable your scheme).

Web 应用程序安全的基本规则是您无法控制客户端上发生的事情,因此您不能信任像这样的客户端验证/安全方案.

Basic rule of web application security is that you cannot control what's happening on the client, so you cannot trust client-side verification/security schemes like this.

最终,这种计划提供的保护不太可能值得花时间和投资来实施.决心打破它的人将能够做到.

In the end, it's unlikely that the protection offered by such a scheme would be worth the time and investment to implement it. Someone who is determined to break it will be able to.

相关文章