JWT tokens in sessionStorage vs. cookies?
There are a lot of blog posts from Stormpath that talk about how you ought to use cookies to store your JWT instead of sessionStorage/localStorage:
- https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
- https://stormpath.com/blog/token-auth-spa
- https://stormpath.com/blog/build-secure-user-interfaces-using-jwts
The main stated reason is that if a 3rd-party javascript dependency that you load is compromised, it can pilfer through sessionStorage/localStorage and transmit the JWT off to somewhere.
But this is confusing as a reason to me. I understand the attack vector, but if you have a compromised 3rd-party javascript dependency, aren't you effectively screwed anyway, since it can listen in on/capture anything your users do as they interact with your app?
Accepted answer
I'm the author of https://stormpath.com/blog/where-to-store-your-jwts-cookies-vs-html5-web-storage
When XSS exists on a page, an attacker is privileged to:
- HTML5 web storage (local and session)
- Cookies without the httpOnly flag set
- Control of the tab until it is closed, and the ability to make unauthorized requests
You can also start to formulate attacks to get around XSRF protection.
When an XSRF vulnerability exists, an attacker is privileged to:
- Make unauthorized requests from a third-party domain, provided you can lure the user there (or send them there when XSS exists).
You can see that when an XSS vulnerability exists, you are able to make unauthorized requests, and an attacker would need to jump through some more hoops to exploit XSRF. This means that when XSS exists (regardless of XSRF protection or not), the attack vector of making unauthorized requests will exist.
Hopefully, that clears things up for my next point.
XSRF attacks or unauthorized requests have less impact and scope than stealing a stateless token that represents the user's identity and session. Leaking the token means that an attacker will have full control to formulate an attack on behalf of the user, on his time, on his machines.
In conclusion, in the presence of XSS, when you:
- store an access token in web storage, the tokens for any user that uses your site during the time of the existence of the XSS are compromised. This means an attacker could get thousands of valid access tokens and can possibly do a lot of harm (even more if you store refresh tokens in web storage). The users are also vulnerable to making unauthorized requests from their own browser.
- store an access token in an httpOnly cookie, the tokens for any user are not compromised. But the users are still vulnerable to making unauthorized requests from their own browser, even in the presence of XSRF protection.
Hope this information helps.