Research on Server-Side CSRF Defense
Published: 2018-06-08 10:53
Topic: cross-site request forgery + Web applications; Source: Jiangxi Normal University, 2014 master's thesis
【Abstract】: In recent years, applications built on Web and database architectures have come into ever wider use; since the arrival of the Web 2.0 era in particular, Web technology has been favoured for its strong interactivity and real-time characteristics. Emerging interactive applications such as personal blogs, social networking sites and online shopping have become part of everyday life, but at the same time Web technology has brought new security problems to Web applications. Cross-site request forgery (CSRF) is currently one of the main security threats to Web applications: the attacker constructs a malicious request and, through social engineering, induces a legitimate user to access it, so that the operation the attacker wants is carried out in the Web application under that user's identity. By exploiting CSRF, attackers can often penetrate the target Web application further and pose a serious threat to the target site. Effectively defending against CSRF vulnerabilities is therefore very important for the security of Web applications. This thesis first analyzes current Web security technology at home and abroad and explains in detail the core technologies closely related to CSRF attacks, then focuses on the principles of common CSRF defense strategies and defense tools. To address the shortcomings of current CSRF defenses, a server-side CSRF module is designed, implemented mainly as a filter. The filter is designed for the J2EE platform, is based on an added token mechanism, and is implemented with a J2EE Servlet filter together with JavaScript. It intercepts the requests and responses exchanged between server and client and processes and verifies them. Because the module is implemented on the server side, it requires no modification of the client browser; it uses the JavaScript event delegation mechanism to bind the focus and submit events of forms, so it can also handle dynamically created requests. Finally, experimental results show that the module effectively defends Web applications against CSRF attacks and offers better usability and effectiveness than other protection tools.
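The server-side token filter the abstract describes, as an added example written for this page rather than code from the thesis: a J2EE Servlet filter that issues one secret token per session and rejects state-changing requests that do not present it. The field and header names and the use of session storage are assumptions; the client-side event-delegation script that copies the token into each form (including dynamically created ones) is not shown.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example, not the thesis's code. Assumed names: the token is kept in the
// session under "csrf_token" and presented back in a form field of the same name
// or in an "X-CSRF-Token" header (set by the client-side script for AJAX requests).
public class CsrfTokenFilter implements Filter {
    static final String TOKEN = "csrf_token";
    private final SecureRandom random = new SecureRandom();

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpServletResponse w = (HttpServletResponse) res;
        HttpSession session = r.getSession(true);

        // Issue one unpredictable token per session; pages embed it for the client script.
        String expected = (String) session.getAttribute(TOKEN);
        if (expected == null) {
            byte[] buf = new byte[32];
            random.nextBytes(buf);
            expected = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            session.setAttribute(TOKEN, expected);
        }

        // Safe methods pass through; every state-changing method must carry the token.
        String m = r.getMethod();
        boolean safe = "GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m);
        if (!safe) {
            String presented = r.getHeader("X-CSRF-Token");
            if (presented == null) presented = r.getParameter(TOKEN);
            // Constant-time comparison; reject before the request reaches the servlet.
            if (presented == null || !MessageDigest.isEqual(
                    expected.getBytes(StandardCharsets.UTF_8),
                    presented.getBytes(StandardCharsets.UTF_8))) {
                w.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

Map the filter to every URL pattern that accepts state-changing requests; a logout or "safe-method" endpoint that actually changes state would otherwise bypass the check.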
【Degree-granting institution】: Jiangxi Normal University
【Degree level】: Master's
【Year awarded】: 2014
【Classification number】: TP393.08
Article ID: 1995553
Link: https://www.wllwen.com/guanlilunwen/ydhl/1995553.html