amanqaku

Ukhuseleko lweWebhu yeLaravel: Yintoni i-Cross-Site Application Forgery (CSRF)?

ukhuseleko lwewebhu

Kwesi sifundo seLaravel sithetha ngoKhuseleko lweWebhu kunye nendlela yokukhusela usetyenziso lwewebhu kwiCross-Site Application Forgery okanye kuhlaselo lweCSRF.

I-CSRF yinto ekhohlakeleyo eyenziwa ngumhlaseli, owenza izenzo egameni lomsebenzisi oqinisekisiweyo, onobungozi kukhuseleko lwewebhu. Ngethamsanqa, iLaravel ibonelela ngezixhobo zokuthintela olu hlobo lokuba sesichengeni.

Yintoni iCSRF?

I-CSRF ihlasela iiseshoni zabasebenzisi. Benza oku ngokukhohlisa umsebenzisi ukuba angenise isicelo ngokusebenzisa iithegi zefom efihliweyo okanye ii-URL ezinobungozi (imifanekiso okanye amakhonkco) ngaphandle kolwazi lomsebenzisi.

Olu hlaselo lukhokelela ekutshintsheni kwimeko yeseshoni yomsebenzisi, ukuvuza kwedatha, kwaye ngamanye amaxesha abahlaseli banokulawula idatha yomsebenzisi wokugqibela kwisicelo.

Lo mfanekiso ungasentla ubonisa imeko apho ukhuseleko lwewebhu lwaphulwa khona. Ixhoba lithumela isicelo ngokunqakraza kwikhonkco (efunyenweyo), ukuthumela isicelo kumncedisi wewebhusayithi oya kuvelisa iziphumo ezifunwa yi-hacker, oza kubamba ulwazi oluluncedo lokufikelela kunye nokuxhaphaza iseva yewebhusayithi.

Uzithintela njani izicelo zeCSRF

Ukuphucula i yokhuseleko kwiwebhu yezicelo zakho, kwiseshoni nganye yomsebenzisi, iLaravel ivelisa iithokheni ezikhuselekileyo ezisebenzisayo ukuqinisekisa ukuba umsebenzisi oqinisekisiweyo nguye ocela isicelo.

Ngenxa yokuba lo mqondiso utshintsha rhoqo xa iseshoni yomsebenzisi ihlaziywa, umhlaseli akakwazi ukufikelela kuyo.

Nanini na kukho isicelo sokutshintsha ulwazi lomsebenzisi kwicala lomncedisi (umva) njenge POSTPUTPATCHDELETE, kufuneka ubandakanye umyalelo @csrf kwifomu yesicelo blade HTML. I @csrf ke ngoko ngumyalelo Blade isetyenziselwa ukwenza umqondiso ofihliweyo oqinisekisiweyo sisicelo.

Umyalelo Blade sisivakalisi esisetyenziswa ngaphakathi kwenjini yetemplate yeLaravel ebizwa Blade . Ukwenza ifayile blade kufuneka unike igama - kwifom yethu yecala - ilandelwa kukwandiswa kwe-blade. Oku kuthetha ukuba ifayile iya kuba negama form.blade.php.

Ifayile isetyenzisiwe blade ukunikezela iimbono zabasebenzisi kwiphepha lewebhu.Kukho izikhokelo ezimbalwa zangaphambilidefinite okanye iblade shorthand syntax ongayisebenzisa. Umzekelo, @if jonga ukuba imeko yanelisiwe, @empty khangela ukuba iirekhodi azinanto, @auth khangela ukuba umsebenzisi uqinisekisiwe njalo njalo.

Kodwa masibuyele kumyalelo @csrf. Nantsi indlela oyisebenzisa ngayo:

<form method="POST" action="{{route('pay')}}">

    @csrf
    
</form>

Iinguqulelo zangaphambili zeLaravel zineendlela ezahlukeneyo zokuseta: zisebenza zombini kwaye zenza into enye.

Ileta yeendaba entsha
Ungaphoswa zezona ndaba zibalulekileyo kutshintsho. Bhalisa ukuze uzifumane nge-imeyile.
<form method="POST" action="{{route('pay')}}">
    
    <input type="hidden" name="_token" value="{{ csrf_token() }}" />
    
</form>

Xa ithokheni ye-CSRF ingekho kwisicelo sefom esingeniswayo okanye ukuba ibonakala ingasebenzi, iLaravel iphosa umyalezo wephutha othi "Iphepha Liphelelwe" ngekhowudi yesimo se-419.

Uqinisekiso lweCSRF lwenzeka njani kwaye lwenzeka phi

Isixhobo esiphakathi VerifyCsrfToken iphatha ukuqinisekiswa kwe-CSRF ngaphakathi kwesicelo seLaravel. I middleware ibhalisiwe kwi Kernel.php kwaye ibekwe kulawulo app/Http/Middleware. Oku kuthetha ukuba i middleware iqalwa ngenxa yezicelo ngaphakathi kwiwebhu, ayinxulumananga ne-APIs.

protected $middlewareGroups = [
        'web' => [
           .
           .
           .
           .
           .
            \App\Http\Middleware\VerifyCsrfToken::class,
        ],
    ];

I-Middleware ye-VerifyCsrfToken yandisa iklasi Illuminate\Foundation\Http\Middleware\VerifyCsrfToken, o.k. uqinisekiso lweCSRF lu defizifakwe eklasini.

Masimbe nzulu ukuze sifumanise ukuba iLaravel iluphatha njani uqinisekiso lweCSRF.

Ngaphakathi eklasini, sinomsebenzi tokensMatch.

protected function tokensMatch($request)
{
     $token = $this->getTokenFromRequest($request);

     return is_string($request->session()->token()) &&
            is_string($token) &&
            hash_equals($request->session()->token(), $token);
}

kwikhowudi imisela ukuba iseshoni kunye negalelo iithokheni zeCSRF ziyahambelana.

Umsebenzi wenza izinto ezimbini:

  1. ifumana $this->getTokenFromRequest uphawu olusuka kwisicelo esingenayo esincanyathiselwe ngentsimi efihlakeleyo okanye isihloko sesicelo. Ithokheni ikhutshiwe kwaye emva koko ibuyiselwe kuguquguquko lophawu.
protected function getTokenFromRequest($request)
{
    $token = $request->input('_token') ?: $request->header('X-CSRF-TOKEN');

    if (! $token && $header = $request->header('X-XSRF-TOKEN')) {
        try {
            $token = CookieValuePrefix::remove($this->encrypter->decrypt($header, static::serialized()));
        } catch (DecryptException $e) {
            $token = '';
            }
    }

    return $token;
}

Kwikhowudi fumana uphawu ukusuka kwisihloko

2. Phosa zombini ithokheni yesicelo kunye neseshoni kumtya uze usebenzise hash_equals eyakhelwe kwi-PHP ukuthelekisa ukuba zombini iintambo ziyalingana. Isiphumo salo msebenzi sihlala sihlala bool (yinyani) okanye (bubuxoki) .

Ercole Palmeri

Ileta yeendaba entsha
Ungaphoswa zezona ndaba zibalulekileyo kutshintsho. Bhalisa ukuze uzifumane nge-imeyile.
tags: ilaraveliphpUkhuseleko lwe-ITisoftweuyilo lwesoftwareuphuhliso lwesoftweUbunjineli beSoftware
26 April 2023 2:17 pm

Amanqaku amva

Izibonelelo zamaphepha okufaka imibala kuBantwana-ihlabathi lomlingo kuyo yonke iminyaka

Ukuphuhlisa izakhono zemoto ngokufaka imibala kulungiselela abantwana izakhono ezinzima ezifana nokubhala. Ukufaka umbala...

2 Meyi 2024

Ikamva lilapha: Njani iShishini lokuThumela liTshintsha uQoqosho lweHlabathi

Icandelo lomkhosi wasemanzini ligunya lokwenyani loqoqosho lwehlabathi, elithe lajonga kwimarike ye-150 yeebhiliyoni...

1 Meyi 2024

Abapapashi kunye ne-OpenAI batyikitya izivumelwano zokulawula ukuhamba kolwazi oluqhutywe yiArtificial Intelligence

NgoMvulo ophelileyo, i-Financial Times ibhengeze isivumelwano kunye ne-OpenAI. I-FT ikhupha iilayisensi kubuntatheli bayo obukumgangatho wehlabathi…

30 Aprili 2024

Iintlawulo ze-Intanethi: Nantsi indlela Iinkonzo zokusasaza ezikwenza ukuba uHlawule ngonaphakade

Izigidi zabantu zihlawula iinkonzo zokusasaza, zihlawula umrhumo wenyanga. Luluvo oluqhelekileyo ukuba…

29 Aprili 2024

Funda inguqulelo ngolwimi lwakho

Ileta yeendaba entsha
Ungaphoswa zezona ndaba zibalulekileyo kutshintsho. Bhalisa ukuze uzifumane nge-imeyile.

landela us

Amanqaku amva

tag

isondlo ukuhlaselwa kwe-cyber blockchain ingxoxo ncokola gpt ilifu ukhomyutha yamafu UkuThengiswa kweMpahla ukuhlaselwa kwe-cyber ukhuseleko lwe-cyber ilungelo lomthengi eCommerce Eneya isiganeko sokuyila gianfranco fedele uphando nefuthe ezintsha ngenkxaso-mali entsha ubuchule bokukhulisa inguqulelo yezonyango ukuzinza kokusungula Ukuveliswa kwetekhnoloji ingqiqo IOT U kufunda metaverse microsoft nft Akukho Mntu kwiLoop php mpendulo Robotics SEO SERP isoftwe uyilo lwesoftware uphuhliso lwesoftwe Ubunjineli beSoftware uzinzo qalisa thales Tutorial Vpn web3