FixVibe
Covered by FixVibehigh

Ukuvikelwa kwe-CSRF: Ukuvikela Ezinguqukweni Zezifunda Ezingagunyaziwe

I-Cross-Site Request Forgery (CSRF) isalokhu iwusongo olukhulu ezinhlelweni zokusebenza zewebhu. Lolu cwaningo luhlola ukuthi izinhlaka zesimanje ezifana ne-Django zikusebenzisa kanjani ukuvikela nokuthi izibaluli zezinga lesiphequluli ezifana ne-SameSite zinikeza kanjani ukuzivikela ngokujulile ezicelweni ezingagunyaziwe.

CWE-352

Umthelela

I-Cross-Site Request Forgery (CSRF) ivumela umhlaseli ukuthi akhohlise isiphequluli sesisulu ekwenzeni izenzo ezingafuneki kuwebhusayithi ehlukile lapho isisulu sigunyazwe khona njengamanje. Ngenxa yokuthi iziphequluli zifaka phakathi imininingwane ye-ambient efana namakhukhi ezicelweni, umhlaseli angakwazi ukwenza imisebenzi eshintsha isimo—njengokushintsha amagama ayimfihlo, ukususa idatha, noma ukuqalisa imisebenzi—ngaphandle kolwazi lomsebenzisi.

Imbangela

Imbangela eyinhloko ye-CSRF ukuziphatha okuzenzakalelayo kwesiphequluli sewebhu sokuthumela amakhukhi ahlotshaniswa nesizinda noma nini lapho isicelo senziwe kuleso sizinda, ngokunganaki umsuka wesicelo [S1]. Ngaphandle kokuqinisekisa okuqondile kokuthi isicelo siqaliswe ngamabomu kusuka kusixhumi esibonakalayo sohlelo lokusebenza uqobo, iseva ayikwazi ukuhlukanisa phakathi kwesenzo somsebenzisi esisemthethweni nesenziwe ngomgunyathi.

Izindlela Zokuvikela ze-Django CSRF

I-Django ihlinzeka ngohlelo lokuvikela olwakhelwe ngaphakathi ukuze kuncishiswe lezi zingozi ngokusebenzisa i-middleware nokuhlanganiswa kwesifanekiso [S2].

I-Middleware Activation

I-django.middleware.csrf.CsrfViewMiddleware inesibopho sokuvikela i-CSRF futhi ngokuvamile inikwa amandla ngokuzenzakalela [S2]. Kufanele ibekwe ngaphambi kokuthi noma iyiphi i-middleware yokubuka ethatha ukuthi ukuhlasela kwe-CSRF isivele isingathiwe [S2].

Ukusebenzisa Isifanekiso

Kunoma imaphi amafomu e-POST angaphakathi, onjiniyela kufanele bafake umaka we-{% csrf_token %} ngaphakathi kwe-<form> element [S2]. Lokhu kuqinisekisa ukuthi ithokheni eyingqayizivele, eyimfihlo ifakiwe esicelweni, iseva bese isiqinisekisa ngokumelene nesikhathi somsebenzisi.

Izingozi Zokuvuza Kwethokheni

Imininingwane yokusetshenziswa ebalulekile ukuthi i-{% csrf_token %} akumele ifakwe kumafomu aqondise ama-URL angaphandle [S2]. Ukwenza kanjalo kuzovuza ithokheni eyimfihlo ye-CSRF kunkampani yangaphandle, okungase kube sengozini yokuphepha kweseshini yomsebenzisi [S2].

Ukuzivikela Kwezinga Lesiphequluli: Amakhukhili eSameSite

Iziphequluli zesimanje zethule isibaluli se-SameSite sesihloko se-Set-Cookie ukuze sinikeze isendlalelo sokuzivikela esijulile [S1].

  • Kuqinile: Ikhukhi ithunyelwa kuphela ngokomongo womuntu wokuqala, okusho ukuthi isayithi kubha ye-URL ifana nesizinda sekhukhi [S1].
  • Lax: Ikhukhi ayithunyelwa ngezicelo ezingaphansi kwezinye izindawo (njengezithombe noma amafreyimu) kodwa ithunyelwa lapho umsebenzisi eya endaweni yoqobo, njengokulandela isixhumanisi esivamile [S1].

I-FixVibe iyihlolela kanjani

I-FixVibe manje ihlanganisa ukuvikelwa kwe-CSRF njengesheke elisebenzayo elinesango. Ngemva kokuqinisekiswa kwesizinda, i-active.csrf-protection ihlola amafomu ashintsha isimo, ihlola okokufaka okumise okwethokheni ye-CSRF kanye namasiginali wekhukhi ye-SameSite, bese izama ukuthunyelwa komsuka womgunyathi okunomphumela ophansi futhi ibika kuphela lapho iseva ikwamukela. Ukuhlola amakhukhi kuphinda kuhlabe umkhosi ngezibaluli ezibuthakathaka ze-SameSite ezehlisa ukuvikela kwe-CSRF ngokujulile.