CSRF in mobile applications

2023-09-06 02:16:59 Author: 陪你闹陪你笑


The Situation:

Alice uses an online banking website which stores a cookie of her credentials.

Before the cookie expires, Eve sends Alice a malicious URL which subsequently causes Alice to withdraw money from her bank account and send it to Eve.

This is a common CSRF example for web applications, but how feasible is it to do this inside of a mobile application?

What if Alice uses a banking application on her phone which stores a cookie and then visits a site from Eve which has a similar outcome?

Will a cookie on Alice's mobile device from a native (or hybrid) application be vulnerable to manipulation, or are these cookies typically sandboxed on the device somehow?

I would assume cookies on iOS, Android, etc. work the same as a normal browser, but is this actually the case?

EDIT:

This question was originally meant to be generic across all mobile devices. Even something such as creating a cookie in JavaScript and then using PhoneGap or Titanium could be relevant I believe. After reading more into this, I'm also curious if compiling the JavaScript using one of these other technologies would affect native devices' cookies and how they store them.

The main point of using cookies would be to maintain credentials of the user so they wouldn't have to log out and log back in every time with their bank account. After reading more about this issue, it seems like there are different scenarios for each particular device and it is in fact possible to CSRF an application. As an example, Shared Preferences in Android are sandboxed to prevent other applications from accessing the values.

Solution

Will a cookie on Alice's mobile device from a native (or hybrid) application be vulnerable to manipulation, or are these cookies typically sandboxed on the device somehow?

A CSRF attack involves one application: the browser. Your proposed attack involves two separate applications: the banking app and the browser.

Generally speaking, separate applications are separate. Safari does not share data with Firefox, even if both are installed on the same OS X machine. Now, there could be bugs in one or the other that might allow JS to have unfettered access to the OS filesystem and therefore allow a Web site in Safari to access Firefox's data (or vice versa), but this is not really related to a CSRF.

The same thing holds for any separate applications, on any modern OS.

Even something such as creating a cookie in JavaScript and then using PhoneGap or Titanium could be relevant I believe.

Not really, any more than Safari having cookies and Firefox having cookies are somehow tied.

it is in fact possible to CSRF an application

You are welcome to provide evidence of your claims, or provide your personal definition of CSRF that would encompass scenarios like Safari attacking Firefox.

As an example, Shared Preferences in Android are sandboxed to prevent other applications from accessing the values.

Correct. This has little to do with CSRF.

In the case of Android, it does seem that how you create and store the cookies does matter in the attack and it can have vulnerabilities.

Again, you are welcome to provide evidence of your claims, or provide your personal definition of CSRF that would encompass scenarios like Safari attacking Firefox.

although physical access to the device leads to a security concern

Having teleporter technology, that would allow a CSRF to cause a mobile device to physically change its location and therefore have an impact on physical access, has yet to be developed.
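The distinction the answer draws, as an added example that is not code from the thread: a constructed in-memory model of the bank backend, a browser and a native banking app, each client owning its own cookie jar. The classic CSRF only works when the browser's jar holds the session cookie; a cookie held by the separate native app is never attached to a request Eve's page triggers in the browser, and a synchronizer token stops the browser case as well. All names (`BankServer`, `Client`, `scenario`) are hypothetical.

```python
import secrets

# Constructed model (not code from the post): a bank backend that authenticates a
# state-changing request by session cookie, and clients that each own a cookie jar.

class BankServer:
    def __init__(self, require_token=False):
        self.require_token = require_token
        self.sessions = {}      # session id -> user
        self.tokens = {}        # session id -> anti-CSRF token embedded in the bank's page
        self.balances = {"alice": 100, "eve": 0}

    def login(self, user):
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.tokens[sid] = secrets.token_hex(16)
        return {"session": sid}  # what Set-Cookie would hand the client

    def transfer(self, cookies, to, amount, token=None):
        """POST /transfer: identity comes from the cookie alone (the CSRF precondition)."""
        sid = cookies.get("session")
        user = self.sessions.get(sid)
        if user is None:
            return "401 no session"
        # Hardened variant: the token lives in the page, not in the cookie jar, so a
        # cross-site form submitted by the browser cannot supply it.
        if self.require_token and not secrets.compare_digest(token or "", self.tokens[sid]):
            return "403 bad csrf token"
        if self.balances[user] < amount:
            return "402 insufficient funds"
        self.balances[user] -= amount
        self.balances[to] += amount
        return "200 ok"


class Client:
    """One application with its own cookie jar (a browser, or a native banking app)."""
    def __init__(self):
        self.jar = {}

    def login(self, bank, user):
        self.jar.update(bank.login(user))

    def cross_site_post(self, bank, to, amount):
        # Eve's page triggers the request; whatever THIS client's jar holds is attached.
        return bank.transfer(dict(self.jar), to, amount)


def scenario(login_via_browser, require_token):
    bank = BankServer(require_token)
    browser, native_app = Client(), Client()
    (browser if login_via_browser else native_app).login(bank, "alice")
    # Eve's malicious page is opened in the browser, never inside the banking app.
    return browser.cross_site_post(bank, "eve", 50), bank.balances["alice"]
```

`scenario(True, False)` reproduces the web CSRF; `scenario(False, False)` is the question's mobile case, where the browser's jar is empty and the request is rejected.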