How to prevent token replacement attacks?
Problem description:
Suppose we have two users doing the following operations -
- User1 requests an access token from the authentication server and is granted one.
- Now User1 saves the token in localStorage/a cookie for future API access.
- Now User2 snoops on User1 and obtains some information about the access_token.
- Now User2 calls the API with User1's access_token and gets access without logging in.
Now, can we validate the token in any way?
Answer
You can't avoid that happening. However, the token should have an expiration time, so the attacker will only have access during that time. Also, if you know that a token has been stolen, you can revoke it so it's no longer valid.
You could apply more security measures, such as associating the token with a specific IP address, or some advanced services that even use machine learning to detect unusual behaviour.
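As an added example (not part of the original question or answer), the following Python server-side check applies the three measures the answer lists, expiry, revocation and binding to the client IP, when validating a token. The HMAC secret, the token format and the addresses are constructed for illustration only.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for this example; a real deployment loads it from a secret store.
SECRET = b"server-side-secret-key-change-me"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(user: str, client_ip: str, ttl: int, now: float, token_id: str) -> str:
    """Issue an HMAC-signed token carrying an expiry (exp), a unique id (jti) for
    revocation, and the client IP it was issued to (ip)."""
    claims = {"sub": user, "ip": client_ip, "exp": int(now) + ttl, "jti": token_id}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token: str, client_ip: str, now: float, revoked: set) -> tuple:
    """Return (True, subject) for a usable token, or (False, reason) when the token is
    malformed, forged, expired, revoked, or presented from a different IP address."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:  # expiry limits how long a stolen token is useful
        return False, "expired"
    if claims["jti"] in revoked:  # server-side revocation list of token ids
        return False, "revoked"
    if claims["ip"] != client_ip:  # token bound to the address it was issued to
        return False, "ip mismatch"
    return True, claims["sub"]
```

Binding to an IP address rejects a stolen token replayed from elsewhere, but legitimate users on mobile networks or behind changing NAT addresses will also be rejected, so it trades availability for containment.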