CSRF 攻击检测和日志记录是安全防护的重要组成部分,能够帮助及时发现攻击行为、分析攻击模式并改进防护策略。
CSRF 攻击检测方法
1. 请求模式分析
// 检测异常请求模式 class CSRFAttackDetector { constructor() { this.requestHistory = new Map(); this.suspiciousPatterns = []; } analyzeRequest(req) { const userId = req.user?.id; const ip = req.ip; const userAgent = req.headers['user-agent']; const referer = req.headers.referer; const origin = req.headers.origin; // 检测可疑模式 const suspicious = { missingReferer: !referer && req.method !== 'GET', mismatchedOrigin: origin && referer && this.extractDomain(origin) !== this.extractDomain(referer), rapidRequests: this.checkRapidRequests(userId, ip), unusualUserAgent: this.checkUnusualUserAgent(userAgent), suspiciousReferer: this.checkSuspiciousReferer(referer) }; return suspicious; } extractDomain(url) { try { return new URL(url).hostname; } catch { return null; } } checkRapidRequests(userId, ip) { const key = `${userId}-${ip}`; const now = Date.now(); const history = this.requestHistory.get(key) || []; // 检查最近 10 秒内的请求数量 const recentRequests = history.filter(time => now - time < 10000); this.requestHistory.set(key, [...recentRequests, now]); return recentRequests.length > 20; // 阈值 } checkUnusualUserAgent(userAgent) { // 检测自动化工具的特征 const suspiciousPatterns = [ /bot/i, /crawler/i, /spider/i, /curl/i, /wget/i ]; return suspiciousPatterns.some(pattern => pattern.test(userAgent)); } checkSuspiciousReferer(referer) { if (!referer) return false; // 已知的恶意域名列表 const maliciousDomains = [ 'malicious-site.com', 'evil-attacker.net' ]; const domain = this.extractDomain(referer); return maliciousDomains.includes(domain); } }
2. 行为分析
// 用户行为分析 class BehaviorAnalyzer { constructor() { this.userProfiles = new Map(); } analyzeUserBehavior(userId, req) { const profile = this.userProfiles.get(userId) || this.createProfile(userId); // 更新用户行为数据 profile.requestCount++; profile.lastActivity = Date.now(); profile.requestTypes[req.method] = (profile.requestTypes[req.method] || 0) + 1; // 检测异常行为 const anomalies = { suddenActivitySpike: this.checkActivitySpike(profile), unusualRequestPattern: this.checkRequestPattern(profile, req), geographicAnomaly: this.checkGeographicAnomaly(profile, req.ip) }; this.userProfiles.set(userId, profile); return anomalies; } checkActivitySpike(profile) { const timeWindow = 60000; // 1 分钟 const threshold = 50; // 阈值 const recentActivity = profile.activityHistory.filter( time => Date.now() - time < timeWindow ).length; return recentActivity > threshold; } checkRequestPattern(profile, req) { // 检测不常见的请求模式 const commonPatterns = ['GET', 'POST']; return !commonPatterns.includes(req.method) && profile.requestTypes[req.method] === 1; } checkGeographicAnomaly(profile, ip) { // 检测地理位置异常(需要 IP 地理位置数据库) const currentLocation = this.getLocationFromIP(ip); if (profile.previousLocations.length > 0) { const distance = this.calculateDistance( profile.previousLocations[profile.previousLocations.length - 1], currentLocation ); // 如果距离过大且时间很短,可能是异常 const timeDiff = Date.now() - profile.lastLocationCheck; return distance > 1000 && timeDiff < 3600000; // 1000km, 1小时 } return false; } }
日志记录系统
1. 结构化日志记录
// CSRF 事件日志记录器 class CSRFLogger { constructor() { this.logs = []; this.logFile = 'csrf-events.log'; } logCSRFEvent(event) { const logEntry = { timestamp: new Date().toISOString(), eventType: event.type, // 'attempt', 'blocked', 'detected' userId: event.userId, ip: event.ip, userAgent: event.userAgent, request: { method: event.method, path: event.path, headers: this.sanitizeHeaders(event.headers) }, detection: { reason: event.reason, confidence: event.confidence, patterns: event.patterns }, metadata: { sessionId: event.sessionId, referer: event.referer, origin: event.origin } }; this.logs.push(logEntry); this.writeToFile(logEntry); this.sendAlert(logEntry); } sanitizeHeaders(headers) { // 移除敏感信息 const sanitized = { ...headers }; delete sanitized.cookie; delete sanitized.authorization; return sanitized; } writeToFile(logEntry) { const logLine = JSON.stringify(logEntry) + '\n'; fs.appendFileSync(this.logFile, logLine); } sendAlert(logEntry) { // 发送告警通知 if (logEntry.eventType === 'blocked' || logEntry.detection.confidence > 0.8) { this.notifySecurityTeam(logEntry); } } notifySecurityTeam(logEntry) { // 集成告警系统(如 Slack、Email、PagerDuty) console.log('🚨 CSRF Attack Alert:', logEntry); } }
2. 实时监控
// 实时 CSRF 攻击监控 class CSRFMonitor { constructor() { this.detector = new CSRFAttackDetector(); this.behaviorAnalyzer = new BehaviorAnalyzer(); this.logger = new CSRFLogger(); this.alertThreshold = 10; // 10 分钟内超过 10 次攻击 } monitorRequest(req, res, next) { const suspicious = this.detector.analyzeRequest(req); // 检查是否有可疑模式 const hasSuspiciousPattern = Object.values(suspicious).some(v => v); if (hasSuspiciousPattern) { this.logger.logCSRFEvent({ type: 'detected', userId: req.user?.id, ip: req.ip, userAgent: req.headers['user-agent'], method: req.method, path: req.path, headers: req.headers, reason: suspicious, confidence: this.calculateConfidence(suspicious), patterns: Object.keys(suspicious).filter(k => suspicious[k]), sessionId: req.sessionID, referer: req.headers.referer, origin: req.headers.origin }); // 根据置信度决定是否阻止请求 if (this.calculateConfidence(suspicious) > 0.7) { return res.status(403).send('Request blocked due to suspicious activity'); } } next(); } calculateConfidence(suspicious) { // 计算攻击置信度 const weights = { missingReferer: 0.3, mismatchedOrigin: 0.4, rapidRequests: 0.5, unusualUserAgent: 0.2, suspiciousReferer: 0.8 }; let confidence = 0; for (const [key, value] of Object.entries(suspicious)) { if (value && weights[key]) { confidence += weights[key]; } } return Math.min(confidence, 1.0); } }
集成到应用中
// Express 中间件集成 const csrfMonitor = new CSRFMonitor(); // 应用 CSRF 监控中间件 app.use(csrfMonitor.monitorRequest.bind(csrfMonitor)); // CSRF 防护中间件 app.use((req, res, next) => { if (['GET', 'HEAD', 'OPTIONS'].includes(req.method)) { return next(); } // 验证 CSRF Token const token = req.body._csrf || req.headers['x-csrf-token']; if (token !== req.session.csrfToken) { csrfMonitor.logger.logCSRFEvent({ type: 'blocked', userId: req.user?.id, ip: req.ip, userAgent: req.headers['user-agent'], method: req.method, path: req.path, headers: req.headers, reason: { invalidToken: true }, confidence: 0.9, patterns: ['invalidToken'], sessionId: req.sessionID, referer: req.headers.referer, origin: req.headers.origin }); return res.status(403).send('Invalid CSRF token'); } next(); });
日志分析和报告
// 日志分析工具 class CSRFLogAnalyzer { constructor(logger) { this.logger = logger; } generateReport(timeRange = '24h') { const logs = this.filterLogsByTime(timeRange); return { summary: { totalAttempts: logs.length, blockedAttempts: logs.filter(l => l.eventType === 'blocked').length, detectedAttempts: logs.filter(l => l.eventType === 'detected').length, uniqueIPs: new Set(logs.map(l => l.ip)).size, uniqueUsers: new Set(logs.filter(l => l.userId).map(l => l.userId)).size }, topAttackers: this.getTopAttackers(logs), commonPatterns: this.getCommonPatterns(logs), timeline: this.getAttackTimeline(logs) }; } getTopAttackers(logs, limit = 10) { const ipCounts = {}; logs.forEach(log => { ipCounts[log.ip] = (ipCounts[log.ip] || 0) + 1; }); return Object.entries(ipCounts) .sort((a, b) => b[1] - a[1]) .slice(0, limit) .map(([ip, count]) => ({ ip, count })); } getCommonPatterns(logs) { const patternCounts = {}; logs.forEach(log => { log.detection.patterns.forEach(pattern => { patternCounts[pattern] = (patternCounts[pattern] || 0) + 1; }); }); return Object.entries(patternCounts) .sort((a, b) => b[1] - a[1]); } getAttackTimeline(logs) { const timeline = {}; logs.forEach(log => { const hour = new Date(log.timestamp).getHours(); timeline[hour] = (timeline[hour] || 0) + 1; }); return timeline; } }
CSRF 攻击检测和日志记录系统应该与防护措施结合使用,形成完整的安全防护体系。定期分析日志数据可以帮助改进防护策略和及时发现新的攻击模式。