Cryptocurrency News

Backend-for-Frontend, Token Theft and Security: Navigating the Dangerous Waters of Modern Web Applications

2025/11/05 03:41

Exploring the security challenges in single-page applications (SPAs) and how the Backend-for-Frontend (BFF) pattern offers a robust solution against token theft and XSS attacks.

In the ever-evolving landscape of web application security, staying ahead of threats is paramount. The dynamics around Backend-for-Frontend (BFF), token theft, and overall security are constantly shifting, demanding a proactive approach.

The SPA Security Paradox

Single-Page Applications (SPAs) have revolutionized user experience with their speed and interactivity. However, this progress introduces a critical security challenge: securely storing access tokens in the browser. Unlike traditional server-side applications, SPAs rely on storing tokens in the browser, making them vulnerable to attacks like Cross-Site Scripting (XSS).

The Problem: Tokens in the Frontend

SPAs, being "public clients," can't securely store secrets. Storing tokens in localStorage, sessionStorage, or memory exposes them to XSS attacks. Malicious code can easily access and exfiltrate these tokens, granting attackers full account access.

Attack Vectors: Single-Execution and Persistent Token Theft

Attackers employ various methods. In single-execution token theft, injected JavaScript scans the storage locations once and exfiltrates whatever tokens it finds. Persistent token theft keeps running in the page and exfiltrates each new token as it is issued; because the attacker's copy is always current, refresh token rotation is bypassed, and the steady exfiltration traffic resembles a "heartbeat signal", which helps it avoid detection.

Defensive Measures and Their Limitations

While short token lifespans and refresh token rotation offer some protection, they're not foolproof. Persistent token theft, in particular, can circumvent these measures. Current OAuth2 guidelines suggest in-memory storage with web worker sandboxing, but even this has limitations.

Acquisition of New Tokens: Bypassing Token Storage Altogether

A particularly insidious attack involves attackers initiating their own Authorization Code Flow using hidden iframes, exploiting the user's active session with the token provider. The prompt=none parameter enables silent authentication, making it difficult to distinguish from legitimate requests.

The Backend-for-Frontend (BFF) Pattern: A Robust Solution

The Backend-for-Frontend (BFF) pattern offers a compelling solution by moving token management back to the server. This approach mitigates the risks associated with storing tokens in the browser, enhancing security without sacrificing the benefits of SPAs.

The Persistent Threat of XSS: A Reality Check

Despite advancements in browser security and developer awareness, XSS remains a significant threat. Modern attacks exploit new vectors, bypassing traditional protective measures. Supply chain attacks, compromised browser extensions, and DOM-based attacks are particularly concerning.

Supply Chain Attacks: The Silent Epidemic

Modern SPAs integrate hundreds of npm packages, making them vulnerable to supply chain attacks. A single compromised package can lead to complete code execution in the browser. Content Security Policy (CSP) can't distinguish between legitimate and compromised packages, exacerbating the risk.

Ocean Protocol Controversy: A Reminder of Governance and Transparency

The recent dispute involving Ocean Protocol Foundation, Fetch.ai, and SingularityNET underscores the importance of governance and transparency in cryptocurrency alliances. Allegations of token misuse and fund mismanagement highlight the potential risks and challenges in decentralized ecosystems.

While the Berachain network restart due to a Balancer V2 vulnerability might seem unrelated, it's another piece of the puzzle. These events highlight the need for continuous vigilance and robust security practices.

Final Thoughts

The world of web application security is a wild ride, isn't it? From SPA vulnerabilities to crypto controversies, there's always something new to keep us on our toes. Staying informed, adopting best practices like the BFF pattern, and maintaining a healthy dose of skepticism are key to navigating these treacherous waters. So, keep your wits about you, and let's build a more secure digital future, one line of code at a time!

Original source: heise
