1 thought on “CSRF (cross -domain request forgery)”

  1. Cross-site request forgery. Simply put, the attacker uses some technical means to deceive the user's browser into visiting a website the user has already authenticated to and performing operations there (such as sending emails, sending messages, or even property operations such as transferring money and purchasing goods). Because the browser has already been authenticated, the visited website treats the requests as real user operations. This exploits a loophole in user identity verification on the web: simple authentication can only ensure that a request comes from a certain user's browser, but it cannot guarantee that the request itself was issued voluntarily by the user.
    You can understand a CSRF attack this way: the attacker steals your identity and sends malicious requests in your name. What CSRF can do includes sending emails, sending messages, stealing your account, even buying goods and transferring virtual currency. Consequences: leakage of personal privacy and loss of property.
    It can be seen from the figure above that, for a CSRF attack to be completed, the victim must complete two steps in order:
    1. Log in to the trusted website A and generate a cookie locally.
    2. Without logging out of A, visit the dangerous website B.
    Seeing this, you may say, "If I do not satisfy one of the above two conditions, I will not be attacked by CSRF." Yes, that is true, but you cannot guarantee that the following situations will not happen:
    1. You cannot guarantee that you will not open another tab and visit another website after you log in to a website.
    2. You cannot guarantee that, after you close your browser, your local cookie expires immediately and your last session has ended.
    3. The so-called attack website in the figure above may be a trusted website that has other vulnerabilities.
    1. Submit a verification code
    Add a random numeric or alphabetic verification code to the form; forcing interaction between the user and the application effectively curbs CSRF attacks.
    2. Referer check (Referer: identifies the source of the request)
    If the request does not come from a normal page, it is most likely a CSRF attack.
    3. Token verification
    Add a random token as a parameter in the HTTP request and build an interceptor on the server side to verify this token. If there is no
    token or the content of the token is incorrect, treat it as a possible CSRF attack and reject the request.
    The token must be sufficiently random.
    Sensitive operations should use POST instead of GET. Submitting via a form avoids leaking the token.
    4. Custom attribute in the HTTP header, then verify
    This method also uses a token for verification, but instead of placing the token in the HTTP request as a parameter, it puts it in a custom attribute in the HTTP header. Through the request class used, the header attribute can be added to all requests of that class at once, with the token value placed in it. This avoids the inconvenience of adding the token to every request individually. At the same time, since the request address is not recorded in the browser's address bar, you do not have to worry about the token leaking to other websites through the Referer.
    CSRF filter:
    Referer check: if the request is not from a normal page, it is most likely a CSRF attack.
    A custom request header "Suppleter", whose value is built from the phone number, email, date and special characters, base64-encoded by the front end and parsed by the back-end filter.
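The server-side CSRF filter described in the comment above (Referer check plus token verification, with the token accepted from either a form field or a custom header), as an added example that is not part of the original comment. The host name `bank.example`, the header name `X-CSRF-Token` and the request/session dictionaries are assumptions standing in for a real web framework.

```python
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "bank.example"          # assumed host of "website A"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session: dict) -> str:
    """Create a sufficiently random token and bind it to the user's session."""
    token = secrets.token_urlsafe(32)   # 256 bits of randomness
    session["csrf_token"] = token       # served to the page as a hidden field / JS value
    return token


def referer_is_trusted(headers: dict) -> bool:
    """Referer check: a present Referer/Origin must name one of our own pages.

    Some browsers and privacy tools strip the Referer, so a missing header is
    tolerated here and the token check below remains the primary defence.
    """
    source = headers.get("Referer") or headers.get("Origin")
    if source is None:
        return True
    return urlsplit(source).hostname == TRUSTED_HOST


def token_is_valid(session: dict, form: dict, headers: dict) -> bool:
    """Token check: the token may arrive as a form field or as a custom header."""
    expected = session.get("csrf_token")
    presented = form.get("csrf_token") or headers.get("X-CSRF-Token")
    if not expected or not presented:
        return False                     # no token at all -> reject
    return hmac.compare_digest(expected, presented)  # constant-time comparison


def csrf_filter(session: dict, request: dict) -> bool:
    """Return True if the request may proceed, False if it should be rejected."""
    if request["method"].upper() in SAFE_METHODS:
        return True                      # sensitive operations must use POST anyway
    headers = request.get("headers", {})
    return referer_is_trusted(headers) and token_is_valid(
        session, request.get("form", {}), headers
    )
```

Constructed sample requests in the test show a legitimate form post passing, a cross-site post with a stolen-looking token but a foreign Referer being rejected, and a post with no token being rejected.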
