1 thought on “Spring Security's CSRF protection mechanism”

  1. CSRF (Cross-Site Request Forgery), Chinese name: cross-site request forgery
    You can understand a CSRF attack this way: the attacker steals your identity and sends malicious requests in your name. What CSRF can do includes: sending emails, sending messages, stealing your account, even buying goods, transferring virtual currency ... The problems caused include personal privacy leakage and threats to property security.
    The CSRF attack method was proposed by foreign security personnel in 2000, but in China it received no attention until 2006. In 2008, many large communities and interactive websites at home and abroad were revealed to have CSRF vulnerabilities, for example: Nytimes (New York Times), (a large Blog website), YouTube and Baidu Hi ... Even now, many sites on the Internet are still unprepared, so that the security industry calls CSRF the "sleeping giant".

    It can be seen from the above figure that to complete a CSRF attack, the victim must complete three steps in turn:
    1. Log in to the trusted website A and generate cookies locally.
    2. While still logged in, visit the dangerous website B.

    The main strategies the industry currently uses to defend against CSRF attacks are: verifying the HTTP Referer field; adding a token to the request address and verifying it; adding custom attributes to the HTTP header and verifying them.
    1) Verify the HTTP Referer field
    According to the HTTP protocol, there is a field in the HTTP header called Referer, which records the source address of the HTTP request. Under normal circumstances, a request to access a restricted page comes from the same website, so the request handler in the background verifies the request's Referer value. If it is a domain name starting with the site's own secure website, it means the request is legal. If the Referer is another website, it may be a hacker's CSRF attack and the request is rejected.
    2) Add a token to the request address and verify it
    A CSRF attack succeeds because hackers can completely forge the user's request: all of the user's verification information in the request exists in cookies. Therefore, hackers can directly use the user's own cookies to pass security verification without knowing this verification information. To resist CSRF, the key is to put information that the hacker cannot forge in the request, information that does not exist in cookies. You can add a random token to the HTTP request in the form of a parameter, and create an interceptor on the server to verify this token. If there is no token in the request, or the token ...
    3) Custom attributes in the HTTP header and verify them
    This method also uses a token and verifies it. Unlike the previous method, it does not place the token in the HTTP request in the form of a parameter; instead, the token is placed in a custom attribute of the HTTP header.

    org .security.web.csrf.
    CSRF, also known as cross-site request forgery. Spring Security verifies whether all POST requests contain the system-generated CSRF token information; if not, it reports an error. This has the effect of preventing CSRF attacks. (1. Generate token 2. Verify token)
    1) Enable CSRF protection

    2) Pages need to add the token value
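The two Spring Security steps the comment ends with, 1) enable CSRF protection and 2) put the token value into the page, look like this with the Java configuration style of Spring Security 6. This is an added example, not code from the comment or from the Spring Security project; it assumes a Spring Boot web application with `spring-boot-starter-security` on the classpath, and the names `CsrfConfig`, `TransferPageController` and the `/transfer` path are hypothetical. The `CsrfToken` request attribute, `getParameterName()`, `getHeaderName()` and `getToken()` are Spring Security's own API; in a Thymeleaf template the same values are available as `${_csrf.parameterName}`, `${_csrf.headerName}` and `${_csrf.token}`.

```java
// Added example: Spring Security 6 CSRF configuration plus a page that embeds the token.
// Not from the comment above or from the Spring Security project; names are hypothetical.
package example.csrf;

import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.csrf.CsrfToken;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Configuration
@EnableWebSecurity
public class CsrfConfig {

    // 1) Enable CSRF protection. It is on by default for the servlet stack; writing it out
    //    makes the intent explicit and stops a later edit from disabling it unnoticed.
    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .csrf(Customizer.withDefaults())
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .formLogin(Customizer.withDefaults());
        return http.build();
    }
}

@Controller
class TransferPageController {

    // 2) Pages need to add the token value. Spring Security exposes the current token as a
    //    request attribute keyed by the CsrfToken class name (also reachable as "_csrf").
    @GetMapping(value = "/transfer", produces = "text/html")
    @ResponseBody
    String page(HttpServletRequest request) {
        CsrfToken token = (CsrfToken) request.getAttribute(CsrfToken.class.getName());
        // The default token is a UUID/base64 string, so it needs no HTML escaping here.
        return "<html><head>"
             + "<meta name=\"_csrf\" content=\"" + token.getToken() + "\"/>"
             + "<meta name=\"_csrf_header\" content=\"" + token.getHeaderName() + "\"/>"
             + "</head><body>"
             + "<form method=\"post\" action=\"/transfer\">"
             + "<input type=\"hidden\" name=\"" + token.getParameterName()
             + "\" value=\"" + token.getToken() + "\"/>"
             + "<input name=\"amount\"/>"
             + "<button type=\"submit\">Transfer</button>"
             + "</form></body></html>";
    }

    // The POST never reaches this handler unless Spring Security's CsrfFilter has already
    // matched the submitted token against the stored one; otherwise the client gets 403.
    @PostMapping("/transfer")
    @ResponseBody
    String transfer(@RequestParam("amount") String amount) {
        return "transfer of " + amount + " accepted";
    }
}
```

The two `<meta>` tags serve JavaScript clients: a script reads the header name and token from them and sends the token in that header on every state-changing request, which is the comment's defense 3) expressed with Spring Security's built-in names.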
