What is CSRF

An attacker constructs a URL, such as the one that deletes a post on a blog site, and then entices an already logged-in user to click on it. The user unknowingly deletes a post they published earlier, using their own session. This technique of building a malicious link and using the victim's own hand to do the damage is called CSRF, Cross-Site Request Forgery.

Browser Cookie Policy

Classification of cookies

Cookies fall into two types depending on whether an expiration time is set. Those without one are session cookies; Firefox marks which cookies are session cookies, and they are erased when the browser is closed. Those with an expiration time are persistent cookies (referred to below as local cookies); they are written to disk and remain usable until they expire. Note that "third-party cookie" properly describes a different distinction, namely a cookie sent to a domain other than that of the page which triggered the request, which is exactly the situation CSRF exploits.

CSRF implementation principle

Most meaningful operations on a site can only be performed after login. CSRF makes use of the user's login cookie: from the attacker's site it causes the user's browser to send a deletion request to the blog site. For example, the user is lured to a page controlled by the attacker, and that page contains an image tag whose address is really a deletion request to the blog site:

```html
<html>
  <!-- the attacker's page: rendering this tag makes the victim's browser send a GET to csdn.com with the victim's csdn.com cookies attached -->
  <img src="http://csdn.com?delete=10">
</html>
```

For this to work, the attack also relies on the cookie the user received when logging in to CSDN. As discussed earlier under the same-origin policy, tags such as img and iframe are allowed to load cross-origin resources, so when the browser requests the image from CSDN it sends the CSDN cookies along with it (which cookies are sent depends on the cookie scope, that is, their Domain and Path attributes). CSDN validates the cookie, mistakes the request for a deliberate action by the user, and the user has deleted their own article without realising it.

Older versions of Internet Explorer and Safari did not send persistent (local) cookies on requests made by img or iframe tags, whereas Firefox, Chrome and the other major browsers of the time sent them. This has since changed: Chrome (from version 80) and other Chromium-based browsers treat cookies without a SameSite attribute as SameSite=Lax by default, which stops the cookie being attached to cross-site img and iframe requests (see Scheme 4 below).

For the old versions of IE, session cookies were still sent in these cases. To have local cookies sent as well, the website had to include a P3P header in the HTTP response it returned to the browser; after that, local cookies were allowed on subsequent visits to the site.

The same-origin policy is enforced by the browser, not by the server. A request that is not sent through a browser (for example from curl or a script) is subject to neither the same-origin policy nor cross-domain restrictions, so the server cannot rely on that policy to protect itself.
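The mechanics described above, as an added example that is not part of the original post: a Python model of the browser choosing which cookies to attach to the cross-site img request, and of a blog endpoint that authorises deletion from the session cookie alone. The host name csdn.com and the delete=10 parameter are taken from the snippet above; the cookie names, session id, post ids and server state are constructed for illustration.

```python
"""Added example, not from the original post: why <img src="http://csdn.com?delete=10">
works. It simulates the two things the attack relies on: the browser attaching every
in-scope cookie to a cross-site <img> request, and a server that authorises deletion
from the session cookie alone. Cookie names, session id, post ids are constructed."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # Domain attribute the cookie is scoped to
    path: str = "/"  # Path attribute


def cookies_for_request(jar, url):
    """Return the cookies a browser attaches to a request for `url`.

    Scope is decided only by each cookie's Domain and Path (RFC 6265
    domain-matching and path-matching). Which page caused the request is
    irrelevant, which is exactly what CSRF exploits."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    attached = {}
    for c in jar:
        domain_ok = host == c.domain or host.endswith("." + c.domain)
        path_ok = path == c.path or path.startswith(c.path.rstrip("/") + "/")
        if domain_ok and path_ok:
            attached[c.name] = c.value
    return attached


# Constructed server state: session id -> user, user -> {post id: title}
SESSIONS = {"s3ss10n-abc": "alice"}
POSTS = {"alice": {10: "My first post", 11: "Second post"}}


def handle_delete_vulnerable(url, cookies):
    """Blog endpoint that trusts the session cookie alone (the flaw).

    It accepts GET, never checks Referer/Origin and has no CSRF token, so any
    request carrying a valid session cookie deletes the post."""
    user = SESSIONS.get(cookies.get("sid"))
    if user is None:
        return 401, "login required"
    post_id = int(parse_qs(urlsplit(url).query).get("delete", ["0"])[0])
    if post_id not in POSTS.get(user, {}):
        return 404, "no such post"
    del POSTS[user][post_id]
    return 200, f"deleted post {post_id}"


def render_attacker_page(jar, html):
    """Model the victim's browser rendering the attacker's page: every
    <img src> becomes a GET request with the cookies in scope for its URL."""
    srcs = re.findall(r'<img\s+src\s*=\s*"([^"]+)"', html, re.IGNORECASE)
    return [handle_delete_vulnerable(u, cookies_for_request(jar, u)) for u in srcs]


def demo():
    """Victim is logged in to csdn.com and visits the attacker's page."""
    POSTS["alice"] = {10: "My first post", 11: "Second post"}  # reset state
    jar = [
        Cookie("sid", "s3ss10n-abc", "csdn.com"),   # the login cookie
        Cookie("theme", "dark", "example.org"),     # unrelated site, not sent
    ]
    attacker_page = '<html><img SRC ="http://csdn.com?delete=10"></html>'
    return render_attacker_page(jar, attacker_page)


if __name__ == "__main__":
    print(demo())  # [(200, 'deleted post 10')]
```

Running the script deletes post 10: the example.org cookie is not attached, but the csdn.com session cookie is, and the server has nothing else on which to decide whether the user meant to send the request.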


Practice

I found a GET request on my blog:

To initiate the request from a local page:


CSRF defense

Scheme 1: Verification code (CAPTCHA)

A CAPTCHA forces the user to interact with the operation, whereas CSRF depends on the request being sent without the user's knowledge, so it stops the attack. The cost is worse usability, so it is normally reserved for a few sensitive operations.

Scheme 2: Referer check

The most common use of a Referer check is to stop image hotlinking: the server decides whether a request is legitimate by looking at where it came from. If the attacker embeds the blog's URL in a page on the attacker's site, the Referer of the resulting request is the attacker's site, which largely identifies it as CSRF. The weakness of this method is that the server does not always receive a Referer: browsers omit it under some privacy settings and Referrer-Policy values and on transitions from HTTPS to HTTP, so the server must decide explicitly whether a request with no Referer is rejected or allowed. Modern browsers also send an Origin header on cross-site POST requests, which can be checked in the same way.

Scheme 3: Construct an unpredictable URL

CSRF succeeds because the request URL is predictable: the attacker can build it in advance. If the URL cannot be predicted, the attacker has nothing to forge. The most common way to achieve this is to add a token parameter to the request. The token is generated for the user's session, which is identified by the login cookie, and the server keeps the expected value; the same value is placed in the page. A CSRF attack can only make the browser send the login cookie along; it cannot read the cookie or the page, so it cannot learn the token (unless the user is also hit by XSS, which leaks the page contents and the token, in which case the token no longer helps).

The token must be placed both in the submitted form and in the server-side session. Within its validity period the same token can be reused as long as it has not been consumed (that is, the user has not yet submitted the form; the server needs a way to tell whether a token has been used). Once it has been used, a new token is generated and stored in the form and in the session.

Tokens must also be kept confidential. They should not appear in URLs, because a URL leaks through the Referer header of later requests; put them in the form instead, change sensitive actions from GET to POST, and submit them through a form or an AJAX request so that the token is not disclosed.

Scheme 4: SameSite Cookie to prevent CSRF attacks

The existing defences against CSRF are token verification and Referer checking. To address the problem at its source, Google drafted an extension to the HTTP cookie specification that adds a SameSite attribute to the Set-Cookie response header, marking the cookie as a "same-site cookie". Such a cookie is only ever sent as a first-party cookie, never as a third-party cookie, so it is not attached to a request triggered from another site. The draft defined two values, Strict and Lax: with Strict the cookie is never sent on any cross-site request; with Lax it is still sent on top-level navigations that use a safe method such as GET (a later revision added None to opt out explicitly, which requires the Secure attribute). Lax therefore does not protect a state-changing GET endpoint such as the ?delete=10 link above if the victim is lured into clicking it as a top-level link. www.cnblogs.com/ziyunfei/p/…
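The three mechanisms of Schemes 2, 3 and 4, as an added example that is not the post's own code: a hardened delete handler in Python that checks Origin/Referer with an explicit policy for a missing header, verifies a per-session token submitted in a POST form, and sets SameSite on the session cookie. SITE_HOST, the cookie and form field names and the demo requests are assumptions.

```python
"""Added example, not part of the original post: a hardened delete endpoint that
applies the three defences described above (Referer check, unpredictable token,
SameSite cookie) and handles the cases the text warns about: a missing Referer,
a token that must not leak via GET, and SameSite=Lax still allowing top-level GET.
The host name, cookie name and form field names are assumptions."""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "csdn.com"  # assumed first-party host of the blog


def session_set_cookie(sid, samesite="Lax"):
    """Scheme 4: Set-Cookie value for the login cookie.

    Strict: never sent on cross-site requests (breaks links from other sites).
    Lax: not sent for <img>, <iframe> or cross-site POST, but still sent on a
    top-level GET navigation, so Lax alone does not protect a GET endpoint
    such as ?delete=10 if the victim clicks a link to it."""
    if samesite not in ("Strict", "Lax"):
        raise ValueError("use Strict or Lax for a session cookie")
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite={samesite}"


def issue_csrf_token(session):
    """Scheme 3: one unguessable token per session, kept server side and
    embedded in the form as a hidden field (never in a URL, where it would
    leak through Referer). Reused until the session is regenerated."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def request_is_same_site(headers):
    """Scheme 2: check Origin (sent on cross-site POST) or, failing that,
    Referer. Returns None when both are absent so the caller decides the
    policy for that case explicitly instead of silently accepting."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return None
    host = urlsplit(source).hostname or ""
    return host == SITE_HOST or host.endswith("." + SITE_HOST)


def handle_delete_hardened(method, headers, form, session):
    """Delete endpoint: POST only, source check, then token check."""
    if method != "POST":
        return 405, "state-changing actions must be POST"
    same_site = request_is_same_site(headers)
    if same_site is False:
        return 403, "cross-site request refused"
    # same_site is None: Referer/Origin stripped by privacy settings or
    # Referrer-Policy. Do not reject (breaks real users) and do not trust;
    # the token check below still decides.
    expected = session.get("csrf", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"deleted post {form.get('post_id')}"


def demo():
    """Walk through the requests a victim's browser and the attacker can make."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    legit = {"csrf_token": token, "post_id": "10"}
    return {
        "attacker img GET": handle_delete_hardened(
            "GET", {"Referer": "http://evil.example/"}, {}, session),
        "attacker auto-submitted POST": handle_delete_hardened(
            "POST", {"Origin": "http://evil.example"}, {"post_id": "10"}, session),
        "legit POST, Referer present": handle_delete_hardened(
            "POST", {"Referer": "https://csdn.com/edit/10"}, legit, session),
        "legit POST, Referer stripped": handle_delete_hardened("POST", {}, legit, session),
        "forged token": handle_delete_hardened(
            "POST", {"Referer": "https://csdn.com/edit/10"},
            {"csrf_token": "guess", "post_id": "10"}, session),
    }


if __name__ == "__main__":
    print(session_set_cookie("s3ss10n-abc"))
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "Referer stripped" case is the one the text flags: the request is still accepted, because the token, not the Referer, is what actually authorises it; the Referer check only rejects requests that positively name another site. The cookie string is what the login response should send so that, in browsers honouring SameSite, the session cookie is not even attached to the attacker's img or POST requests.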