CSRF (Cross-Site Request Forgery)

Principle

A third-party site sends cross-site requests to the target site, riding on the user's existing login state (session cookies) with that site, so the target server treats the forged request as if the user had made it.

Attack approach

1. Set the src attribute of an img tag to trigger a GET request

2. Construct a hidden form to send a POST request

3. Use the href of an a tag

How to verify the existence of CSRF vulnerability

Reference method (to be verified):

Test with CSRFTester: it captures all links and form data, lets you modify the corresponding form values, and resubmits them. If the server accepts the modified test request, a CSRF vulnerability exists.

Defense

1. Set the cookie's SameSite attribute to Strict or Lax

2. The server verifies the request's source site (the Referer or Origin header)

3. Use a CSRF token

4. Add a second authentication step (for example, a separate payment password)