This article was first published on the public account [programmer reading]; you are welcome to follow it.

CSRF is a common Web attack, but many developers still do not understand what CSRF is and pay no attention to the damage it can do to their sites. This article therefore walks through the concept of CSRF so that we can get a comprehensive understanding of it.

What is CSRF

Cross-Site Request Forgery (CSRF, also written XSRF), also known as One-Click Attack or Session Riding, is a very common Web attack. However, many developers lack this security awareness when building a project, so CSRF vulnerabilities creep in and give attackers an opening; once a Web site is attacked this way, the harm to the site is often serious.

The harm of CSRF

What exactly are the hazards of CSRF? To answer that, we first need to understand how a CSRF attack works.

A CSRF attack can be summarized in one sentence: the attacker borrows your identity and sends malicious requests in your name.

For example: using your account to send emails or messages, stealing your account, deleting your personal information, buying goods or virtual currency, or making a bank transfer.

In short, it causes leakage of personal privacy and loss of property.

The principle of CSRF

A CSRF attack involves three roles: the victim (User), the trusted website (the attacked website with the CSRF vulnerability, which we will call Web A), and the attacker's website (Web B). The principle of CSRF is shown in the diagram below:


From the diagram above, we can see that two conditions must be met to trigger a CSRF attack:

  1. The user logs in to Web A normally, and a Cookie is generated locally.
  2. Without logging out of Web A, the user visits Web B, which triggers the constructed request.

Let's assume that Web A has an article list that lets users delete their own articles through an HTTP GET link such as:

https://www.article.com/article_list.php?action=delete&article_id=1

If a user logs in to Web A and then visits Web B without logging out, Web B can construct a request to delete an article with the following element. When the user's browser loads the following picture on Web B, the user's article is deleted.

<img src="https://www.article.com/article_list.php?action=delete&article_id=1">

The code above uses GET, which other sites can forge very easily. Suppose we change it to POST; for example, in Web A the article-deletion code becomes:

<form method="POST" name="article" action="https://www.article.com/article_list.php">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="article_id" value="1">
</form>

Although Web A now uses a POST request, Web B can still forge the corresponding POST request, as follows:

<html>
<head>
<script type="text/javascript">
function BTN() {
    // Submit the hidden form; the response is loaded into the invisible iframe,
    // so the user sees nothing.
    document.forms["article"].submit();
}
</script>
</head>
<body onload="BTN()">
<iframe name="delArticle" style="display:none"></iframe>
<form method="POST" name="article" target="delArticle" action="www.article.com/article_lis...">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="article_id" value="1">
</form>
</body>
</html>

Nowadays we open a browser and visit thousands of websites, so visiting another site while still logged in to one is something that happens all the time.

How to defend

The introduction above should make the principle of CSRF clear, and only once we understand the principle can we know how to defend against such attacks. We mainly introduce the following three methods.

Verification code (captcha)

A verification code is an effective way to defend against CSRF attacks. The idea is that every sensitive operation requires the user to enter a verification code.

A CSRF attack works by constructing a network request on the attacker's site and triggering it without the user's knowledge. Forcing the user to enter a verification code makes the user aware of what is being done, and so prevents the attack.

The problem with this approach is that requiring a verification code for every operation gives a poor user experience, so it is not commonly used and can only serve as an auxiliary protective measure.

Check the HTTP Referer field

Since we know that a CSRF attacker comes from another site, as in the diagram above where Web B attacks Web A, we can prevent CSRF attacks by checking where the request came from.

In an HTTP request, the Referer field carries the address of the page that issued the request, so we can read the Referer field and check whether it is an address on our own site, thereby preventing CSRF attacks.

However, this method has its limitations: often we cannot get the value of the Referer field at all.

  • Users may have disabled the Referer field for privacy reasons.
  • When jumping from HTTPS to HTTP, browsers do not send the Referer field for security reasons.
  • Some plug-ins allow the Referer field to be customized, so it can be forged.

So although checking the HTTP Referer field is not a reliable way to prevent CSRF attacks, it can still be used as a way to detect them.
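As an added example (not code from the original article), here is how Web A's server could classify the Referer of a delete request while respecting the limitations listed above. It is written in Python; the host name www.article.com comes from the article's example URL, and the sample requests, the name web-b.example and the classification labels are constructed for this illustration. A clearly foreign Referer is rejected, but a missing Referer is only logged, because rejecting it would lock out real users whose browsers strip the header.

```python
from urllib.parse import urlsplit

# Assumption for this example: Web A, the trusted site, is served from this host.
TRUSTED_HOST = "www.article.com"


def classify_referer(headers, trusted_host=TRUSTED_HOST):
    """Classify a state-changing request by its Referer header.

    Returns one of:
      "same-site"  - Referer present and its host is ours
      "cross-site" - Referer present but points at another host (a CSRF signal)
      "missing"    - no Referer at all (privacy settings, HTTPS to HTTP, ...)
    """
    # Header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return "missing"
    host = urlsplit(referer).hostname
    if host is None:
        # Malformed value such as "www.article.com/x" with no scheme: treat as untrusted.
        return "cross-site"
    # Exact host match only: "www.article.com.evil.example" must not pass.
    return "same-site" if host == trusted_host.lower() else "cross-site"


def should_block(headers, trusted_host=TRUSTED_HOST):
    """Policy: reject only a clearly foreign Referer.

    A missing Referer is not rejected, because that would lock out real users
    whose browser strips the header; it is logged and left to the CSRF token
    check instead.
    """
    return classify_referer(headers, trusted_host) == "cross-site"


# Constructed sample requests to Web A's delete-article endpoint.
SAMPLE_REQUESTS = [
    {"Referer": "https://www.article.com/article_list.php"},  # clicked on Web A itself
    {"Referer": "https://web-b.example/index.html"},          # forged from Web B
    {},                                                       # Referer stripped by the browser
    {"referer": "https://www.article.com.evil.example/"},     # look-alike host
]


def audit(requests=SAMPLE_REQUESTS):
    """Return (classification, blocked) per request; the basis of a detection log."""
    return [(classify_referer(h), should_block(h)) for h in requests]


if __name__ == "__main__":
    for headers, (cls, blocked) in zip(SAMPLE_REQUESTS, audit()):
        print(f"{cls:10s} blocked={blocked} headers={headers}")
```

The "missing" case is exactly why Referer checking only detects rather than prevents: it has to be combined with the token method described next.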

CSRF Token

Neither captchas nor checking the HTTP Referer is a fully satisfactory solution to CSRF attacks.

The essence of a CSRF attack is that the attacker can guess all the parameters needed to construct the request. To defend against CSRF, then, we make the parameters unguessable. Currently a relatively effective and common method is to add a random, unpredictable token, which can be stored in the session or in a client-side cookie. The token is carried along when the request is submitted; since the attacker cannot know the token, the attacker cannot forge the request.

Note the following when using a CSRF token to defend against CSRF attacks:

  • The token must be secret and random so that it is unpredictable.
  • When using the token, submit it in a form POST request rather than appending it to the URL, to avoid exposing it.
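As an added example (not code from the original article, whose Web A is written in PHP), the following Python shows the token method end to end for the delete-article form: a secret, random token is generated once per session and stored server-side, embedded in a hidden form field, and checked with a constant-time comparison against the POST body only, so the forged form from Web B, which knows action and article_id but not the token, is rejected. The dict session store, the field name csrf_token and the handler messages are assumptions made for this illustration.

```python
import hmac
import secrets

# Assumption for this example: the hidden form field and the session key share this name.
TOKEN_FIELD = "csrf_token"


def issue_csrf_token(session):
    """Create an unpredictable token once per session and keep it server-side.

    session is a dict standing in for whatever server-side session store Web A uses.
    """
    if TOKEN_FIELD not in session:
        # 32 bytes from the OS CSPRNG: secret and random, hence unguessable.
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def hidden_token_field(session):
    """The <input> Web A embeds in its delete-article form next to action/article_id."""
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_FIELD, issue_csrf_token(session))


def csrf_token_valid(session, method, form):
    """Accept a state-changing request only when the token in the POST body
    matches the one stored in the session.

    form is the parsed POST body only; nothing from the URL query string is
    consulted, so the token is never exposed (or accepted) via the URL.
    """
    if method.upper() != "POST":
        return False  # state changes via GET are refused outright
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if not expected or not supplied:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected.encode("utf-8"), str(supplied).encode("utf-8"))


def handle_delete(session, method, form):
    """Web A's delete handler with the token check in front of the real action."""
    if not csrf_token_valid(session, method, form):
        return "rejected: missing or invalid CSRF token"
    return "deleted article %s" % form.get("article_id")


def simulate(victim_session, forged):
    """Simulate one delete request arriving at Web A.

    forged=False: the form Web A rendered for the user, so it carries the token.
    forged=True : the form Web B constructed; it knows action and article_id but
                  cannot know the token, so the request is rejected.
    """
    form = {"action": "delete", "article_id": "1"}
    if not forged:
        form[TOKEN_FIELD] = issue_csrf_token(victim_session)
    return handle_delete(victim_session, "POST", form)


if __name__ == "__main__":
    session = {}
    print(hidden_token_field(session))
    print(simulate(session, forged=False))
    print(simulate(session, forged=True))
```

Because the check reads the token only from the POST body and the session, a GET link like the one at the start of the article can never pass it, which is the practical meaning of the second bullet above.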

Summary

In this article we gave a comprehensive explanation of CSRF and introduced several methods of defending against CSRF attacks. In practice we can choose the appropriate method according to our actual situation.

