What is a CSRF attack

CSRF stands for Cross-Site Request Forgery. Unlike the XSS attack above, CSRF does not break into the target website. Its core principle is to forge requests from a trusted, already logged-in user.

For example: user A has just logged into bank A’s website in his browser. User A then receives an email, opens it and finds a link inside (never mind what the link is…). Curiosity drives him to open the link, and it happens that his default browser is the one in which he just logged in to the bank. After clicking, he finds nothing he was looking for, but soon receives a message from the bank: “Credit card number XXXX successfully transferred 1024 yuan”. At that moment, user A is dumbfounded…

This is a typical CSRF attack. Let’s analyze the flow of this attack:

  1. The victim logs in to website A, and the login credentials are saved in a cookie;
  2. The attacker induces the victim to click a URL that leads to the attacker’s own website;
  3. After the victim enters that site, the site issues a transfer request to website A, something like https://bank.com/transferable?amount=1024&to= [an id the attacker prepared in advance, so that the user transfers the money there];
  4. When this request is executed, the cookie from step 1 is carried along with it; the server verifies the cookie, finds it OK, executes the transfer logic, and it is over;

The above only serves to analyze the principle; in reality it cannot be that simple, but the core principle is basically this.

A small digression here: before I understood this topic, I thought that at step 3 the browser’s same-origin policy should block the request. After reading more about the same-origin policy, I found that it only prevents a script from reading the result (the response) of the request; the request itself is still sent to the server, and the back end still executes it…

Characteristics of CSRF attacks

  • The attack is generally launched from a third-party website, not from the website being attacked;
  • The attack does not steal data directly; instead it uses the victim’s login credentials on the targeted site (cookies, etc.) to submit the action as the victim.

How to defend against CSRF attacks

  1. On the server side, verify whether the Origin and Referer request headers come from this site;
  2. Add a one-time csrf token to each request, which the attacker cannot obtain;
  3. For requests requiring higher security, such as the transfer above, add secondary verification such as a captcha or an SMS verification code;
  4. Add the SameSite attribute to the set-cookie HTTP response header;

The above only gives the ideas for prevention; for the specific implementation, you can look up other articles using these keywords. At present, the fourth approach may have somewhat poor compatibility, so one common version is to combine approaches 1, 2 and 3 for protection.
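To make the ideas concrete, here is a small server-side check that puts approaches 1, 2 and 4 together. This is an added example, not code from the original post; the site origin, the header and form dictionaries, and the way the session token is stored are all assumptions, independent of any web framework.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://bank.example"  # assumed: the protected site's own origin


def issue_csrf_token() -> str:
    """Generate a random token; the server stores it in the user's session
    and embeds it in its own forms, so a foreign page never sees it."""
    return secrets.token_urlsafe(32)


def origin_ok(headers: dict) -> bool:
    """Approach 1: accept only if Origin (or, failing that, Referer) names
    this site. A request carrying neither header is rejected."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is None:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def token_ok(expected: str, submitted) -> bool:
    """Approach 2: the token submitted with the form must equal the one kept
    in the session. Constant-time comparison avoids leaking it byte by byte."""
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def accept_transfer(headers: dict, form: dict, session_token: str) -> bool:
    """The transfer handler runs only when both checks pass; a forged request
    from the attacker's page fails at least one of them."""
    return origin_ok(headers) and token_ok(session_token, form.get("csrf_token"))


def session_cookie(value: str) -> str:
    """Approach 4: a Set-Cookie value with SameSite, so the browser does not
    attach the session cookie to requests initiated from another site."""
    return f"session={value}; Secure; HttpOnly; SameSite=Strict; Path=/"
```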