Cross-site request forgery (CSRF)
The attacker borrows your authenticated identity and has your browser send malicious requests on your behalf.
Attack mode: for a CSRF attack to succeed, the victim must go through two steps in sequence:
- Log in to a trusted site A, so that the browser stores A's session cookie locally.
- Without logging out of A, visit a malicious site B. B contains forged requests aimed at A; because the browser automatically attaches the cached cookie for A to those requests, A processes them as if the victim had made them.
Attack instance
Attack scenario
Alice is the victim. She uses a bank site, http://unsafe/, that has a session fixation vulnerability. Mallory is the attacker; he wants to steal Alice's bank deposits, and Alice will click a link that Mallory sends her (perhaps because she knows Mallory, or because her security awareness is weak). Strictly speaking the scenario that follows is a session fixation attack rather than a forged cross-site request, but both attacks ride on the victim's authenticated session, and the defenses in the next section address both.
Attack steps:
- Hacker Mallory visits http://unsafe/ and obtains a session ID (session_id). For example, the server returns Set-Cookie: session_id=0D6441FEA4496C2.
- Mallory sends user Alice an email: "Our bank has launched a new service, please click here to be the first to try it: http://unsafe/?SID=0D6441FEA4496C2".
- Alice clicks the link and logs in. Because the server keeps the same session ID across login, the session Mallory obtained is now Alice's authenticated session.
- Mallory now visits http://unsafe/ presenting session_id=0D6441FEA4496C2, and with Alice's identity he can do whatever he wants.
Defense:
The application generates a CSRF token for every active user session. The token is used to verify that the authenticated user is really the one issuing the request to the application.
Whenever you define an HTML form in your application, include the CSRF token as a hidden form field, so that the server-side CSRF filter can check that the token in the submitted form matches the token stored in the session. Even if a form is forged in an email and your identity credential (the session_id) was captured in advance, the attacker cannot forge the random CSRF token, so the attack above is effectively prevented unless your endpoint is completely hijacked.
From the example above, there are two key points to keep in mind during development:
- After a successful login, issue a new session_id instead of keeping the pre-login one, and verify that the format of any session_id presented by the client is legal before accepting it.
- When receiving a sensitive operation, do not only verify the identity credential; also verify that the authenticated user is really the one making the request. Otherwise, exposure of the session_id means the login privilege is fully exposed.
Other scenarios
Attack scenario 1 (the simplest): the server accepts any session ID. The process is as follows:
- Hacker Mallory discovers that http://unsafe/ accepts any session ID: the session ID is carried to the server in a URL query parameter, and the server does not check it.
- Mallory sends user Alice an email, pretending to be the bank promoting a new service: "The bank has launched a new service; to be the first to try it, click: http://unsafe/?SID=I_WILL_KNOW_THE_SID". I_WILL_KNOW_THE_SID is a session ID Mallory chose himself.
- Alice is attracted, clicks http://unsafe/?SID=I_WILL_KNOW_THE_SID and, as usual, enters her account and password to log in to the bank site. Because the server does not change the session ID on login, the session now carries Alice's identity.
- Mallory now visits http://unsafe/?SID=I_WILL_KNOW_THE_SID, and he has Alice's identity; he can do whatever he wants.
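The session and form handling behind the attack steps, the two defenses, and attack scenario 1, as an added example that is not part of the original article. The bank server, the user Alice with her constructed credentials and the function names are assumptions; `hardened=False` reproduces the behaviour the article describes (the server adopts whatever SID the URL carries, keeps it across login and checks no CSRF token), and `hardened=True` applies the two key points above: a session ID is only accepted if the server issued it and its format is legal, login regenerates it, and sensitive operations require a per-session CSRF token.

```python
import hmac
import re
import secrets

# Constructed credential store for the demo (real systems store password hashes).
USERS = {"alice": "correct horse battery staple"}

# secrets.token_urlsafe(32) always yields 43 URL-safe characters; anything else is malformed.
SID_RE = re.compile(r"^[A-Za-z0-9_-]{43}$")


class BankServer:
    """Session layer of the hypothetical http://unsafe/ bank (example code, not the article's)."""

    def __init__(self, hardened):
        self.hardened = hardened
        self.sessions = {}  # sid -> {"user": str | None, "csrf": str}

    def _new_session(self):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
        return sid

    def visit(self, sid=None):
        """GET http://unsafe/?SID=<sid>; returns the SID the browser is told to keep."""
        if sid is None:
            return self._new_session()
        if self.hardened:
            # Never adopt an identifier the server did not issue: malformed or unknown SIDs get a fresh one.
            if not SID_RE.match(sid) or sid not in self.sessions:
                return self._new_session()
            return sid
        # Vulnerable: whatever the query string says becomes a live session.
        self.sessions.setdefault(sid, {"user": None, "csrf": ""})
        return sid

    def login(self, sid, user, password):
        """Alice submits account and password inside session `sid`; returns her post-login SID."""
        if USERS.get(user) != password:
            return None
        if self.hardened:
            # Regenerate on login: the pre-login SID, which Mallory may know, is destroyed.
            self.sessions.pop(sid, None)
            sid = self._new_session()
        else:
            self.sessions.setdefault(sid, {"user": None, "csrf": ""})
        self.sessions[sid]["user"] = user
        return sid

    def csrf_token(self, sid):
        """Value the server embeds as <input type="hidden" name="csrf"> in its own forms."""
        return self.sessions[sid]["csrf"]

    def transfer(self, sid, to, amount, csrf_token=None):
        """POST /transfer, the sensitive operation. Returns an HTTP-style status line."""
        sess = self.sessions.get(sid)
        if sess is None or sess["user"] is None:
            return "401 not logged in"
        if self.hardened and (
            csrf_token is None
            or not hmac.compare_digest(csrf_token.encode(), sess["csrf"].encode())
        ):
            return "403 missing or wrong CSRF token"
        return f"200 {sess['user']} sent {amount} to {to}"


def fixation_attack(hardened):
    """Attack steps: Mallory obtains a real SID, Alice logs in under it, Mallory replays it."""
    bank = BankServer(hardened)
    mallory_sid = bank.visit()                          # Set-Cookie: session_id=...
    alice_sid = bank.visit(mallory_sid)                 # Alice clicks http://unsafe/?SID=<mallory_sid>
    bank.login(alice_sid, "alice", USERS["alice"])
    return bank.transfer(mallory_sid, "mallory", 1000)  # Mallory reuses the SID he already holds


def chosen_sid_attack(hardened):
    """Attack scenario 1: the server accepts a SID Mallory simply invented."""
    bank = BankServer(hardened)
    alice_sid = bank.visit("I_WILL_KNOW_THE_SID")
    bank.login(alice_sid, "alice", USERS["alice"])
    return bank.transfer("I_WILL_KNOW_THE_SID", "mallory", 1000)


def forged_form_attack(hardened):
    """Forged form: Alice is logged in and an evil page auto-submits a transfer. The browser
    attaches her cookie, but the evil page cannot read the hidden token from the bank's form."""
    bank = BankServer(hardened)
    alice_sid = bank.login(bank.visit(), "alice", USERS["alice"])
    return bank.transfer(alice_sid, "mallory", 1000, csrf_token=None)


def legitimate_transfer(hardened):
    """Alice submits the bank's own form, which carries the hidden token."""
    bank = BankServer(hardened)
    alice_sid = bank.login(bank.visit(), "alice", USERS["alice"])
    return bank.transfer(alice_sid, "bob", 50, csrf_token=bank.csrf_token(alice_sid))


if __name__ == "__main__":
    for fn in (fixation_attack, chosen_sid_attack, forged_form_attack, legitimate_transfer):
        print(f"{fn.__name__:20} vulnerable: {fn(False):34} hardened: {fn(True)}")
```

Running the block prints each scenario twice: against the vulnerable server every attack ends in a `200` transfer to Mallory, while the hardened server answers the two fixation variants with `401` (the SID Mallory knows no longer identifies Alice's session) and the forged form with `403`, and only Alice's own form, carrying the session-bound token, still succeeds.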
Attack scenario 2: cross-site cooking. This exploits a flaw in the browser: even if http://good/ itself is safe, a vulnerability in the browser's cookie management allows a malicious site http://evil/ to set a cookie for http://good/ in your browser. The process is as follows:
- Hacker Mallory sends user Alice a message: "There is an interesting site, http://evil, with lots of fun things, try it."
- Alice visits the link. The site sets a cookie for the http://good/ domain in her browser with the session ID value I_WILL_KNOW_THE_SID.
- Mallory sends Alice another email: "Our bank has launched a new service, please click to be the first to try it: http://good/".
- If Alice logs in, Mallory can use this ID