Examples of CSRF attack defense in web application scenarios

Cross-site request forgery

CSRF (Cross-site request forgery): the attacker borrows your identity and sends malicious requests on your behalf.

Attack mode: for a CSRF attack to succeed, the victim must complete two steps in sequence:

  1. Log in to trusted website A, so that a cookie for A is stored locally.
  2. Without logging out of site A, visit dangerous site B. Site B contains forged malicious requests aimed at site A, and the browser attaches A's stored cookie to those requests.

Attack instance

Attack scenario

Alice is the victim. She uses a bank site, http://unsafe/, which has a session fixation vulnerability. Mallory is the attacker; he wants to steal Alice's bank deposits, and Alice will click a web link Mallory sends her (perhaps because Alice knows Mallory, or because her own security awareness is weak).

Attack steps:
  1. Hacker Mallory visits http://unsafe/ and obtains a session ID (session_id); for example, the server returns the header: Set-Cookie: session_id=0D6441FEA4496C2
  2. Hacker Mallory sends user Alice an email: "Our bank has launched a new service, please click here to be the first to experience it: http://unsafe/?SID=0D6441FEA4496C2"
  3. User Alice clicks the link and logs in.
  4. Because the server does not change the session ID at login, hacker Mallory now opens http://unsafe/?session_id=I_WILL_KNOW_THE_SID and holds user Alice's identity, so he can do whatever he wants.
Defense:

The application automatically generates a CSRF "token" for each active user session. This token is used to verify that the authenticated user is really the user who is making the request to the application.

Whenever you define an HTML form in your application, include a hidden CSRF token field in it, so that the server-side CSRF filter can verify that the CSRF token in the form matches the token stored in the session (the one bound to the session_id). Even if the form is forged in an email and your identity credential, the session_id, was stolen in advance, the attacker still cannot forge the random CSRF token. This effectively prevents the situation above, unless your terminal is completely hijacked.

According to the above examples, there are two key considerations during the development process:

  • After a successful login, regenerate the session_id, and verify that the format of the session_id is legal.
  • When receiving a sensitive operation, it is not enough to verify the identity credential; also verify that the authenticated user is really the user making the request to the application. Otherwise, exposure of the session_id means the login permission is fully exposed.
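As an added example (not code from the original post), here is a minimal in-memory sketch in Python of both considerations: the login handler discards whatever session_id was presented and issues a fresh one, the session_id format is checked before use, and every sensitive operation must carry the per-session CSRF token from the hidden form field. All function and store names are hypothetical, not a real framework's API.

```python
import hmac
import re
import secrets

# Hypothetical in-memory session store: session_id -> {"user", "csrf"}.
SESSIONS = {}
SID_FORMAT = re.compile(r"^[0-9a-f]{32}$")  # what a legal session_id looks like

def new_session():
    """Create an anonymous session with a fresh random id and CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
    return sid

def sid_is_well_formed(sid):
    """Format check from the first consideration above."""
    return isinstance(sid, str) and SID_FORMAT.match(sid) is not None

def login(presented_sid, user):
    """Authenticate and return a NEW session_id, discarding the presented one.
    An id planted before login (via a URL parameter or a cross-site cookie)
    therefore never becomes an authenticated session."""
    SESSIONS.pop(presented_sid, None)  # never upgrade a pre-login id
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Value the server embeds in the hidden form field for this session."""
    return SESSIONS[sid]["csrf"]

def transfer(sid, form):
    """Sensitive operation: needs a well-formed, logged-in session AND a
    matching CSRF token in the form body. Returns True only when accepted."""
    if not sid_is_well_formed(sid):
        return False
    sess = SESSIONS.get(sid)
    if sess is None or sess["user"] is None:
        return False  # not authenticated
    token = str(form.get("csrf_token", ""))
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(token.encode(), sess["csrf"].encode()):
        return False  # cookie present but token missing or wrong: forged request
    return True
```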

Other scenarios

Attack scenario 1, the simplest: the server accepts any session ID. The process is as follows:

  1. Hacker Mallory finds that http://unsafe/ accepts any session ID: the session ID is passed to the server through a query parameter in the URL, and the server does not check it.
  2. Hacker Mallory sends user Alice an email in which he pretends the bank is promoting a new service, for example: "Our bank has launched a new service, please click here to be the first to experience it: http://unsafe/?SID=I_WILL_KNOW_THE_SID". I_WILL_KNOW_THE_SID is a session ID chosen by hacker Mallory.
  3. User Alice is attracted, clicks http://unsafe/?SID=I_WILL_KNOW_THE_SID, and logs in to the bank website with her account and password as usual.
  4. Because the server does not change the session ID at login, hacker Mallory now opens http://unsafe/?SID=I_WILL_KNOW_THE_SID and holds user Alice's identity. He can do whatever he wants.

Attack scenario 2: cross-site cooking exploits a flaw in the browser. Even if http://good/ itself is safe, a vulnerability in the browser's cookie management lets a malicious website, http://evil/, set a cookie for http://good/ in your browser. The process is as follows:

  1. Hacker Mallory sends user Alice a message: "There is an interesting site, http://evil/, with a lot of fun; try it."
  2. User Alice visits the link, and the site sets a cookie for the http://good/ domain in her browser with the session ID value I_WILL_KNOW_THE_SID.
  3. Hacker Mallory sends user Alice another email: "Our bank has launched a new service, please click here to be the first to experience it: http://good/"
  4. Once user Alice logs in, hacker Mallory can use this ID.

Origin blog.csdn.net/qq_30549099/article/details/109149225