Cross-Site Request Forgery (CSRF)

I. Introduction

  Cross-Site Request Forgery (CSRF) means that an attacker sets a trap that forces an authenticated user's browser to perform an unintended state change, such as updating personal information or account settings. It is a passive attack: the victim has to visit the attacker's page. The hazards include:

  1. Using the authenticated user's privileges to update settings;

  2. Using the authenticated user's privileges to purchase goods or transfer virtual currency;

  3. Using the authenticated user's privileges to post comments on a message board.

II. Attack principle

      Step 1: The user logs in to website A, which has a CSRF vulnerability. Website A returns a cookie to the user so that later requests are treated as authenticated;

      Step 2: In the same browser, the user then opens a website B that contains attack code. Website B returns code that causes requests to be made to website A;

      Step 3: When the browser receives this code it sends the request to website A as B instructs, attaching A's cookie without the user's knowledge. Website A cannot tell that the request was actually initiated by B, so it processes it according to the cookie and the permissions of the authenticated user.

III. Browser cookie policy

     As described above, website B passes website A's verification because the browser sends A's cookie along with B's request. There are two types of browser cookie: a temporary cookie, called a Session Cookie, and a 'Third-party Cookie', also called a 'local cookie'. The difference is that a Third-party Cookie carries an expiry time (Expires) set by the server in the Set-Cookie header; the cookie only expires after that time, so it is saved locally. A Session Cookie has no Expires time, so it expires when the browser is closed.

  Within one browser process, once a website sets a session cookie it stays valid for the lifetime of that process, even when the browser opens a new tab. Session cookies are kept in the browser process's memory; third-party cookies are stored on local disk.

  If a page in one domain loads resources from another domain, some browsers will, for security reasons, block the sending of third-party cookies (a P3P policy has the side effect that the browser no longer intercepts the sending of third-party cookies).
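To make the session-versus-persistent distinction above concrete, the following added example (not code from the original article) parses Set-Cookie header values and reports which cookies would survive a browser restart. It applies the RFC 6265 rule that Max-Age takes precedence over Expires when both are present; the header values are constructed samples.

```python
"""Classify Set-Cookie headers as session cookies (no expiry, dropped when the
browser process ends) or persistent cookies (Expires or Max-Age given, stored
on disk). Added example; the sample headers below are constructed."""
import time
from email.utils import parsedate_to_datetime


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs


def cookie_lifetime(header, now=None):
    """Return ("session", None) or ("persistent", expiry_unix_timestamp).

    Max-Age wins over Expires (RFC 6265 section 5.3); a malformed Max-Age is
    ignored and Expires consulted instead; a malformed Expires is ignored and
    the cookie treated as a session cookie, which is what browsers do."""
    now = int(time.time()) if now is None else now
    _, _, attrs = parse_set_cookie(header)

    max_age = attrs.get("max-age")
    if isinstance(max_age, str):
        try:
            # A zero or negative Max-Age expires the cookie immediately.
            return "persistent", now + int(max_age)
        except ValueError:
            pass

    expires = attrs.get("expires")
    if isinstance(expires, str):
        try:
            return "persistent", int(parsedate_to_datetime(expires).timestamp())
        except (TypeError, ValueError):
            pass

    return "session", None


# Constructed sample headers: one session cookie, two persistent ones.
SAMPLE_HEADERS = [
    "sessid=abc123; Path=/; HttpOnly",
    "remember=tok; Expires=Wed, 09 Jun 2027 10:18:14 GMT; Path=/; Secure",
    "prefs=dark; Max-Age=3600; Path=/",
]


def classify_all(headers, now=None):
    """Map cookie name -> "session" | "persistent" for a list of headers."""
    return {parse_set_cookie(h)[0]: cookie_lifetime(h, now)[0] for h in headers}


if __name__ == "__main__":
    for name, kind in classify_all(SAMPLE_HEADERS).items():
        print(f"{name}: {kind}")
```

A persistent cookie is the one that keeps a login alive across browser restarts, which widens the window in which a CSRF trap can succeed; the classifier makes that property visible from the response headers alone.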

IV. Defense against CSRF

  1. Referer check;

    Checking whether the request comes from a legitimate source works the same way as preventing image hotlinking. However, the server cannot rely on receiving the Referer field every time; for example, on a jump from https to http the Referer is not sent.

  2. Use a mobile-phone or e-mail verification code;

  3. Use POST requests for important data and validate the submitted form; however, the attacker may still forge the form submission.

  4. Anti-CSRF token

    This is the method the industry favours. Add a token field to the request, for example www.hao123.com?name=abc&age=123&token=[random(seed)]; the token is a secret shared between the server and the user's browser that nobody else knows. The token's confidentiality and randomness must be guaranteed.
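Defences 1 and 4 above are the ones that can be enforced purely on the server, so here they are as an added example (not the article's code): a Referer/Origin check that fails closed when the header is missing, which handles the https-to-http case the article raises, and an anti-CSRF token bound to the session with an HMAC and compared in constant time. The allowed host is taken from the article's example URL; the secret, session ids and headers are constructed sample values.

```python
"""Server-side CSRF defences: source check plus session-bound token.
Added example, not from the original article. Values below are constructed."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Host from the article's example URL; a real deployment lists its own hosts.
ALLOWED_HOSTS = {"www.hao123.com"}


def referer_allowed(headers, allowed_hosts=ALLOWED_HOSTS):
    """Accept a state-changing request only if Origin (preferred) or Referer
    names an allowed host. Both absent -> reject. The article notes the Referer
    is not sent on an https -> http jump, so absence cannot be distinguished
    from a forged cross-site request and must fail closed. An Origin of
    "null" has no hostname and is rejected for the same reason."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return parts.scheme in ("https", "http") and parts.hostname in allowed_hosts


# Constructed server secret; in practice loaded from configuration.
SERVER_SECRET = secrets.token_bytes(32)


def make_csrf_token(session_id, secret=SERVER_SECRET):
    """Token = nonce.HMAC(secret, session_id:nonce). Randomness comes from the
    nonce; binding to the session means a token leaked or minted for one user
    is useless on another user's session. The server stores nothing."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token, secret=SERVER_SECRET):
    """Recompute the MAC for this session and compare in constant time, so
    a wrong token cannot be distinguished from a right one by timing."""
    nonce, sep, mac = token.partition(".")
    if not sep or len(nonce) != 32:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def accept_state_change(headers, form, session_id):
    """Gate for a POST that changes account data: both defences must pass."""
    return referer_allowed(headers) and verify_csrf_token(session_id, form.get("token", ""))


if __name__ == "__main__":
    sid = "sess-1"  # constructed session id
    token = make_csrf_token(sid)
    same_site = {"Origin": "https://www.hao123.com"}
    cross_site = {"Origin": "https://attacker.example"}
    print("legitimate form:", accept_state_change(same_site, {"token": token}, sid))
    print("cross-site form:", accept_state_change(cross_site, {"token": token}, sid))
    print("no Referer/Origin:", accept_state_change({}, {"token": token}, sid))
```

The token is sent in the form body (or a custom header), never only in a cookie, because the cookie is exactly what the attacker's page gets the browser to attach for free; the forged request from website B can carry the victim's cookie but not the token embedded in website A's page.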
