CSRF: cross-site request forgery

1. What is cross-site request forgery?

Cross-site request forgery, usually abbreviated CSRF, is an attack that coerces a user into performing unintended operations on a web application the user is currently logged in to. Compared with cross-site scripting (XSS): XSS abuses the user's trust in a specified website, while CSRF abuses the website's trust in the user's web browser.

2. Attack methods

Because the browser already holds the user's authentication state (typically a session cookie that it attaches automatically to every request sent to that site), the target website treats a request triggered from an attacker's page as a genuine action by the logged-in user.


Note: Simple authentication (a session cookie) only guarantees that the request was sent from the user's browser; it cannot guarantee that the user issued the request voluntarily.

3. Defense measures

1. Check the Referer field

The HTTP request header carries a Referer field that indicates the address the request came from. When handling a request for sensitive data, the Referer should, generally speaking, be under the same domain name as the requested address. The comparison must be against the parsed origin (scheme and host) of the Referer, not a substring match, otherwise a host such as bank.example.attacker.example would pass the check.

Note: Although the HTTP protocol defines the content of this field clearly, the server cannot rely on how a particular browser implements it, nor rule out browser security vulnerabilities that affect it, and an attacker may be able to attack some browsers and tamper with their Referer field. Browsers and privacy settings may also omit the header entirely, so the server has to decide explicitly whether a request with no Referer is rejected.

2. Add verification token

Since the essence of CSRF is that the attacker tricks the user's browser into visiting an address the attacker chose, the server can require the browser to supply, together with any sensitive request, a value (a verification token) that it can only have obtained from the server. The token is not stored in the cookie, so the browser does not attach it automatically, and the attacker has no way to forge it; the CSRF attack then no longer works.


Note: During normal access the client browser obtains this pseudo-random value from the server's own page and returns it correctly, but in a CSRF attack the attacker has no way of knowing the value in advance, so the server rejects the suspicious request because the verification token is empty or wrong.

Origin blog.csdn.net/change_any_time/article/details/128793754