1. What is a forged cross-domain request?
Cross-site request forgery (CSRF) is an attack method that coerces a user into performing unintended operations on a web application they are currently logged in to. Compared with cross-site scripting (XSS): XSS exploits the user's trust in a specified website, while CSRF exploits the website's trust in the user's web browser.
2. Attack methods
Because the browser is already authenticated, the targeted website executes the forged request as if it were a genuine operation by the user.
Note: Simple authentication can only guarantee that the request was sent from the user's browser; it cannot guarantee that the request itself was issued voluntarily by the user.
3. Defense measures
1. Check the Referer field
The HTTP header contains a Referer field that indicates the address the request came from. When handling requests for sensitive data, the Referer should generally be under the same domain name as the requested address.
Note: Although the HTTP protocol clearly specifies the content of this field, it cannot guarantee how each browser actually implements it, nor that a browser is free of security vulnerabilities affecting this field. There is also the possibility that attackers attack some browsers and tamper with their Referer fields.
2. Add a verification token
Since the essence of CSRF is that the attacker tricks the user into visiting an address the attacker has set up, the attack can be defeated by requiring the user's browser to supply, when accessing sensitive data, a piece of verification data that is not stored in a cookie and that the attacker cannot forge. The attacker is then no longer able to carry out a CSRF attack.
Note: During normal access the client browser correctly obtains and returns this pseudo-random number, but in a deceptive CSRF attack the attacker has no way of knowing the value of this pseudo-random number in advance, so the server rejects the suspicious request because the verification token is empty or wrong.
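The two defenses described above, put together as an added example that is not part of the original article: a per-session token that lives only server-side and in the form (never in a cookie), plus a fail-closed same-origin Referer check. The session store, the `handle_transfer` handler and the origin `https://bank.example` are constructed for illustration.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Constructed in-memory stand-in for a real server-side session store.
SESSIONS = {}


def issue_csrf_token(session_id: str) -> str:
    """Generate a fresh random token, keep it server-side, and return it for embedding in the form."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def verify_csrf_token(session_id: str, submitted: Optional[str]) -> bool:
    """Reject a missing, unknown or mismatched token; compare in constant time."""
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def referer_matches(referer: Optional[str], expected_origin: str) -> bool:
    """Same-origin Referer check: scheme and host must match; an absent header fails closed."""
    if not referer:
        return False
    r, e = urlsplit(referer), urlsplit(expected_origin)
    return (r.scheme, r.netloc) == (e.scheme, e.netloc)


def handle_transfer(session_id: str, headers: dict, form: dict,
                    origin: str = "https://bank.example"):
    """Gate a sensitive state-changing request on both checks; returns (status, reason)."""
    if not referer_matches(headers.get("Referer"), origin):
        return 403, "bad referer"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return 403, "bad token"
    return 200, "ok"


if __name__ == "__main__":
    token = issue_csrf_token("sess-1")  # token travels in the form, not in a cookie
    good = {"Referer": "https://bank.example/transfer"}
    print(handle_transfer("sess-1", good, {"csrf_token": token}))  # legitimate form
    print(handle_transfer("sess-1", good, {}))                     # forged request: no token
    print(handle_transfer("sess-1", {"Referer": "https://evil.example/"}, {"csrf_token": token}))
```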