Cross-site request forgery (CSRF) Summary and defense

What is CSRF

For example, an attacker constructs a link that deletes a post on a blog site and then entices a user who is logged in to that site to click it. Without knowing it, the user deletes, by their own hand, a post they published on the site. An attack of this kind, in which a malicious link is constructed so that the damage is done through the hands of the victim, is called CSRF, cross-site request forgery.

Browser Cookie Policy

Cookie classification

Cookies are classified into two kinds according to whether an expiration time is set. A cookie without an expiration time is a session cookie; Firefox marks such cookies as session cookies. It is stored in memory and is valid for the lifetime of the browser process, but is erased once the browser is closed. A cookie with an expiration time is called a third-party cookie, also known as a local cookie; it is stored locally and can be used until it expires.

The principle of CSRF

Normally a user must log in before performing operations. CSRF exploits the user's login cookie: the malicious site makes the user's browser send the request that deletes the post on the blog site. For example, the user is enticed to click a link to the attacker's site, where the attacker has placed an image link that actually sends a delete request to the blog site:

Malicious site:

<!DOCTYPE html>
<html>
  <p>这是黑客诱导客户访问的恶意网站地址</p>
  <!-- the "image" is really a GET request that deletes a post on the blog site -->
  <img src="http://csdn.com?delete=10">
</html>

For this to work, the cookie the user received after logging in to csdn must be sent along. As mentioned earlier when discussing the same-origin policy, tags such as img and iframe are not restricted by the same-origin policy, so when the request is sent to csdn, the cookies associated with csdn are submitted with it (which cookies are submitted is determined by each cookie's scope). After csdn validates the cookie it mistakes the request for one issued by the user, and the user's article is deleted without their knowledge.

Older versions of IE and Safari did not send cookies with requests issued by img and iframe tags, but the latest Firefox, Chrome and other mainstream browsers do.

Older IE only allowed session cookies to be sent in this way; to have a local cookie sent, the site had to return an HTTP header containing a P3P policy, which allowed the local cookie to be sent on the next visit.

The same-origin policy is implemented in the browser, so as long as the request is issued by the browser, the cross-domain same-origin policy is of little use against this attack!


Practice

I found a GET request (the blog "like" request) in my blog:
[Screenshot: the like request captured in the browser]
From the screenshot you can see that the like request is sent to the backend together with a bunch of cookies for verification. Now I write a new page that makes the cross-domain request with an img tag (provided that csdn is logged in, otherwise the cookie validation will not pass);

Start by accessing the local page:

[Screenshots: the local page being loaded and the resulting csdn request]
The above local page really did load some csdn cookies with the request to csdn, which should include the login validation field, so the corresponding service should succeed; and when I read the blog again it really had one more like.


CSRF defense

Option one: verification code

A verification code forces the user to interact before the operation is carried out. A CSRF attack completes the operation without the user's knowledge, so if a verification code is required the attack cannot complete.

Option two: Referer check

The most common use of the Referer check is to prevent image hotlinking. By looking at the source of a request, the server can decide whether the request is reasonable: for example, when the blog is accessed through an address embedded in the attacker's web site, the Referer is the attacker's site address, so to a large extent the request can be judged to be a CSRF attack. The drawback of this approach is that the server does not always receive the Referer information.
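An added example (not code from the original post) of the Referer check described above, written in Python. It goes slightly beyond the post by preferring the Origin header, which browsers send on cross-site POSTs even when Referer is stripped, and it makes the post's drawback explicit: a missing header has to be either rejected or allowed by policy. The host name blog.example is an assumed value.

```python
from urllib.parse import urlsplit

# Host of the site being protected (assumed value, not from the post).
SITE_HOST = "blog.example"


def referer_check(headers, allow_missing=False):
    """Decide whether a state-changing request comes from our own site.

    Returns (allowed, reason). Origin is preferred; Referer is the
    fallback. When neither header is present the server cannot tell
    where the request came from, which is the weakness the post notes:
    rejecting is safest, allowing (allow_missing=True) keeps odd
    clients working but lets a header-less forged request through.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return (allow_missing, "no Origin or Referer header")
    host = urlsplit(source).hostname
    if host == SITE_HOST:  # exact match, so blog.example.attacker.test fails
        return (True, "same-origin request")
    return (False, "cross-site request from %s" % host)


if __name__ == "__main__":
    # Constructed headers: what the browser sends for an <img> placed on
    # an attacker's page versus a form submitted from our own site.
    print(referer_check({"Referer": "http://attacker.test/evil.html"}))
    print(referer_check({"Origin": "https://blog.example"}))
    print(referer_check({}))
```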

Option three: construct an unpredictable URL

A CSRF attack succeeds essentially because the attacker can guess the request URL; if the requested URL is unpredictable, the attacker cannot get started. The most common way today is to add a token parameter to the URL. The token may be stored in the user's cookie, and the server holds a token value corresponding to the client. A CSRF attack only makes use of the login cookie and cannot read specific values inside the cookie (unless the user is also hit by an XSS attack that leaks the cookie, in which case the token serves no purpose).

The token should be placed both in the submitted form and in the server session, with a period of validity. As long as the server session has not been used (that is, the user has not yet submitted the form; this requires the server to provide a way to determine whether a session has been used), the same token is reused; otherwise the token must be regenerated and saved in both the form and the session.

It should also be noted that the token must be kept confidential: it should not appear in the URL, because it could then be obtained through the Referer. Put it in a form where possible, change sensitive GET operations to POST, and submit the token as a form field or via AJAX to avoid leaking it.
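An added example (not code from the original post) of the session-bound token scheme described in the two paragraphs above: the token is issued once per session, embedded in a hidden POST field rather than the URL, compared in constant time, and regenerated only after it has been consumed. The session is modelled as a plain dict, an assumption standing in for whatever server-side session store is used.

```python
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits of randomness per token


def issue_token(session):
    """Return the session's current token, creating one only if none is
    outstanding: the same token is reused until a form is submitted."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(TOKEN_BYTES)
    return session["csrf_token"]


def render_form(session, action):
    """Embed the token in a hidden field of a POST form, never in the
    URL, so it does not end up in any Referer header."""
    token = issue_token(session)
    return ('<form method="POST" action="%s">'
            '<input type="hidden" name="csrf_token" value="%s">'
            '</form>' % (action, token))


def verify_and_consume(session, form):
    """Check the submitted token against the session copy and rotate it.

    compare_digest avoids a timing side channel on the comparison. A
    missing or wrong token rejects the request and leaves the session
    token untouched, so a forged request cannot invalidate the real form.
    """
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(
            expected.encode(), submitted.encode()):
        return False
    del session["csrf_token"]  # consumed: the next form gets a fresh token
    return True


if __name__ == "__main__":
    # Constructed walk-through: one session, one rendered form, two submits.
    session = {}
    print(render_form(session, "/delete"))
    print(verify_and_consume(session, {"csrf_token": "attacker-guess"}))  # False
    print(verify_and_consume(session, {"csrf_token": session["csrf_token"]}))  # True
```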

Option four: SameSite cookie to prevent CSRF attacks

The measures above for preventing CSRF attacks are CSRF tokens and Referer request-header verification. To solve the problem at its source, Google drafted an improvement to the HTTP protocol: a new SameSite attribute for the Set-Cookie response header, which marks the cookie as a "same-site cookie". A same-site cookie is only sent as a first-party cookie, never as a third-party cookie. SameSite has two attribute values, Strict and Lax.
https://www.cnblogs.com/ziyunfei/p/5637945.html
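An added example (not code from the original post or the linked article) that builds the Set-Cookie header with the SameSite attribute and models the browser's decision of whether a cookie accompanies a cross-site request. It goes beyond the post by including the later SameSite=None value and the Lax rule for top-level GET navigations; site comparison is simplified to the last two host labels, and the attacker.test page is a constructed sample.

```python
from urllib.parse import urlsplit


def set_cookie_header(name, value, samesite="Lax"):
    """Build a Set-Cookie header carrying the SameSite attribute."""
    if samesite not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    header = "%s=%s; Path=/; HttpOnly; SameSite=%s" % (name, value, samesite)
    if samesite == "None":
        header += "; Secure"  # browsers require Secure with SameSite=None
    return header


def registrable_site(url):
    # Simplification: the last two host labels stand in for the public
    # suffix rule, so blog.csdn.com and csdn.com count as the same site.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(samesite, page_url, request_url, method, top_level):
    """Model whether a cookie with this SameSite value accompanies a
    request issued from page_url to request_url.

    Strict: only same-site requests.
    Lax:    same-site requests plus cross-site top-level GET navigations
            (a link click); never subresources such as <img>, never POST.
    None:   always sent, the behaviour before SameSite existed.
    """
    same_site = registrable_site(page_url) == registrable_site(request_url)
    if same_site or samesite == "None":
        return True
    if samesite == "Strict":
        return False
    return top_level and method.upper() == "GET"  # Lax


if __name__ == "__main__":
    print(set_cookie_header("sid", "abc123", "Strict"))
    # The post's <img src="http://csdn.com?delete=10"> on an attacker page:
    for mode in ("None", "Lax", "Strict"):
        print(mode, cookie_is_sent(mode, "http://attacker.test/evil.html",
                                   "http://csdn.com/?delete=10", "GET", False))
```

Note that a Lax cookie is still sent when the victim clicks a cross-site link to the GET URL, which is why the post advises moving sensitive operations from GET to POST.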

Origin www.cnblogs.com/both-eyes/p/10926561.html