CSRF attacks principles and means of prevention


CSRF stands for Cross Site Request Forgery. Compared with XSS, SQL injection and other attacks it was discovered relatively late. This post looks at how the attack works and how to prevent it.

Attack process

  • Suppose user abc logs in to the bank's website to perform an operation, and also visits a website the attacker has prepared in advance.

  • abc clicks a link on the attacker's site. The link points to the bank, e.g. http://www.bank.com/xxxx, and the bank's transfer server performs a transfer according to the parameters carried in the link.

  • Before performing the transfer, the bank server verifies that the session is logged in. Because abc has already logged in to the bank's website, and the attacker's link also points to www.bank.com, the browser attaches the bank's session id to the request when it follows the link.

  • Since the session id is valid, the bank decides that the operation was initiated by abc and performs the transfer.

Demonstration

Based on the description above, let's simulate the attack process.

  • There are two sites, www.bank.com and www.hacker.com. User abc logs in to www.bank.com, then visits www.hacker.com and is tricked into clicking a link.

  • This link initiates a POST request to www.bank.com. Since the request is sent to the domain www.bank.com, the browser attaches the www.bank.com session id to it.

Code of www.hacker.com:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Title</title>
</head>
<body>
    <!-- Forged transfer form: the fields are hidden, the user only sees the button -->
    <form method="post" action="http://www.bank.com/transfer.php">
        <input type="hidden" name="from" value="abc">
        <input type="hidden" name="money" value="10000">
        <input type="hidden" name="to" value="hacker">
        <!-- Clicking the button submits the form to www.bank.com; the label reads "click to win a prize" -->
        <input type="button" onclick="submit()" value="点击抽大奖">
    </form>
</body>
</html>

As you can see, the www.hacker.com page contains a form that POSTs to www.bank.com. The form fields are hidden; the user sees only a single button and is tricked into clicking it.

The complete example code can be found on GitHub: Portal.

Prevention

The example above shows the nature of a CSRF attack. The hacker cannot obtain the cookie and has no way to parse the content returned by the server; the only thing the attacker can do is make the browser send a request to the server, and that request changes data on the server. In the example, the attacker induces the user to click a link that performs a transfer, so the victim's balance in the bank's database changes.

Having understood the principle and the goal of CSRF attacks, we propose two means of defense.

Referer verification

According to the HTTP protocol, the HTTP request header includes a Referer field that records the address of the page that originated the request. Under normal circumstances, the POST request that performs the transfer, www.bank.com/transfer.php, should be triggered by clicking the button on the www.bank.com page, so the Referer of the transfer request should be www.bank.com. If a hacker wants to mount a CSRF attack, the request can only be forged from the hacker's own site www.hacker.com, so the Referer of the forged request is www.hacker.com. Therefore, by checking whether the Referer of the POST request is www.bank.com, we can determine whether the request is legitimate.

This kind of verification is relatively simple: the site developer only needs to check the Referer before handling the POST request. But the Referer is provided by the browser. Although the HTTP protocol stipulates that the Referer value must not be tampered with, a website's security must not rest on guarantees given by others.

Token verification

The pattern above shows that the attacker forges the transfer form. The site can therefore add a random token to the form; the token is submitted to the server together with the form data, and the server checks the token value to determine whether the POST request is legitimate. Since the attacker has no way to read the page's content, the attacker cannot learn the token value, so the forged form cannot carry the correct token and the server can determine that the request was forged.
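An added example (not code from the original post or its GitHub repository) that puts both defenses, the Referer check and the token check, into one server-side validator standing in for transfer.php. It is written in Python rather than PHP; the origin constant and the dict-shaped session, headers and form are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption: the bank's own origin, as used in the post's example.
BANK_ORIGIN = "http://www.bank.com"


def issue_csrf_token(session: dict) -> str:
    """Generate a random token, store it in the server-side session and
    return it so the legitimate transfer form can embed it in a hidden
    field. A page on www.hacker.com cannot read the bank's page, so it
    never learns this value."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_is_trusted(headers: dict) -> bool:
    """Referer check: the transfer POST must come from a bank page.
    Compare the full scheme+host, not a prefix or substring, so that a
    host whose name merely starts with www.bank.com is not accepted.
    A missing Referer is rejected here; browsers, proxies and privacy
    settings may strip the header, which is one reason the post says
    security must not rest on this check alone."""
    referer = headers.get("Referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    return f"{parts.scheme}://{parts.netloc}" == BANK_ORIGIN


def validate_transfer_request(session: dict, headers: dict, form: dict):
    """Apply both defenses from the post to one POST to transfer.php.
    Returns (accepted, reason)."""
    if not referer_is_trusted(headers):
        return False, "bad referer"
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token
    # byte by byte through timing differences.
    if not expected or not hmac.compare_digest(
        expected.encode(), submitted.encode()
    ):
        return False, "bad token"
    return True, "ok"
```

The forged form from www.hacker.com fails the first check because its Referer is not the bank's origin, and would fail the second even if the Referer were spoofed, because it carries no csrf_token field.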


Source: www.cnblogs.com/ellisonzhang/p/11229271.html