CSRF attacks:
The CSRF middleware line in settings.py is commented out.
Regular Web site:
Create the change-password page password.html:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改密码</title>
</head>
<body>
    <!-- legitimate site: the form posts to its own /change_password/ view -->
    <p>正规网站 - 修改密码页面</p>
    <form action="/change_password/" method="post">
        <p>
            用户名: <input type="text" name="username">
        </p>
        <p>
            密码: <input type="text" name="password">
        </p>
        <input type="submit" value="提交">
    </form>
</body>
</html>
The URL mapping in urls.py:
from django.conf.urls import url
from app01 import views

urlpatterns = [
    url(r'^change_password/', views.change_password),
]
views.py:
from django.shortcuts import render, HttpResponse


def change_password(request):
    if request.method == "POST":
        # no CSRF check: any POST that reaches this view is trusted
        username = request.POST.get("username")
        password = request.POST.get("password")
        print("用户 {} 把密码修改为:{}".format(username, password))
        return HttpResponse("密码修改成功!")
    return render(request, "password.html")
Access page:
Click "Submit"
Phishing site:
password.html:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改密码</title>
</head>
<body>
    <!-- phishing site: the form posts cross-site to the legitimate server -->
    <p>钓鱼网站 - 修改密码页面</p>
    <form action="http://127.0.0.1:8000/change_password/" method="post">
        <p>
            用户名: <input type="text" name="username">
        </p>
        <p>
            密码: <input type="text" name="password">
            <!-- hidden duplicate "password" field: request.POST.get() returns the last value -->
            <input type="text" name="password" value="test1234" style="display: none">
        </p>
        <input type="submit" value="提交">
    </form>
</body>
</html>
Here a hidden password field sets the new password to the attacker-chosen value test1234.
urls.py:
from django.conf.urls import url
from app01 import views

urlpatterns = [
    url(r'^change_password/', views.change_password),
]
views.py:
from django.shortcuts import render


def change_password(request):
    # the phishing site only serves its own copy of the form
    return render(request, "password.html")
Access page:
Click "Submit"
The browser is sent to http://127.0.0.1:8000/change_password/, the password is modified and the success message is displayed.
The password is changed to test1234 instead of the 111111 the user typed.
CSRF protection:
Uncomment the CSRF middleware line in settings.py.
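The post does not show the line itself, so here is the relevant part of settings.py as an added example (not the post's own file). The middleware name 'django.middleware.csrf.CsrfViewMiddleware' is Django's real class; the neighbouring entries are the defaults of a freshly generated project and are shown only for context.

```python
# settings.py on the legitimate site (added example, not the post's own file).
# The weak configuration that allowed the attack above had the CSRF line commented out:
#     # 'django.middleware.csrf.CsrfViewMiddleware',
# Uncommenting it makes Django validate a CSRF token on every POST.
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',  # uncommented: CSRF check enabled
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

Order matters only in that CsrfViewMiddleware must appear in the list; it sits after SessionMiddleware in the default layout.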
Now when the phishing page sends its request, it is no longer accepted.
For extra safety:
Modify password.html on the legitimate site:
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改密码</title>
</head>
<body>
    <p>正规网站 - 修改密码页面</p>
    <form action="/change_password/" method="post">
        {% csrf_token %}  <!-- renders a hidden csrfmiddlewaretoken input -->
        <p>
            用户名: <input type="text" name="username">
        </p>
        <p>
            密码: <input type="text" name="password">
        </p>
        <input type="submit" value="提交">
    </form>
</body>
</html>
A {% csrf_token %} line has been added inside the form.
Visit the URL:
A hidden CSRF value has been added to the form for checking, and its value is different every time.
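To show why the phishing request is rejected once the middleware is on, and why the hidden value differs on every render yet still verifies, here is an added example (not the post's code and not Django's own implementation) that models the check CsrfViewMiddleware performs. It assumes Django's scheme as a starting point: a per-session secret lives in the csrftoken cookie, {% csrf_token %} renders that secret under a fresh random mask into the csrfmiddlewaretoken field, and the server accepts a POST only when the unmasked field equals the cookie secret. The alphabet and 32-character secret length mirror Django's settings; the function names and reason strings are this example's own. A cross-site form such as the phishing page cannot read the victim's cookie, so it cannot produce a matching token, which is what the constructed requests below exercise. Note that the middleware validates every POST, so the legitimate form needs {% csrf_token %} for its own submissions to keep working.

```python
import hmac
import secrets
import string

# Mirrors Django's CSRF_ALLOWED_CHARS and CSRF_SECRET_LENGTH (assumption for this example).
ALLOWED_CHARS = string.ascii_letters + string.digits
SECRET_LENGTH = 32


def new_secret():
    """Per-session secret that the server stores in the csrftoken cookie."""
    return "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))


def mask_secret(secret):
    """What {% csrf_token %} puts in the hidden field: a fresh random mask followed by
    the secret shifted by that mask, so every render produces a different token."""
    mask = "".join(secrets.choice(ALLOWED_CHARS) for _ in range(SECRET_LENGTH))
    n = len(ALLOWED_CHARS)
    cipher = "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(s) + ALLOWED_CHARS.index(m)) % n]
        for s, m in zip(secret, mask)
    )
    return mask + cipher


def unmask_token(token):
    """Recover the session secret from a masked token."""
    mask, cipher = token[:SECRET_LENGTH], token[SECRET_LENGTH:]
    n = len(ALLOWED_CHARS)
    return "".join(
        ALLOWED_CHARS[(ALLOWED_CHARS.index(c) - ALLOWED_CHARS.index(m)) % n]
        for c, m in zip(cipher, mask)
    )


def is_well_formed(token):
    return len(token) == 2 * SECRET_LENGTH and all(c in ALLOWED_CHARS for c in token)


def check_post(cookies, form):
    """Server-side decision for one POST. Returns (accepted, reason).
    cookies and form are plain dicts standing in for request.COOKIES / request.POST."""
    cookie_secret = cookies.get("csrftoken")
    if cookie_secret is None:
        return False, "CSRF cookie not set"
    token = form.get("csrfmiddlewaretoken", "")
    if not is_well_formed(token):
        return False, "CSRF token missing or malformed"
    # constant-time compare so the check itself leaks nothing about the secret
    if not hmac.compare_digest(unmask_token(token), cookie_secret):
        return False, "CSRF token incorrect"
    return True, "ok"


def demo():
    """Walk through the post's two scenarios with constructed requests."""
    secret = new_secret()
    victim_cookies = {"csrftoken": secret}  # sent by the browser with every POST to the site

    # Legitimate site: two renders of password.html yield two different hidden values...
    token_first, token_second = mask_secret(secret), mask_secret(secret)
    accepted_first, _ = check_post(victim_cookies, {"username": "u", "password": "111111",
                                                    "csrfmiddlewaretoken": token_first})
    accepted_second, _ = check_post(victim_cookies, {"username": "u", "password": "111111",
                                                     "csrfmiddlewaretoken": token_second})

    # Phishing site: the browser still attaches the victim's cookie, but the attacker's
    # page never saw it, so the form carries no usable token.
    accepted_phish, reason = check_post(victim_cookies, {"username": "u", "password": "test1234"})

    return {
        "tokens_differ": token_first != token_second,
        "legitimate_accepted": accepted_first and accepted_second,
        "phishing_accepted": accepted_phish,
        "phishing_reason": reason,
    }


if __name__ == "__main__":
    print(demo())
```

The two halves of the post map onto check_post: with the middleware commented out there is no equivalent of this function in the request path, so the hidden-field trick goes straight through to change_password; with it enabled, the cross-site POST fails at the token step before the view runs.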