Python - Django - CSRF

Others 2019-08-03 23:45:44 views: null

CSRF attacks:

Csrf commented in the settings.py

Regular Web site:

Creating Change Password page password.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改密码</title>
</head>
<body>

<p>正规网站 - 修改密码页面</p>

<form action="/change_password/" method="post">
    <p>
        用户名:
        <input type="text" name="username">
    </p>
    <p>
        密码:
        <input type="text" name="password">
    </p>

    <input type="submit" value="提交">
</form>

</body>
</html>

Urls.py correspondence relationship of:

from django.conf.urls import url
from app01 import views

urlpatterns = [
    url(r'^change_password/', views.change_password),
]

views.py:

from django.shortcuts import render, HttpResponse


def change_password(request):
    if request.method == "POST":
        username = request.POST.get("username")
        password = request.POST.get("password")
        print("用户 {} 把密码修改为:{}".format(username, password))
        
        return HttpResponse("密码修改成功!")

    return render(request, "password.html")

Access page:

Click "Submit"

 

Phishing sites:

password.html:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改密码</title>
</head>
<body>

<p>钓鱼网站 - 修改密码页面</p>

<form action="http://127.0.0.1:8000/change_password/" method="post">
    <p>
        用户名:
        <input type="text" name="username">
    </p>
    <p>
        密码:
        <input type="text" name="password">
        <input type="text" name="password" value="test1234" style="display: none">
    </p>

    <input type="submit" value="提交">
</form>

</body>
</html>

Here with a hidden password to modify the password specified test1234

urls.py:

from django.conf.urls import url
from app01 import views

urlpatterns = [
    url(r'^change_password/', views.change_password),
]

views.py:

from django.shortcuts import render


def change_password(request):
    return render(request, "password.html")

Access page:

Click "Submit"

Jump to: http: //127.0.0.1: 8000 / change_password /, modify and display success

The password is modified to test1234, instead of 111111

 

CSRF protection:

The comments in the cancellation settings.py

At this phishing page and then send a request, then it will not be accepted

Insurance can be a little more:

Modify password.html formal website:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>修改密码</title>
</head>
<body>

<p>正规网站 - 修改密码页面</p>

<form action="/change_password/" method="post">
    {% csrf_token %}
    <p>
        用户名:
        <input type="text" name="username">
    </p>
    <p>
        密码:
        <input type="text" name="password">
    </p>

    <input type="submit" value="提交">
</form>

</body>
</html>

在 form 表单中添加了一条 {% csrf_token %}

访问该 url:

添加了隐藏的 csrf 内容校验,每次的值都会不同

 

Guess you like

Origin www.cnblogs.com/sch01ar/p/11295352.html
Recommended
Ranking
PAT Level B 1094 Google's Recruitment (20 points) Python
Old Wei wins the offer to take you to learn --- brush (integer number 31. 1 appears) title series
Bilibili: Barrage Screening: Baijiaxing: Import XML directly
개체 배열 중복 제거
matplotlib—patches.Circle
[Observation] It is also a cordless vacuum cleaner, why does Dyson V10 dare to sell 4990 yuan?
0410
Apache Kafka message delivery reliability analysis
How hotel occupancy records inquiry etj
Essential knowledge for getting started with speculating in spot silver
Daily
More
2024-04-28(12)
2024-04-27(29)
2024-04-26(22)
2024-04-25(32)
2024-04-24(30)
2024-04-23(30)
2024-04-22(5)
2024-04-21(0)
2024-04-20(6)
2024-04-19(5)

Code World

© 2018 codetd.com