Python Django CSRF configuration explained

Django CSRF

CSRF stands for Cross Site Request Forgery. It is also known as a One Click Attack or Session Riding, and is often abbreviated CSRF or XSRF. You can think of it this way: an attacker (a hacker or a phishing site) steals your identity and sends malicious requests in your name, such as sending e-mail, sending messages, taking over accounts, making purchases or bank transfers, so that your privacy is exposed and your property is lost.

CSRF principle

1. The user logs in to the trusted website A.
2. After the login is verified, website A generates a cookie in the user's browser.
3. Without logging out of website A, the user visits the dangerous website B.
4. Website B requires a request to the third-party site A and issues that request.
5. Following B's request, the browser visits site A carrying the cookie generated in step 2.
6. Site A does not know that the request was issued by site B rather than by the user; because the browser attaches the user's cookie automatically, A processes the request with the user's privileges, and site B has achieved its goal of simulating the user's actions.

As the steps above show, for a CSRF attack to succeed the victim must complete both of the following steps:

1. Log in to the trusted site A, so that a cookie is generated locally.
2. Visit the dangerous site B without having logged out of A.

Reading this, you might ask: if I never satisfy both conditions at once, then I cannot be attacked by CSRF? Yes, that is true, but you cannot guarantee that the situation will never happen:

- You cannot guarantee that, after logging in to a website, you will not open another tab and visit other sites.
- You cannot guarantee that, after you close your browser, your local cookie expires right away and your last session has really ended.
- The so-called attack website above may well be a phishing site.

CSRF attack instance

After all this you may still be a little foggy; hearing the concept of CSRF is not enough to understand it, so here I will give an example to give everyone a deeper understanding.

Let's assume that Alipay has a CSRF vulnerability, that my Alipay account is wl, and that the attacker's Alipay account is xxx. Then, by requesting the web page http://zhifubao.com/withdraw?account=lyq&amount=10000&for=wl, I can transfer 10,000 yuan from the account to my other account wl. Normally, when this request reaches the Alipay server, the server first verifies whether the request comes from a legitimate session and whether the user of that session has successfully logged in. The attacker xxx also has an Alipay account and knows that the URL above can perform a transfer, so he can send the request http://zhifubao.com/withdraw?account=lyq&amount=10000&for=xxx to the Alipay backend. But that request comes from the attacker rather than from me, wl, so it cannot pass the security check and the request is invalid. So the attacker xxx thinks of using CSRF: he builds a website, places the following code in it, http://zhifubao.com/withdraw?account=lyq&amount=10000&for=xxx, and lures me to visit his website through a link. When I give in to temptation and click through, the request above is sent from my own browser to Alipay, and it carries my browser's cookie. In most cases the request fails, because Alipay asks me for authentication information; but if I have just visited Alipay and have not yet closed the Alipay page, my browser's cookie still holds my authentication information, the request gets a response, and 10,000 yuan is transferred from my account to the xxx account without my knowing it.

In settings.py, find the MIDDLEWARE list and locate the entry 'django.middleware.csrf.CsrfViewMiddleware'.

This line enables CSRF protection; if you comment it out, the CSRF check no longer runs.


Now, having written an HTML form in Django, when I click submit and the form is sent as a POST, a 403 error is reported for CSRF.

This is Django's CSRF protection at work: the POST does not carry the values Django checks (it treats a request without a CSRF token, or on HTTPS without a valid Referer, as a possible CSRF attack), so the request is mistaken for a CSRF attack and access is denied. How do we solve this?


The fix is to add {% csrf_token %} inside the form. If you then inspect the form, you will find that, among the form's input fields, {% csrf_token %} has automatically inserted a hidden input; the browser submits its value together with the form data so that the server can confirm the request.

If the check succeeds, the page is accessed normally; if it fails, access is denied.

After the redirect you will then find that the page is visited successfully.
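To make the mechanism concrete, here is an added example that is not part of the original post and does not use Django's own code: a small Python model of the withdraw endpoint from the Alipay story, once authorising on the session cookie alone (the vulnerable case from the story) and once also requiring the per-session token that {% csrf_token %} places in the form. The `Bank` class, the `sess-wl` session id, the account balances and the constructed requests are all assumptions made for this demonstration.

```python
"""Added example (not from the original post, not Django's code): a minimal
model of why a session cookie alone is not enough, and what the CSRF token
adds.  Everything here (Bank, sess-wl, balances, requests) is constructed."""
import hmac
import secrets


class Bank:
    """Hypothetical in-memory bank: session cookie -> user, plus balances."""

    def __init__(self):
        self.sessions = {"sess-wl": "wl"}          # constructed: cookie value -> logged-in user
        self.balances = {"wl": 20000, "xxx": 0}    # constructed balances, in yuan
        # One secret per session; only a page served by the site can embed it.
        self.csrf_secrets = {"sess-wl": secrets.token_hex(16)}

    def render_form(self, cookies):
        """The site's own withdraw page: embeds the session's CSRF token as a
        hidden field, which is what {% csrf_token %} does in Django."""
        return {"csrfmiddlewaretoken": self.csrf_secrets[cookies["sessionid"]]}

    def withdraw_no_csrf(self, request):
        """Vulnerable handler: authorises on the session cookie alone.  The
        browser attaches that cookie to any request aimed at the site, even one
        triggered by a page the user did not intend to submit."""
        user = self.sessions.get(request["cookies"].get("sessionid"))
        if user is None:
            return 403
        return self._transfer(user, request["params"])

    def withdraw_with_csrf(self, request):
        """Protected handler: the cookie says who the user is, the token proves
        the form came from our own page.  Django's CsrfViewMiddleware performs
        the same kind of comparison before the view runs."""
        sessionid = request["cookies"].get("sessionid")
        user = self.sessions.get(sessionid)
        if user is None:
            return 403
        expected = self.csrf_secrets[sessionid]
        supplied = request["params"].get("csrfmiddlewaretoken", "")
        if not hmac.compare_digest(expected, supplied):  # constant-time compare
            return 403  # Django reports this as "CSRF verification failed"
        return self._transfer(user, request["params"])

    def _transfer(self, user, params):
        """Move money out of the logged-in user's account (hypothetical)."""
        amount = int(params["amount"])
        if self.balances[user] < amount:
            return 400
        self.balances[user] -= amount
        self.balances[params["for"]] = self.balances.get(params["for"], 0) + amount
        return 200


def forged_request(extra=None):
    """Constructed request as site B would cause the victim's browser to send:
    the browser adds the session cookie by itself, but site B cannot read the
    victim's CSRF token, so the form field is absent (or a wrong guess)."""
    params = {"amount": "10000", "for": "xxx"}
    params.update(extra or {})
    return {"cookies": {"sessionid": "sess-wl"}, "params": params}


def legitimate_request(bank):
    """Constructed request from the site's own form: same cookie plus the token
    the page embedded, transferring to the user's own account wl."""
    req = forged_request(bank.render_form({"sessionid": "sess-wl"}))
    req["params"]["for"] = "wl"
    return req


def demo():
    """Run the three cases and return their status codes for inspection."""
    results = {}
    results["forged_vs_no_csrf"] = Bank().withdraw_no_csrf(forged_request())
    results["forged_vs_csrf"] = Bank().withdraw_with_csrf(forged_request())
    bank = Bank()
    results["own_form_vs_csrf"] = bank.withdraw_with_csrf(legitimate_request(bank))
    results["guessed_token_vs_csrf"] = Bank().withdraw_with_csrf(
        forged_request({"csrfmiddlewaretoken": "guess"}))
    return results


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: HTTP {status}")
```

Running the file shows the forged request succeeding against the unprotected handler and being refused by the protected one, while the site's own form submission still passes. Django's middleware does the equivalent comparison between the `csrftoken` cookie and the `csrfmiddlewaretoken` form field using a constant-time compare, which is why removing the middleware line from MIDDLEWARE, or leaving {% csrf_token %} out of the form, changes the outcome.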



Source: www.cnblogs.com/love2000/p/11680069.html