Soul-searching question #8: Can you talk about CSRF attacks?

What is a CSRF attack?

CSRF (Cross-site request forgery) refers to an attacker inducing a user to click a link that opens the attacker's site, and then using the user's current logged-in state to initiate cross-site requests.

For example, on a forum you click a carefully chosen picture of a pretty girl that the attacker posted, and you are taken to a new page.

Congratulations, you have just been attacked :)

You may wonder how you were attacked so suddenly. Let's break down what the attacker did behind the scenes when you clicked the link.

The attacker may do three things, listed below:

1. Automatically send a GET request

The attacker's page may contain code like this:

<img src="https://xxx.com/info?user=hhh&count=100">

This sends a GET request automatically. Note that the request automatically carries the cookies for xxx.com (assuming you have logged in to xxx.com before).

If the server has no corresponding verification mechanism, it may treat the request as coming from a normal user because it carries the matching cookie, and the corresponding operation, a money transfer or some other malicious action, goes through.

2. Automatically send a POST request

The attacker may have prepared a form in advance and written a script that submits it automatically:

<form id='hacker-form' action="https://xxx.com/info" method="POST">
  <input type="hidden" name="user" value="hhh" />
  <input type="hidden" name="count" value="100" />
</form>
<script>document.getElementById('hacker-form').submit();</script>

This request also carries the user's cookies, so the server mistakes it for a normal user's operation, and all kinds of malicious operations become possible.

3. Induce a click that sends a GET request

On the attacker's site, a link may be placed that entices you to click it:

<a href="https://xxx/info?user=hhh&count=100" target="_blank">Click to enter the world of immortals</a>

When clicked, a GET request is sent automatically; the rest follows the same reasoning as the automatic GET request above.

This is the principle of a CSRF attack. Compared with XSS, a CSRF attack does not require injecting malicious code into the HTML document of the current page; instead it takes the user to a new page and exploits the server's weak validation together with the user's existing login state to perform operations on the user's behalf.

Defenses

1. Use the SameSite attribute of cookies

The key part of a CSRF attack is that the browser automatically sends the target site's cookie, and this cookie is what impersonates the user's identity. So the cookie itself is the first place to put up a defense.

Exactly for this purpose, cookies have a key attribute that restricts which requests may carry the cookie: SameSite.

SameSite can be set to three values: Strict, Lax and None.

a. In Strict mode, the browser completely forbids carrying the cookie on third-party requests. For example, the cookie for sanyuan.com is only carried on requests to the sanyuan.com domain; requests from other sites do not carry it.

b. In Lax mode the rule is relaxed a little: the cookie can be carried only on a form submitted with the GET method or on a GET request sent through an <a> tag; in all other cases it cannot.

c. In None mode, which is the default mode, the cookie is carried automatically on every request.

2. Verify the source site

This relies on two fields in the request header: Origin and Referer.

Origin contains only the domain name information, while Referer contains the specific URL path.

Of course, both can be forged by setting custom request headers through Ajax, so this approach is slightly less secure.
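The following is an added example (not code from the original post) of a server-side source check as described in this section: it prefers Origin, falls back to reducing Referer to its origin, and fails closed when neither header is present. The allowlist entry for https://xxx.com and the sample headers are constructed for the example.

```python
from urllib.parse import urlsplit

# Added example, not from the original post: verify the source site of a
# state-changing request from its Origin / Referer headers. The allowlist
# and the sample requests are constructed for illustration.

ALLOWED_ORIGINS = {"https://xxx.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return scheme://host[:port] for a URL (default port omitted),
    or None when the URL has no usable scheme or host."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        return None
    port = ""
    if p.port is not None and p.port != DEFAULT_PORTS.get(p.scheme.lower()):
        port = f":{p.port}"
    return f"{p.scheme.lower()}://{p.hostname.lower()}{port}"


def source_site_ok(headers, allowed=ALLOWED_ORIGINS):
    """Decide whether a request may perform a state-changing action.
    headers: dict of request headers (looked up case-insensitively).
    Order of precedence: Origin, then Referer; missing both -> reject."""
    h = {k.lower(): v for k, v in headers.items()}

    origin = h.get("origin")
    if origin is not None:
        if origin.strip().lower() == "null":
            return False            # opaque origin (sandboxed frame, file:, ...)
        return origin.strip().lower() in allowed

    referer = h.get("referer")
    if referer:
        src = origin_of(referer)    # only the origin part of Referer is compared
        return src is not None and src in allowed

    return False                    # fail closed: no evidence of the source


def handle_transfer(headers, form):
    """Tiny handler for the /info endpoint: source check before any action."""
    if not source_site_ok(headers):
        return 403, "forbidden: request does not come from this site"
    return 200, f"count updated to {form.get('count')}"


if __name__ == "__main__":
    print(handle_transfer({"Origin": "https://xxx.com"}, {"count": "100"}))
    print(handle_transfer({"Referer": "https://evil.example/page"}, {"count": "100"}))
    print(handle_transfer({}, {"count": "100"}))
```

In current browsers a script cannot set Origin or Referer itself (both are forbidden header names), so in practice the harder question is what to do when they are absent, for instance under a strict Referrer-Policy or privacy settings. The check above rejects in that case; a site that cannot afford that should pair this check with a CSRF token rather than loosen it.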

3. CSRF Token

Django is a back-end framework for Python; anyone who has developed with it knows that when writing a form in a template, this line of code often appears:

{% csrf_token %}

This is a typical application of a CSRF token. What is its principle?

First, when the browser sends a request to the server, the server generates a string and embeds it in the page it returns.

When the browser wants to send the next request, it must carry this string, and the server verifies its validity; a request that fails verification is refused. This string is the CSRF token. Normally a third-party site cannot obtain this token, so its request is rejected by the server.
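Here is an added example (not Django's implementation and not code from the original post) that carries the procedure just described through end to end: the server issues a random token bound to the user's session, embeds it as a hidden form field the way {% csrf_token %} does, and rejects any POST whose token does not match. The Session class, the /info form and the submitted field values are constructed stand-ins.

```python
import hmac
import secrets

# Added example, not from the original post: a minimal session-bound CSRF
# token, from issuing it to verifying it. Session storage, the form and the
# submitted values are constructed stand-ins for a real framework.


class Session:
    """Stand-in for a server-side session store (one object per logged-in user)."""

    def __init__(self):
        self.csrf_token = None


def issue_csrf_token(session):
    """Generate an unguessable token once per session and keep it server-side."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)   # 256 bits, URL-safe base64
    return session.csrf_token


def render_form(session):
    """Embed the token in the returned page, as {% csrf_token %} does in a template."""
    token = issue_csrf_token(session)
    return (
        '<form action="/info" method="POST">\n'
        f'  <input type="hidden" name="csrfmiddlewaretoken" value="{token}">\n'
        '  <input type="text" name="count">\n'
        '</form>'
    )


def verify_csrf(session, form_fields):
    """Accept only a submission whose token equals the one issued to this session.
    compare_digest keeps the comparison constant-time."""
    submitted = form_fields.get("csrfmiddlewaretoken", "")
    expected = session.csrf_token
    if not expected or not submitted:
        return False
    return hmac.compare_digest(submitted, expected)


def handle_post(session, form_fields):
    """Server handler for POST /info: verify the token before doing anything."""
    if not verify_csrf(session, form_fields):
        return 403, "CSRF verification failed"
    return 200, f"count set to {form_fields.get('count')}"


def demo():
    """A legitimate submission (token read from the rendered page) versus the
    auto-submitted attacker form from the post, which cannot know the token."""
    session = Session()
    page = render_form(session)
    token = page.split('value="')[1].split('"')[0]     # what the user's own page holds
    legit = handle_post(session, {"csrfmiddlewaretoken": token, "count": "100"})
    forged = handle_post(session, {"user": "hhh", "count": "100"})   # no token
    return legit, forged


if __name__ == "__main__":
    for status, body in demo():
        print(status, body)
```

Two details carry the security of the scheme: the token comes from secrets, not from a predictable counter or timestamp, and it is compared against the value stored for that user's session, so a token issued to one user is useless in another user's session.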

Summary

CSRF (Cross-site request forgery) refers to an attacker inducing a user to click a link that opens the attacker's site, and then using the user's current login state to initiate cross-site requests.

CSRF attacks usually take three forms:

  • Automatic GET request
  • Automatic POST request
  • Induced click that sends a GET request.

Defenses: use the SameSite attribute of cookies, verify the source site, and use a CSRF token.


Source: www.cnblogs.com/guchengnan/p/12160696.html