What is a CSRF attack?
CSRF (Cross-site request forgery) means exactly that: a request forged across sites. The attacker lures the user into clicking a link that opens the attacker's page, and then uses the user's current login state to send a cross-site request.
For example, you click on a carefully chosen picture of a pretty girl that the attacker posted in a forum, and a new page opens.
Congratulations, you have just been attacked :)
You may wonder how you were attacked so suddenly. Let us take apart what the attacker did behind the scenes once you clicked the link.
The attacker can do three things. They are listed below:
1. Automatically send a GET request
The attacker's page may contain code like this:
<img src="https://xxx.com/info?user=hhh&count=100">
This sends a GET request automatically. It is worth noting that the request carries the cookies for xxx.com (assuming you have logged in to xxx.com before).
If the server side has no corresponding authentication mechanism, it may take the requester for a normal user because the request carries the right cookie, and then all sorts of malicious operations, such as transferring money, become possible.
2. Automatically send a POST request
The attacker may build a form of their own and write a script that submits it automatically.
<form id="hacker-form" action="https://xxx.com/info" method="POST">
  <input type="hidden" name="user" value="hhh" />
  <input type="hidden" name="count" value="100" />
</form>
<script>document.getElementById("hacker-form").submit();</script>
This request also carries the user's cookies, so the server mistakes it for an operation by a normal user, and all kinds of malicious operations become possible.
3. Lure the user into clicking, which sends a GET request
On the attacker's site there may be a link that drives you to click it:
<a href="https://xxx/info?user=hhh&count=100" target="_blank">Click to enter the world of immortals</a>
When it is clicked, a GET request is sent automatically, and from there on the reasoning is the same as in the "automatically send a GET request" case.
This is the principle behind a CSRF attack. In contrast to XSS, a CSRF attack does not require injecting malicious code into the HTML document of the current page; instead it jumps to a new page and exploits a weakness in the server's validation, together with the user's existing login, to simulate operations by that user.
Countermeasures
1. Use the SameSite attribute of the cookie
The crucial part of a CSRF attack is that the cookie for the target site is sent automatically, and that cookie is what impersonates the user. The cookie is therefore the first line of defense.
There is indeed a key cookie attribute that restricts which requests may carry the cookie: SameSite.
SameSite can be set to one of three values: Strict, Lax and None.
a. In Strict mode, the browser completely forbids third-party requests from carrying the cookie. For example, a cookie for sanyuan.com is sent only with requests to sanyuan.com that originate from the sanyuan.com site itself, never with requests made from other sites.
b. Lax mode is a little looser: the cookie is carried only when a form is submitted with the GET method or when an <a> tag sends a GET request; in all other cases it is not.
c. In None mode, which is the default, the cookie is carried with every request.
2. Verify the source site
This relies on two fields in the request headers: Origin and Referer.
Origin contains only the domain name, while Referer contains the full URL path.
Of course, both of these can be forged through custom request headers in Ajax, so this method is slightly less secure.
3. CSRF Token
Anyone who has developed with Django, the Python back-end framework, knows that when writing a form in its templates this line of code often appears:
{% csrf_token %}
This is a typical application of a CSRF Token. How does it work?
First, when the browser sends a request to the server, the server generates a string and embeds it in the page it returns.
Any later request from the browser must carry this string; the server then checks that it is valid and rejects the request if it is not. This string is the CSRF Token.
A third-party site normally has no way to obtain this token, so its requests are rejected by the server.
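To make the source-site check (2) and the CSRF Token check (3) concrete, here is an added server-side model of both; it is example code written for this article, not code from Django or from the original post. TRUSTED_ORIGIN, sessions, issue_token, source_site_ok, token_ok and is_request_allowed are assumed names, and the two requests at the bottom are constructed to mirror the auto-submitted form above.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Added example, not code from the article or from Django: a minimal model of
# checks 2 and 3 above. TRUSTED_ORIGIN, sessions, issue_token, source_site_ok,
# token_ok and is_request_allowed are all assumed names for this illustration.
TRUSTED_ORIGIN = "https://xxx.com"  # the site whose cookie is being forged
sessions = {}                        # session id -> server-side state

def issue_token(session_id):
    """Generate a random token for this session and remember it; the page
    handler would embed it in a hidden form field (like {% csrf_token %})."""
    token = secrets.token_urlsafe(32)
    sessions.setdefault(session_id, {})["csrf_token"] = token
    return token

def source_site_ok(headers):
    """Check 2: Origin (domain only) or Referer (full URL) must point at the
    trusted site; a request with neither header is rejected."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    got, want = urlparse(source), urlparse(TRUSTED_ORIGIN)
    return (got.scheme, got.netloc) == (want.scheme, want.netloc)

def token_ok(session_id, form):
    """Check 3: the submitted token must equal the one issued to this
    session; compare in constant time."""
    expected = sessions.get(session_id, {}).get("csrf_token")
    submitted = form.get("csrf_token", "")
    return bool(expected) and hmac.compare_digest(expected, submitted)

def is_request_allowed(request):
    """request is a dict with the session cookie, headers and form fields."""
    sid = request["cookies"].get("sessionid")
    return source_site_ok(request["headers"]) and token_ok(sid, request["form"])

if __name__ == "__main__":
    tok = issue_token("sess-1")
    # Constructed: a genuine form post from the site itself...
    genuine = {"cookies": {"sessionid": "sess-1"},
               "headers": {"Origin": "https://xxx.com"},
               "form": {"user": "hhh", "count": "100", "csrf_token": tok}}
    # ...and the auto-submitted form from the attacker's page: the cookie is
    # carried along, but the token is missing and the Origin is another site.
    forged = {"cookies": {"sessionid": "sess-1"},
              "headers": {"Origin": "https://hacker.example"},
              "form": {"user": "hhh", "count": "100"}}
    print(is_request_allowed(genuine), is_request_allowed(forged))  # True False
```

The forged request fails both checks even though the browser attached the session cookie, which is exactly the gap the cookie-only server in the attack scenarios leaves open.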
Summary
CSRF (Cross-site request forgery) means a request forged across sites: the attacker lures the user into clicking a link that opens the attacker's page, and then uses the user's current login state to send a cross-site request.
CSRF attacks usually take three forms:
- An automatic GET request
- An automatic POST request
- Luring the user into clicking, which sends a GET request
Countermeasures: use the SameSite attribute of the cookie, verify the source site, and use a CSRF Token.