20170813-CSRF

CSRF

CSRF stands for Cross-Site Request Forgery.

  1. Cross-Site: as the name says, from one site to another.
  2. Request: an HTTP request.
  3. Forgery: here it can be understood as imitation or disguise.
  • Taken together: a request is initiated from site A to site B, and the request is disguised so that it looks as if it originated from site B itself; the server side of site B is thereby misled into believing the request came from its own site rather than from site A.
  • In a CSRF attack the attacker exploits the trust the server places in the victim's cookie, but the attacker cannot obtain the cookie or see its contents. Nor can the attacker read the server's response, because the browser's same-origin policy forbids it. So the attacker gets nothing out of the returned result; all he can do is make the server execute the request, that is, change data on the server directly rather than steal it. The services we need to protect are therefore those that directly change data; services that only read data do not need CSRF protection.

Principle

[Figure: CSRF attack flow. Source: CSRF attack principles and Node.js implementation and defense]

As the figure shows, two steps must happen in sequence before a request can be passed off as coming from site A:

  1. Log in to the trusted site A, which generates a cookie locally.

  2. Without logging out of A, visit the dangerous site B.

  • The request has to be made to look as if it comes from site A because cookies are not sent across domains. In this example, if site B sent its request straight to site A's server as itself, the cookie generated by site A would not be sent to the server with it.
  • Why does the cookie need to be sent? After the user logs in, the server puts some information into the user's cookie and returns it to the client; when the client later requests resources that require authentication, it sends the cookie along with the request, and the server reads the cookie to authenticate the user and returns the correct response once authentication passes.
  • When site B accesses a resource on site A's server that requires authentication, the server refuses access if the cookie is absent, so site B cannot do anything malicious. But if site B forges a request that appears to come from site A, the browser sends site A's cookie to A's server along with it; the server then treats the request as legitimate and returns the correct response, and site B has achieved its goal.

Harm

The attacker steals your identity and sends malicious requests on your behalf. Things CSRF can do include sending e-mails and messages in your name, stealing your account, and even buying goods or transferring virtual currency. The resulting problems include leaks of personal privacy and threats to property safety.

How to prevent CSRF attacks

CSRF attacks succeed because the attacker can completely forge the user's request: all of the user's authentication information is held in the cookie, so the attacker can pass the security check by using the cookie directly, without knowing what it contains. To defend against CSRF, the key is to put information the attacker cannot forge into the request.

Use POST for critical operations:

For security reasons, browsers now apply certain restrictions by default, and requests that a form tag sends to other sites are blocked.

Use a verification code (CAPTCHA):

Force the user to interact with the application in order to complete the final request. For example, require the user to complete a verification code every time a form is submitted.

Add a token to the request and verify it (Anti-CSRF Token):

  1. When the server receives the request for a route, it generates a random number and, when rendering the page for that request, embeds the random number in the page (usually buried in the form, e.g. <input type="hidden" name="_csrf_token" value="xxxx">).
  2. The server also sets a cookie, placing the random number into the user's browser as a session or cookie value.
  3. When the user sends a GET or POST request, it carries the _csrf_token parameter (for a form submission this happens automatically, since the browser submits every input in the current form to the backend, including _csrf_token).
  4. After receiving the request, the backend parses the cookie in the request to obtain the _csrf_token value and compares it with the _csrf_token the user submitted; if they are equal, the request is legitimate.

Notes:

  1. The token is best kept in the session. If the token is stored in the cookie and the user's browser has many pages open (the same page opened several times), then after some of those pages have consumed the token and a new token has been planted, the remaining old tabs still hold HTML with the old token. The user is then left wondering why a page opened a few minutes earlier can no longer be submitted.
  2. Minimise the use of GET. If an attacker uploads a picture to our site, then when the user loads the picture the browser actually sends a request to the attacker's server, and that request carries a Referer holding the URL of the page the picture is on. If the interface uses the GET method, that URL has the form:
    https://xxxx.com/gift?giftId=...

Because the _csrf_token is part of that URL, this is equivalent to the attacker obtaining the token, and for a short time it can be used to operate other GET interfaces.

  3. Because a user's cookie is easily stolen through an XSS vulnerability in the site, this scheme is secure only when no XSS is present.

Check the Referer:

According to the HTTP protocol, there is a header field called Referer that records the source address of the HTTP request. The server checks the value of Referer: if it finds that the Referer is not a page of this site but a page of some external site, it can conclude that the request is illegitimate.

This is the same principle used to prevent image hotlinking.

  • Pros: the obvious benefit is simplicity. Ordinary site developers do not need to worry about CSRF vulnerabilities; all that is needed is one extra interceptor in front of all security-sensitive requests that checks the Referer value. Especially for existing systems, no existing code or logic has to change, so there is no risk and it is very convenient.
  • Cons: the Referer value is supplied by the browser. Although the HTTP protocol specifies it clearly, each browser may implement Referer differently, and there is no guarantee that the browser itself is free of security vulnerabilities. Relying on the Referer value means relying on a third party (the browser) for security, which in theory is not safe. For some older browser versions there are already several ways to tamper with the Referer value.
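The Referer check described above, as an added Node.js example that is not part of the original post. It also consults the Origin header when one is present, and compares the parsed origin rather than a string prefix so that look-alike hostnames are rejected; ALLOWED_ORIGIN and isSameOriginRequest are assumed names and the header values are constructed.

```javascript
// Added example: Referer/Origin check placed in front of security-sensitive requests.
// ALLOWED_ORIGIN is a constructed value standing in for the site's own origin.
const ALLOWED_ORIGIN = 'https://example.com';

// Returns true only when the request demonstrably came from our own origin.
// `headers` uses lower-case names, as Node's http module presents them.
function isSameOriginRequest(headers, allowedOrigin = ALLOWED_ORIGIN) {
  // Browsers attach an Origin header to cross-site POSTs; use it when present,
  // otherwise fall back to the Referer the post describes.
  const source = headers['origin'] || headers['referer'];
  // Strict policy: a request with neither header is rejected, because the
  // interceptor then has nothing it can verify.
  if (!source) return false;
  let url;
  try {
    url = new URL(source); // throws on "null" or on a malformed value
  } catch {
    return false;
  }
  // Compare scheme + host + port. A string prefix check such as
  // source.startsWith('https://example.com') would wrongly accept
  // https://example.com.attacker.test/ as well.
  return url.origin === new URL(allowedOrigin).origin;
}

// Demo with constructed request headers
console.log(isSameOriginRequest({ referer: 'https://example.com/settings' }));       // true
console.log(isSameOriginRequest({ referer: 'https://example.com.attacker.test/' }));  // false
console.log(isSameOriginRequest({}));                                                 // false
```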

Custom properties in the HTTP header

This method also uses a token for authentication. The difference from the previous method is that the token is not placed in the HTTP request as a parameter but in a custom HTTP header attribute. Through the XMLHttpRequest class, a csrftoken property can be added to the headers of all HTTP requests at once, with the token value placed in it.

References:

Understanding CSRF (Cross-Site Request Forgery)

On CSRF attacks

Summary of XSS (cross-site scripting) and CSRF (cross-site request forgery) attacks

CSRF attack principles and Node.js implementation and defense

Responding to CSRF attacks


Origin www.cnblogs.com/baimeishaoxia/p/12215299.html