Several current CSRF defense strategies

Verifying the HTTP Referer field

According to the HTTP protocol, there is a header field called Referer that records the source address of the HTTP request. Under normal circumstances, a request for a security-restricted page on a site comes from the same site. For example, to access http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory, the user must first log in to bank.example and then trigger the transfer by clicking a button on a page there. The Referer of the transfer request is then the URL of the page carrying the transfer button, which normally begins with the bank.example domain. If a hacker wants to mount a CSRF attack against the bank's site, he can only construct the request on his own site, so when the user's browser sends that request to the bank, its Referer points at the hacker's site. To defend against CSRF, the bank site therefore only needs to verify the Referer of every transfer request: if it begins with the bank.example domain, the request came from the bank's own site and is legitimate; if the Referer is anything else, it may be a CSRF attack and the request is rejected.

The obvious advantage of this method is its simplicity: ordinary website developers do not need to worry about CSRF vulnerabilities at all; they only need to put a single interceptor in front of all security-sensitive requests that checks the Referer value. For an existing system this is especially attractive, because none of the current code or logic has to change, there is no risk, and it is very convenient.

However, this method is not foolproof. The Referer value is supplied by the browser. Although the HTTP protocol specifies it clearly, each browser may implement Referer somewhat differently, and there is no guarantee that the browser itself is free of security vulnerabilities. Relying on Referer verification means relying on a third party (the browser) to guarantee safety, which in theory is not safe. In practice, for some browsers such as IE6 or FF2, there are already several ways to tamper with the Referer value. If the bank.example site supports IE6, a hacker can set the Referer of the user's browser to an address beginning with the bank.example domain, pass the verification, and carry out the CSRF attack.

Even with the latest browsers, where the hacker cannot tamper with the Referer, the method is still questionable. Because the Referer records where the user came from, some users feel that it violates their privacy, and some organizations in particular worry that internal information will leak to the outside network through Referer values. Such users can configure their browser so that it no longer sends a Referer with requests. When they then visit the bank site normally, the site sees no Referer, treats the request as a CSRF attack, and denies access to a legitimate user.
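The Referer interceptor described in this section, as an added example that is not part of the original article. It assumes a plain `dict` of request headers and the constructed site host `bank.example`; the comparison is done on the parsed hostname, and a missing Referer is rejected, which reproduces the lockout of privacy-conscious users just described.

```python
from urllib.parse import urlsplit

SITE_HOST = "bank.example"   # constructed: the site being protected


def referer_is_trusted(headers: dict, site_host: str = SITE_HOST) -> bool:
    """Interceptor decision for one security-sensitive request.

    True only when a Referer is present and its host is exactly the
    protected site's host. A request with no Referer at all (a browser
    configured not to send one) is rejected, which is exactly the
    legitimate-user lockout described above.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # Compare the parsed hostname, not a string prefix: a raw
    # startswith("http://bank.example") test would also accept any
    # longer hostname that merely begins with those characters.
    return (parts.hostname or "") == site_host.lower()
```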

Adding a token to the request address and verifying it

CSRF attacks succeed because the hacker can forge the user's request completely: all of the user's authentication information is stored in the cookie, so the hacker can pass security validation without knowing that information, simply by letting the browser send the user's own cookie. To resist CSRF, the key is to put information into the request that the hacker cannot forge, and that information must not live in the cookie. A randomly generated token can be added as a parameter of the HTTP request, and an interceptor on the server side validates it; if a request carries no token, or the token is incorrect, it is treated as a likely CSRF attack and rejected.

This method is safer than the Referer check. The token can be generated and placed into the session after the user logs in; on each request the server takes the token out of the session and compares it with the token in the request. The difficulty of the method is how to attach the token to the request as a parameter. For GET requests the token is appended to the request address, so the URL becomes http://url?csrftoken=tokenvalue. For POST requests a hidden field carrying the token is appended to the end of the form, which adds the token as a request parameter. But a site may accept requests in a great many places, and adding the token to every one of them is tedious and easy to miss, so the common approach is to use JavaScript every time a page loads to traverse the whole DOM tree and add the token to every a and form tag. This takes care of most requests, but it has no effect on HTML generated dynamically after the page has loaded; there the programmer must still add the token by hand.

Another disadvantage is that it is hard to keep the token itself secure. On a site like a forum, where users can publish their own content, a hacker can post the address of his own site. Because the system appends the token to that address, the hacker can read the token on his own site and immediately launch a CSRF attack. To avoid this, the system can add a check when attaching tokens: the token is added only if the link points to the site itself, and not to links going out to the outside network. However, even when no csrftoken parameter is attached to the request, the hacker's site can still obtain the token value through the Referer and use it to launch a CSRF attack. This is another reason some users prefer to turn off the Referer function in their browser by hand.
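The parameter-based token scheme of the last three paragraphs, as an added example that is not the article's own code: the token is issued once per session, attached to GET links and POST forms only when the link stays on the site (the check suggested above for user-published links), and verified by a server-side interceptor. The site host `bank.example`, the session `dict` and the hidden-field markup are assumptions of this example.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

SITE_HOST = "bank.example"   # constructed: the protected site
PARAM = "csrftoken"          # request parameter name used in the text


def issue_token(session: dict) -> str:
    """Create the token once after login and keep it in the session."""
    if PARAM not in session:
        session[PARAM] = secrets.token_urlsafe(32)
    return session[PARAM]


def is_own_site_link(url: str, site_host: str = SITE_HOST) -> bool:
    """Relative links and links whose host is the site itself count as own."""
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        return True
    return (parts.hostname or "").lower() == site_host.lower()


def add_token_to_link(url: str, token: str) -> str:
    """Append csrftoken=... to a GET link, but only when the link stays on
    the site, so the token is never written into a link to an outside
    address published by another user."""
    if not is_own_site_link(url):
        return url
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode({PARAM: token})


def hidden_field(token: str) -> str:
    """Hidden input appended to the end of a POST form (assumed markup)."""
    # token_urlsafe() only yields [A-Za-z0-9_-], so no HTML escaping is needed.
    return '<input type="hidden" name="%s" value="%s"/>' % (PARAM, token)


def token_is_valid(session: dict, request_params: dict) -> bool:
    """Server-side interceptor: no token or a wrong token means reject."""
    expected = session.get(PARAM)
    supplied = request_params.get(PARAM)
    if not expected or not supplied:
        return False
    # Constant-time comparison so the token is not leaked through timing.
    return hmac.compare_digest(expected, supplied)
```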

Adding a custom attribute to the HTTP header and verifying it

This method also uses a token for verification; the difference from the previous method is that the token is not placed in the HTTP request as a parameter but in a custom attribute of the HTTP header. Through the XMLHttpRequest class, a csrftoken attribute can be added to the HTTP header of all requests of this class in one place, with the token value put into it. This removes the inconvenience of attaching the token to each request, and at the same time, because addresses requested through XMLHttpRequest are not recorded in the browser's address bar, there is no need to worry about the token leaking to other sites through the Referer.

However, this method has very large limitations. XMLHttpRequest requests are usually used by Ajax for partial asynchronous page refreshes; not every request is suitable for being initiated through this class, and pages obtained through it are not recorded by the browser, so forward, back, refresh, bookmarking and other operations cannot be performed, which is inconvenient for the user. Moreover, to protect a legacy system that has no CSRF protection with this approach, every request would have to be changed into an XMLHttpRequest request, which amounts to rewriting almost the whole site, a price that is clearly unacceptable.
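The server side of the custom-header scheme, as an added example rather than the article's code. It assumes the page's JavaScript sets the header with `xhr.setRequestHeader("csrftoken", token)` and that the server stores the token in the session under the constructed key `csrftoken`; the two sample requests are constructed to show why a forged form submission, which carries the cookie but no custom header, fails the check.

```python
import hmac

SESSION_KEY = "csrftoken"   # token stored server-side at login (assumed key)
HEADER_NAME = "csrftoken"   # custom header attribute, as named in the text


def _normalize(headers: dict) -> dict:
    # HTTP header names are case-insensitive; compare them in lower case.
    return {k.lower(): v for k, v in headers.items()}


def header_token_is_valid(session: dict, headers: dict) -> bool:
    """Interceptor for the header-based scheme.

    The token is taken from the custom request header only. Query
    parameters, form fields and cookies are deliberately ignored, so a
    forged form submission, which carries the victim's cookie but cannot
    set custom headers, has nothing the interceptor will accept.
    """
    expected = session.get(SESSION_KEY)
    supplied = _normalize(headers).get(HEADER_NAME)
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)


# Constructed sample requests as the server would see them.
SESSION = {SESSION_KEY: "constructed-session-token"}

XHR_REQUEST = {                # sent by the site's own page via
    "Cookie": "sid=abc",       # xhr.setRequestHeader("csrftoken", token)
    "CSRFToken": "constructed-session-token",
}
FORGED_FORM_POST = {           # auto-submitted form on another site: the
    "Cookie": "sid=abc",       # browser attaches the cookie, but a form
    "Content-Type": "application/x-www-form-urlencoded",  # adds no headers
}


def demo() -> dict:
    """Outcome of the interceptor for the two constructed requests."""
    return {
        "xhr": header_token_is_valid(SESSION, XHR_REQUEST),
        "forged_form": header_token_is_valid(SESSION, FORGED_FORM_POST),
    }
```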


Origin blog.csdn.net/qq_40432713/article/details/104494350