What is a CSRF attack?

 
What is CSRF?

CSRF-Cross-site Request Forgery literally refers to Cross-site Request Forgery, which is usually used for this type of WEB site vulnerability, that is, on a page of a malicious site, urge visitors to request a URL of your website (usually POST data) to change the server data. This type of attack relies on forms on your web pages. Vulnerable forms are vulnerable to attacks. Visitors to your website may be attacked as follows:

* Logs of attackers outside your website (for example, Slashdot );
* Modify the settings of attackers on your website (for example, Google );
* Modify your hardware firewall;
* Use the attacker's logon information to post comments or messages on your website;
* An anonymous message is sent using the IP address of the attacker;
* Transfer funds to another user account.

CSRF attacks are typical for websites that use cookies to record logon information. However, such attacks also work for pages (such as intranets) that allow access from an IP address.

CSRF attacks usually use JavaScript (but not limited to JavaScript) to automatically submit forms across sites-the form data can be hidden, and the submit button can be disguised as a link or a scroll bar.

How to Prevent CSRF Vulnerabilities

* Determine whether CGI that accepts server data that can be changed only accepts POST parameters, but does not accept GET parameters. By default, some server languages accept parameters submitted in both ways;
* Make sure that the form is submitted to process your own form. You can use a hidden field to store the MD5 string, this string is the result after MD5 is performed on the login cookie data and the key stored on the server. The form data is accepted only when the MD5 string is correct;
* You can also add a more rigorous method: Add a hidden timestamp field to the form and include it in the hash string. If the timestamp exceeds a certain time, the form has expired. When the form expires, a method is provided to allow the user to resubmit the form. For example, the user still enters the data filled in the form, but uses a new hash string.

A PHP form example with the form code:
<? Php
$ Key = y8s4Z 7m2; // MD5 encryption key
$ Time = time (); // current time
$ Hash = md5 ($ time. $ key); // hash string
?>
<Form method = "post" action = "comment. php">
<P> Your name: <input type = "text" name = "person_name"/> </p>
<P> Comment: <br/> <textarea name = "comment" rows = "10" cols = "60"> </textarea> </p>
<Input type = "hidden" name = "time" value = "<? Php echo $ time;?> "/>
<Input type = "hidden" name = "hash" value = "<? Php echo $ hash;?> "/>
<P> <input type = "submit" name = "comment" value = "Submit Comment"/> </p>
</Form>
Code of the comment. php background handler after the form is submitted:

<? Php
$ Key = y8s4Z 7m2; // key, consistent with the preceding
$ Expire = 1800; // form expiration time: half an hour
$ My_hash = md5 ($ _ POST [time]. $ key); // The correct hash string
If ($ my_hash! = $ _ POST [hash]) // The hash string is incorrect.
Die (illegal form submission .);
If (time ()-$ _ POST [time]> $ expire ){
// The form has expired. A new Timestamp and hash string are generated. The display form allows users to submit the form again. (Omitted here)
//....
}
// After the Form Verification is passed, you can accept the data submitted by the form and perform other operations.
//....
?>
Do not protect your website users from CSRF attacks by using the Referer header information.

References:
Html # CSRF href = "http://www.squarefree.com/securitytips/web-developers.html#CSRF" target = _ blank>Security tips for web developers