What is a csrf attack?

Csrf-Cross-Site Request Forgery literally refers to cross-site Request Forgery, usually used for this type of web siteVulnerabilitiesThat is, on a malicious website page, the visitor is prompted to request a URL of your website (usually using the post data method), so as to change the server data. This type of attack relies on forms on your web pages. Vulnerable forms are vulnerable to attacks. Visitors to your website may be attacked as follows:

* Logs of attackers outside your website (for example, Slashdot );
* Modify the settings of attackers on your website (for example, Google );
* Modify your hardware firewall;
* Use the attacker's logon information to post comments or messages on your website;
* An anonymous message is sent using the IP address of the attacker;
* Transfer funds to another user account.

Csrf attacks are typical for websites that use cookies to record logon information. However, such attacks also work for pages (such as intranets) that allow access from an IP address.

Csrf attacks usually use JavaScript (but not limited to Javascript) to automatically submit forms across sites-the form data can be hidden, and the submit button can be disguised as a link or a scroll bar.

How to Prevent csrfVulnerabilities

* Determine whether CGI that accepts server data that can be changed only accepts post parameters, but does not accept get parameters. By default, some server languages accept parameters submitted in both ways;
* Make sure that the form is submitted to process your own form. You can use a hidden field to store the MD5 string, this string is the result after MD5 is performed on the login cookie data and the key stored on the server. The form data is accepted only when the MD5 string is correct;
* You can also add a more rigorous method: Add a hidden timestamp field to the form and include it in the hash string. If the timestamp exceeds a certain time, the form has expired. When the form expires, a method is provided to allow the user to resubmit the form. For example, the user still enters the data filled in the form, but uses a new hash string.