Python full Stack series---XSS cross-site scripting attacks and CSRF (XSRF) attacks

XSS Cross-site scripting attack: A malicious attacker inserts malicious script code into a Web page, and when the user browses to the page, the script code embedded inside the Web is executed to achieve the purpose of malicious attacks on the user.

For example, some forums allow users to speak freely without detecting the user's input data, which is displayed directly on the page.

If the user enters some CSS style code, the HTML table code, displayed on the page, will change the layout of the page.

If you enter some JS code to get other users ' files, or to modify local files, you can send user cookies and other information to your computer to impersonate the user login

Can usually be handled by the function Htmlspecialchars (PHP) or the regular or template itself

XSRF (CSRF) cross-site request forgery:

Reproduced from this site, the analysis is very good

CSRF Attack Instances:

The victim Bob has a deposit at the bank, and by sending a request to the bank's website Http://bank.example/withdraw?account=bob&amount=1000000&for=bob2 can make Bob 1000000 of the deposit is transferred to BOB2 's account. Typically, after the request is sent to the Web site, the server verifies that the request is from a valid session and that the user Bob of the session has successfully logged in.

The hacker Mallory himself has an account with the bank and knows that the URL above can transfer money. Mallory can send a request to the bank by itself: Http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory. But this request comes from Mallory, not Bob, who cannot pass security authentication, so the request will not work.

At this time, Mallory think of using CSRF attack way, he first make a website, put the following code in the site: src= "http://bank.example/withdraw?account=bob&amount=1000000 &for=mallory "and lured Bob to visit his website by advertising. When Bob visits the site, the above URLs are sent from Bob's browser to the bank, which is sent to the bank server with a cookie from Bob's browser. In most cases, the request fails because he requires BOB's authentication information. However, if Bob had just visited his bank shortly after, the session between his browser and the bank's website had not expired, and the browser's cookie contained Bob's authentication information. At this point, the tragedy occurred, the URL request will be answered, the money will be transferred from Bob's account to Mallory's account, and Bob was not informed. After Bob found that the account was less money, even if he went to the bank to check the log, he can only find that there is a legitimate request from his own transfer of funds, without any traces of attack. And Mallory can get the money and go unpunished.

One of the interception methods: Token

The success of the CSRF attack is because the hacker can completely forge the user's request, all the user authentication information in the request is in the cookie, so the hacker can directly use the user's own cookie to pass the security authentication without knowing the authentication information. The key to defending against CSRF is to put in the request information that the hacker cannot forge, and that the information does not exist in the cookie. A randomly generated token can be added as a parameter in an HTTP request, and an interceptor is established on the server side to verify the token, and if no token or token content is incorrect in the request, it may be rejected as a CSRF attack.

Python uses token to process code: (since the token data does not exist in the cookie, the user cannot directly use the cookie to impersonate the login status to send the request, the user must first get a request for that page to obtain token, You can then enclose the token submission data request. Of course, this method is not completely preventable)

In the front-end, the form form adds data to the INPUT:_XSRF hidden tag, and also generates a COOKIE:_XSRF for that user to be stored in the user's cookie.

This token can be passed through the form form, or the token data can be passed to the server for identification via AJAX

classCsrfhandler (Baserequesthandler): DefGet(Self, *args, * *Kwargs): Self.render ('csrf.html') def post (self,*args, * *Kwargs): Self.write ('Submit') Settings={    'Template_path':' views',    'Static_path':'statics',    'Cookie_secret':'Dafawafawfaw',    'xsrf_cookies': True,}

View CodeForm

<form action="/CSRF"Method="Post">        {% Raw xsrf_form_html ()%}        <input type="text"Name="nm"/> <input type="Password"Name="Pawd"> <input type="Submit"Value="Submit"> </form>

View CodeJs

function GetCookie (name) {varR = Document.cookie.match ("\\b"+ name +"=([^;] *) \\b"); returnR? r[1]: undefined;} Jquery.postjson=function (URL, args, callback) {ARGS._XSRF= GetCookie ("_XSRF"); $.ajax ({url:url, data: $.param (args), DataType:"text", type:"POST", Success:function (response) {Callback (eval ("("+ Response +")")); }});};

View Code

Python full Stack series---XSS cross-site scripting attacks and CSRF (XSRF) attacks