The best "CSRF protection" brings you into the circle of prawns!
What is CSRF?
CSRF, short for Cross-Site Request Forgery, is an attack carried out through a malicious website. A CSRF attack forces the logged-in user's browser to send forged HTTP requests, including the user's session cookie and other authentication information, to a vulnerable web application. This lets the attacker make the user's browser send requests that the vulnerable application treats as legitimate. Compared with XSS, CSRF attacks are less well known (so resources on guarding against them are scarce) and harder to prevent. For this reason, CSRF attacks are considered more dangerous than XSS attacks.
CSRF Attack Process Overview
You visit trusted site A, which sets a cookie in your browser. You then visit site B, which contains attack code. Site B makes your browser send a request to site A under your identity; you neither approved this request nor intended to send it.
What are the dangers of CSRF?
With CSRF an attacker can do many things under the visitor's identity, including but not limited to leaking personal information; it may also endanger the victim's assets.
Common CSRF attacks
Common attack methods can be roughly divided into the following types:
<img> tag GET request
For example, an image whose src is a GET URL that changes the password of the currently logged-in user.
Uploading off-site images ......
Active submission of a Flash or hidden form
<form action="//rasp.oneasp.com/account/modifyPassword">
  <input type="hidden" name="new" value="123"/>
</form>
<script>document.forms[0].submit()</script>
How to defend against CSRF
Currently, most CSRF protection is implemented as verification and restriction on the server side. Client-side solutions are few and costly to implement. The following methods are used on the server:
Token Verification
This method filters more than 95% of CSRF attacks: a token is included when the form is submitted, and the server checks whether the token is valid. Only requests carrying a valid token are allowed; otherwise the current operation is rejected. The method has limitations, however: adding token verification to some GET requests (such as GET requests that fetch the current user's information) may require changing the backend API.
Referer Verification
In general, private APIs can reject requests whose Referer is not the current origin. When the whitelist of trusted sites is known, APIs shared by multiple sites (such as a permissions system) can be given a list of allowed origins. Note that many request headers contain no Referer at all, or contain an incorrect one.
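As an added example (not code from the original article), the following Python module shows how a Referer/Origin whitelist check should be written so that it handles the two pitfalls the section mentions: the header is often absent, and a naive string comparison is easy to get wrong. The trusted hosts www.oneasp.com and rasp.oneasp.com are the page's own example domains; the function names, the dict-based headers and the decision to reject requests with no Origin/Referer header are assumptions of this example.

```python
from urllib.parse import urlsplit


def origin_of(url):
    """Reduce a URL to its scheme://host[:port] origin, or None if unparseable.
    Default ports are dropped so https://a.example:443 equals https://a.example."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric or out-of-range port
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return "%s://%s" % (parts.scheme, parts.hostname)
    return "%s://%s:%d" % (parts.scheme, parts.hostname, port)


def referer_allowed(headers, allowed_origins):
    """Return (allowed, reason) for a request given its headers (a plain dict,
    assumed already case-normalised by the framework) and the whitelist of
    trusted site origins.

    Origin is consulted first because browsers send it on cross-site POSTs even
    when Referer is stripped; a request with neither header is rejected here,
    since the page notes that Referer is frequently absent and so its absence
    cannot be taken as proof of a same-site request.
    """
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "no Origin/Referer header"
    origin = origin_of(source)
    if origin is None:
        return False, "unparseable Origin/Referer"
    allowed = {origin_of(a) for a in allowed_origins}
    if origin in allowed:
        return True, "origin allowed"
    # Whole-origin comparison, not a prefix or substring match: this is what
    # rejects look-alike hosts such as www.oneasp.com.attacker.example.
    return False, "origin not allowed: " + origin


if __name__ == "__main__":
    # Constructed sample requests against the page's own hosts.
    trusted = ["https://www.oneasp.com", "https://rasp.oneasp.com:443"]
    print(referer_allowed({"Referer": "https://www.oneasp.com/account/modifyPassword"}, trusted))
    print(referer_allowed({"Referer": "https://www.oneasp.com.attacker.example/"}, trusted))
    print(referer_allowed({}, trusted))
```

The check compares whole origins (scheme, host and port), so a different scheme, a look-alike suffix domain, or a subdomain that is not on the list all fail; this is the "accessible origins" list the section describes, made precise.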
Hide token
Include a unique token in a hidden form field, so that it is sent in the HTTP request body rather than in the URL, where it would be exposed. The token can also be placed in the URL or passed as a URL parameter, but this carries a large risk: URLs are exposed to attackers, so the secret token leaks.
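The Token Verification and Hide token sections above describe the synchronizer token pattern in prose; as an added example (not code from the original article or from Flask-WTF), here is the server side of that pattern as a framework-agnostic Python module. It issues one unguessable token per session, renders it into a hidden field, accepts it either from the form body or from the X-CSRFToken header that the page's AJAX snippet sends, and skips the check for the same safe methods that snippet exempts. The session is assumed to be any dict-like server-side store, and `form` and `headers` are assumed to be plain dicts already parsed by the web framework.

```python
import hmac
import secrets

# Methods that must not change state and therefore skip the check; this is the
# same set the page's jQuery snippet exempts from sending X-CSRFToken.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
TOKEN_FIELD = "csrf_token"    # hidden-field name, matching the Flask-WTF examples
TOKEN_HEADER = "X-CSRFToken"  # header name, matching the AJAX example


def issue_token(session):
    """Return this session's token, generating it on first use.

    `session` is any dict-like server-side session store (assumed). One
    unguessable token per session is the synchronizer token pattern.
    """
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def hidden_field(session):
    """Render the hidden <input> that carries the token in the POST body
    instead of in the URL (the "hide token" method)."""
    return '<input type="hidden" name="%s" value="%s"/>' % (
        TOKEN_FIELD, issue_token(session))


def verify_request(session, method, form=None, headers=None):
    """Decide whether a request may proceed. Returns (allowed, reason).

    `form` is the parsed request body and `headers` the request headers
    (both plain dicts here; a real framework normalises header case).
    """
    if method.upper() in SAFE_METHODS:
        return True, "safe method"
    expected = session.get(TOKEN_FIELD)
    if not expected:
        # A session that never rendered a form cannot have a valid token.
        return False, "no token issued for this session"
    submitted = (form or {}).get(TOKEN_FIELD) or (headers or {}).get(TOKEN_HEADER)
    if not submitted:
        return False, "token missing"
    # Constant-time comparison so the check does not leak the token
    # one byte at a time through timing differences.
    if not hmac.compare_digest(expected.encode(), str(submitted).encode()):
        return False, "token mismatch"
    return True, "token valid"


if __name__ == "__main__":
    # Constructed walk-through: the forged form from the "hidden form" example
    # above carries only new=123 and no token, so it is rejected, while the
    # site's own form (rendered with hidden_field) is accepted.
    sess = {}
    print(hidden_field(sess))
    print(verify_request(sess, "POST", form={"new": "123"}))
    print(verify_request(sess, "POST", form={"new": "123", TOKEN_FIELD: issue_token(sess)}))
```

The attacker's page cannot read the victim's session or the hidden field (the same-origin policy blocks that), so a forged form or auto-submitted request arrives without the token and is rejected; the GET limitation the section mentions is visible in the code too, since every GET passes without a token.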
CSRF protection in Flask
flask-wtf
After Flask 0.9.0, you can use Flask-WTF to defend against CSRF attacks. Flask-WTF enables CSRF protection for all submitted forms by default.
WTF token
<form method="post" action="https://www.oneasp.com">
  {{ form.csrf_token }}
</form>
Token for non-WTF forms
When a non-WTF form is used, place the token in a hidden field and submit it together with the form.
<form method="post" action="https://www.oneasp.com">
  <input type="hidden" name="csrf_token" value="{{ csrf_token() }}" />
</form>
AJAX token
The Ajax token can be placed in a hidden field or in another tag; the token is read with JavaScript and sent along with Ajax requests.
<script type="text/javascript">
  var csrftoken = "{{ csrf_token() }}";
  // or: var csrftoken = $('meta[name=csrf-token]').attr('content');
  $.ajaxSetup({
    beforeSend: function (xhr, settings) {
      // Only state-changing, same-origin requests carry the token
      if (!/^(GET|HEAD|OPTIONS|TRACE)$/i.test(settings.type) && !this.crossDomain) {
        xhr.setRequestHeader("X-CSRFToken", csrftoken);
      }
    }
  });
</script>
Custom logic after failed CSRF verification
Flask-WTF provides the decorator @csrf.error_handler so that the response returned when CSRF verification fails can be customised.
from flask import render_template

# csrf is the CSRFProtect instance bound to the app
@csrf.error_handler
def csrf_error(reason):
    # Render a custom error page with the failure reason and return HTTP 400
    return render_template('csrf_error.html', reason=reason), 400