CSRF can be understood in terms of two ideas: XSS and the confused deputy.
The "deputy" in the confused deputy is the user's browser. CSRF relies on the way the browser works: after a user logs on to a site, the user's identity is stored in a cookie (a session cookie or a persistent cookie), and because the browser attaches that cookie to every request it sends to the site, the site takes each such request as a genuine request from the user.
Using XSS together with the browser as a confused deputy to attack the user is the core of CSRF.
CSRF makes the user, unknowingly and with the user's own real credentials, execute a malicious script or link planted by an attacker, causing an operation the user did not intend.
Block CSRF
Three methods to block CSRF:
(1) Token verification:
ASP.NET MVC provides a good defence against CSRF attacks by verifying that the user voluntarily submitted the data to the site. The simplest way to do this is to insert a hidden INPUT element with a unique value into each form. The @Html.AntiForgeryToken() helper generates an input control of type hidden with an encrypted value. That value corresponds to another value stored in the user's browser as a session cookie, and when the form is submitted, an action filter verifies that the two values match (add the ValidateAntiForgeryToken attribute to the corresponding action). This approach prevents most CSRF attacks, but it does not defend against every form of CSRF.
(2) Keep GET requests idempotent
An operation is idempotent if repeating it does not change the result of the execution. In general, if modifications to the database or to the site's content are made only through POST requests, you can effectively defend against all CSRF attacks.
(3) HTTP Referer verification
HTTP Referer validation is handled through an action filter. You need to write a custom filter and, inside it, check whether FilterContext.HttpContext.Request.UrlReferrer.Host is the same as the site's host name.
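The three methods combined in one ASP.NET MVC controller, as an added example rather than code from the original article: a custom filter that rejects requests whose Referer host differs from the site's host (treating a missing Referer as untrusted), a GET action that only shows the form, and a POST action protected by ValidateAntiForgeryToken. The names ValidateRefererAttribute, AccountController and ChangeEmail are assumptions.

```csharp
using System;
using System.Web.Mvc;

// Assumed name. Rejects a request whose Referer header is missing or whose
// host differs from the host of the site that received the request.
public class ValidateRefererAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        Uri referrer = request.UrlReferrer;   // null when no Referer header was sent

        // A missing Referer is treated as untrusted: browsers, privacy settings and
        // proxies often strip it, and an allow-on-missing policy would leave a gap.
        bool sameHost = referrer != null
            && string.Equals(referrer.Host, request.Url.Host,
                             StringComparison.OrdinalIgnoreCase);

        if (!sameHost)
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Referer check failed");
            return;   // the action never runs
        }
        base.OnActionExecuting(filterContext);
    }
}

// Assumed controller and action names.
public class AccountController : Controller
{
    // GET stays idempotent: it only renders the form and changes nothing.
    // The view for this action should include @Html.AntiForgeryToken() inside its form,
    // which emits the hidden input whose value is paired with the anti-forgery cookie.
    [HttpGet]
    public ActionResult ChangeEmail()
    {
        return View();
    }

    // The state change is POST-only, verifies the hidden token against the cookie,
    // and additionally verifies the Referer host.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [ValidateReferer]
    public ActionResult ChangeEmail(string newEmail)
    {
        // ... update the current user's e-mail address here ...
        return RedirectToAction("Index");
    }
}
```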
2. Security vectors in web applications: CSRF/XSRF (cross-site request forgery)