Analysis and Prevention of CSRF attacks

Source: Internet
Author: User

Add the tag {% csrf_token %} to the Django form. Otherwise Django rejects the submission in order to prevent CSRF attacks:

    <form action="/summit_question" method="post">
        ......
    </form>

    <!-- Error -->
    Forbidden (403)
    CSRF verification failed. Request aborted.

CSRF stands for Cross-site Request Forgery. When a user visits a malicious website, a forged request is generated and sent to the target server. The user's cookie is carried along with the forged request, and the server cannot tell a genuine request from a forged one, so data is submitted or even modified, causing loss to the user.

Suppose James suffers a severe CSRF attack. James gets up in the morning and logs on to shopping.com. After logging in, he opens a malicious website in a new tab and clicks a button or image on it. When he returns to shopping.com, he finds that his account holds $1000 less than before.

This is only an assumption; a real shopping website would not be this naive. Let us look at how it works. James successfully logs on to shopping.com, and his browser saves the cookie for the site (note that the login or authorization information is kept in this cookie). At the same time, assume that the shopping.com interface for transferring $1000 to account 123456 is:

    http://shopping.cm/Transfer.html?toAccount=123456&money=1000

The generated HTTP request may look like:

    GET http://shopping.cm/Transfer.html?toAccount=123456&money=1000
    ...
    Cookie: XXXXXXXXXX...

The attacker writes a link containing an image, in a format like:

    <a href="daoluan.net"> </a>

James clicks the link, and when his browser tries to load the image it sends the request above together with the cookie. The server receives the request, verifies that the cookie is valid, and modifies the data, that is, transfers $1000 to account 123456.
Yes, an HTTP request of this form is generated while the image loads. Of course, an e-commerce site like shopping.com would not perform transfers over a plain HTTP GET; the nature of GET means its parameters are exposed in the link. So is POST the safe choice? No: the attacker simply writes a form whose method is POST to achieve the same goal.

The above is a serious case. A milder CSRF case is that James logs on to a website and a comment is submitted in his name.

There are two ways to prevent CSRF:

1. Check the Referer field in the HTTP header. The server checks whether the Referer is its own site; if not, the request is rejected.
2. Embed a hidden field (type="hidden") in the form and check its value when the form is submitted. The value of the hidden field can be an MD5 hash of some information about the form together with a secret on the server. Another feasible approach is for the server to generate a one-time string for each form; Django uses this method. After the form is submitted, the server checks whether the value is valid.
3. A combination of the two.

The first method is easy to bypass: modifying the Referer field in the HTTP header is enough, and it is also said that users can configure their browser not to send the Referer. The second method puts extra load on the server database, and an expiration time must be set for the hidden field value. On balance, the second method is preferable.

CSRF attacks usually use JavaScript to submit the cross-site form automatically. However, a malicious site does not need JavaScript to make a user submit a form to another site, because the form can be hidden and its submit button disguised as an ordinary button. Put bluntly, HTTP is a stateless protocol: between one request and the next, the web server cannot tell whether they come from the same browser (user).
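The combined approach (method 3) as an added example, not code from the original post or from Django: a one-time token issued per form, bound to the session and given an expiration time, plus a Referer check; SITE_HOST, CsrfGuard and handle_transfer are assumed names, and the token store is an in-memory dict standing in for the server database the post mentions.

```python
import hmac
import secrets
import time
from urllib.parse import urlparse

# Assumed site host; the post uses shopping.com as its example.
SITE_HOST = "shopping.com"
TOKEN_TTL = 600  # hidden-field tokens expire after 10 minutes


class CsrfGuard:
    """One-time, per-form tokens bound to a session, with expiry."""

    def __init__(self, ttl=TOKEN_TTL, clock=time.time):
        self._tokens = {}  # token -> (session_id, expires_at)
        self._ttl = ttl
        self._clock = clock  # injectable so expiry can be tested

    def issue(self, session_id):
        """Called when rendering the form; the value goes into the hidden field."""
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (session_id, self._clock() + self._ttl)
        return token

    def validate(self, session_id, submitted):
        """Called on submit. pop() makes the token single-use."""
        entry = self._tokens.pop(submitted, None)
        if entry is None:
            return False
        owner, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(owner, session_id)


def referer_ok(headers):
    """Method 1: accept only requests whose Referer names our own host."""
    ref = headers.get("Referer")
    return bool(ref) and urlparse(ref).hostname == SITE_HOST


def handle_transfer(guard, session_id, headers, form):
    """Method 3: both checks must pass before the state change runs."""
    if not referer_ok(headers):
        return 403, "bad or missing Referer"
    if not guard.validate(session_id, form.get("csrf_token", "")):
        return 403, "CSRF verification failed"
    return 200, f"transferred {form['money']} to {form['toAccount']}"
```

A forged request from another site carries the victim's cookie (the session_id here) but neither a valid token nor the expected Referer, so it is rejected before any transfer happens.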
Many websites still work like this: the session is kept on the server and combined with the cookie in the client browser; simply put, the cookie saved by the client browser has a one-to-one relationship with the session stored on the server. Once a third party obtains the cookie value saved by the client browser, the next attack is easy. Recently I developed a school library application on the WeChat public platform for searching books and querying a user's borrowing records in the library. It should not have been possible to open an interface with the school, so this is in fact a CSRF-like attack. If you are a Chinese teacher, you can follow the public account betalife.

Reference: http://www.squarefree.com/securitytips/web-developers.html#CSRF

2013-07-23 http://daoluan.net/blog
