Brief analysis on CSRF attack

I. Introduction of CSRF

CSRF (Cross-site request forgery cross-site requests forgery), also known as "one click Attack" or session riding, is usually abbreviated as CSRF or XSRF, which is a malicious use of the site.

CSRF is a Web browser-dependent, obfuscated proxy attack (deputy attack).

CSRF compared with the previous said XSS, there are less, the prevalence is not high, but once the emergence, is a great hazard, difficult to defend (because of the impact of business and user experience). The nature of the CSRF attack is that the attacker steals the identity of a legitimate user and makes illegal operations in the name of the user.

Second, CSRF advanced

There are two types of cookies held by browsers: one is "sesion cookie", also known as "temporary cookie", and the other is "Third-party cookie", also known as "local Cookie". The difference between the two is that the Third-party cookie is the server specified expire time at Set-cookie, only the cookie expires after expire time, so the cookie is stored locally; Session The cookie does not specify a expire time, so closing the browser will void the Session cookie.

In the process of browsing the site, if a site set up a Session cookie, then in the browser process for the life cycle, a timely browser heart open a tab page, session cookie is also valid, session The cookie is stored in the memory space of the browser process. CSRF attacks are built on top of the conversation.

To summarize, a csrf attack requires two conditions:

1. CSRF attack is established in the browser and server session;

2, deceive users to access the attack URL;

Browsers also have some security policy defenses, IE is safe to consider, by default, the browser in the ,<iframe>,<scrtpt>,<link> and other tags to send third-party cookies. In Firefox, the default policy is to allow third-party cookies to be sent.

P3p

P3P is a standard known as the Personal Privacy Security Platform Project (the Platform for Privacy Preferences) that protects online privacy and allows Internet surfers to choose whether to be collected and used by third parties when browsing the Web. If a site does not comply with the P3P standard, then the cookie about it will be automatically rejected, and P3P can also automatically detect how many cookies are embedded. P3P was developed by the Global Information Alliance network.

With the development of Internet, the development of e-commerce is also very rapid. This new approach to trade, which gives people unimaginable convenience, also brings with it the hassle of past cash-trading patterns-revealing personal privacy data through the Internet. (Platform for Privacy Preferences) is a new technology that can provide this privacy protection strategy and is being embraced by more and more technical people.

Java implementation: Adding a response in the response header

Response.setheader ("P3P", "cp=/" CURa ADMa DEVa Psao psdo our BUS UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP cor/"");

Be careful not to misuse the P3P attribute to avoid a security risk.

The essential reason for the success of the CSRF attack is that all parameters of the important operation can be guessed by the attacker.

III. Defense of the CSRF

3.1 Verification Code

The CAPTCHA is the most concise and effective defense method against CSRF attacks. However, given the user experience, it is best to use the verification code in an important operation. So at the time of payment can be seen once again enter the password or verification code requirements.

3.2 Obfuscation parameters

CSRF attacks are mostly attacked by constructing URLs, so you can add random numbers or confusion to URL requests.

http://www. Xxxxxx.com/xxxxx.php?url= Rhfk000yh1ercqswbvudjjv3ru5qictgytrai04fzhnncmgnz8oyoc3xljslxxilk4uhf91jvgzefuxujpj4izlofzkfzglb7bu_ Tzmwaisla9d2-f4ndeuyqyp8uvxhbw1w0wy.7y_ Ifkr5qzwy8bhcwkzwhaqhwky5bwji64qt7jhzk8shfgmqx-oco3zgkfyt8-p1ta-bzzjdsrp5qfhpgmssxh9lqrzd_ssxh9vutr1dssxej_ Syzx8ssxej_lmimaz1c_ Hz4xl54xpmucyr1wgvy0.thdxnhf1pw6vnhd1pfkyth7buy-b5hm4njd0mvq1i7qzmy4o5h00tlnbty-b5hdyn1m3pwdkn1rlnwnlp10zpwb0ugw4tarqnhd0 Uy-b5h00uyw-tvpgujys0ap_pypoglw4tarqn6ksuwyk0zw-thdguh7_5h00xmfqtvn_ U6kstjykp101rhnyp1c0mywgujyznh04n161p1dspfkgtdqlpgf-uan1t1ys0an3ijd9mvp-tlprxgk-rhdsr1vsih-brwdyn1m3pwdkn1rlnwnlp10zpwber V-1n-pfrw0erlkzuvwdmlwrxgk-rwnknjcerlw1tv-brmngc10hmmpfumpdth78mvrwnbubty-8ihn1iankfhf1haq9ubnz0apzm1ylpjrk &ck=2818.174.177.351.22.678.292.1631

3.3 Token

Request to join token is the best way to defend csrf at present, the frame level of the application is high, the user's session validity is not too long.

Token defense focuses on the generation, preservation, validation, and invalidation of tokens.

1, token generation: Timestamp + random number, length 16--20 bit, time stamp is to determine whether token is invalid;

2, token can only be used once, and only in the important operation of the check token;

3, Token Save: Backstage: Distributed cache system; Front page Label: <meta name= "Csrf_token" content= "14232454567687456486796"/>;

4. Construct a secure link URL via JavaScript, with token;

This article is from the "dream to think XI" blog, please be sure to keep this source http://qiangmzsx.blog.51cto.com/2052549/1674208

Brief analysis on CSRF attack