CSRF Attack and Defense

Source: Internet
Author: User
Tags: csrf, attack

1. Introduction

CSRF stands for Cross-site request forgery; its Chinese name translates literally as "cross-site request forgery" (forging a request across sites).

CSRF is an attack that makes a logged-in user perform unintended operations on a web application. Compared with XSS: CSRF exploits the website's trust in the user's browser, while XSS exploits the user's trust in the website.


2. CSRF attack principles

The principle of a CSRF attack (the original post's figure is not reproduced here) can be seen from the game website's transfer link. A legitimate transfer of 1000 virtual coins to user 11 is a plain GET request:

http://www.game.com/Transfer.php?toUserId=11&vMoney=1000


3. CSRF attack examples

3.1 Low-level CSRF attacks

In this case, the malicious attacker's website constructs a similar link:

http://www.game.com/Transfer.php?toUserId=20&vMoney=1000 # toUserId=20 is the attacker's own account ID

1. The link can be hidden inside an image on the attacker's page, so the third-party URL is requested automatically as soon as the page is opened.

2. JavaScript can also be used to trigger the same request.


1. The client has logged on to www.game.com, so the client's browser holds the game website's authentication cookie.

2. The client then opens another tab and visits the malicious attacker's website, which makes the browser request the game website through the link constructed above.

3. The browser automatically attaches the game website's cookie to that request. As soon as the link is loaded, 1000 of the victim's virtual coins are gone.

3.2 Medium-level CSRF attacks

The game website administrator recognizes the vulnerability and upgrades the site.

The data is now submitted through a POST form instead of a GET link.

<!-- Submit a data form -->
<form action="./Transfer.php" method="POST">
  <p>toUserId: <input type="text" name="toUserId" /></p>
  <p>vMoney: <input type="text" name="vMoney" /></p>
  <p><input type="submit" value="Transfer" /></p>
</form>


Transfer.php

<?php
session_start();
if (isset($_REQUEST['toUserId']) && isset($_REQUEST['vMoney'])) # verify the parameters
{
    // corresponding transfer operation
}
?>


Malicious attackers observe the website's form and run the corresponding tests.

First they simply try http://www.game.com/Transfer.php?toUserId=20&vMoney=1000.

The change made by the game website has no preventive effect at all: the attack works exactly as before.

The website developers' mistake is that $_POST is not used to receive the data. Because $_REQUEST accepts data from both POST and GET, the vulnerability remains.

3.3 High-level CSRF attacks

This time the game website developers recognize the error once more and perform the next improvement: the data is received with $_POST.

Transfer.php

<?php
session_start();
if (isset($_POST['toUserId']) && isset($_POST['vMoney'])) # verify the parameters
{
    // corresponding transfer operation
}
?>


Can a malicious attacker still launch an attack at this point? Unfortunately, yes.

The attacker copies the game's virtual-coin transfer form exactly and embeds the copy in an iframe.

Nested page (the attacker-hosted page that the user opens in the new tab):

<!DOCTYPE html>


Form page: (xsrf.html)

<!DOCTYPE html>



When a client visits the attacker's web page, the forged form is submitted with the client's cookie and the attack succeeds.


CSRF attacks are possible because of the Web's implicit authentication mechanism. Although this mechanism can ensure that a request comes from a particular user's browser, it cannot guarantee that the request was sent with the user's approval.


4. CSRF defense method

Server-side defenses:

1. Use POST to receive important data. Of course, POST is not a panacea: as shown above, it can be bypassed by forging a form.

2. Require a verification code (CAPTCHA) for every data-changing interaction. This method can completely solve CSRF, but for the sake of user experience a website cannot attach a verification code to every operation, so it can only serve as an auxiliary measure, not the main solution.

3. Verify the HTTP Referer field, which records the source address of the HTTP request. Its most common application is image anti-leeching (hotlink protection). In PHP this can be done with Apache URL rewrite rules; see: http://www.cnblogs.com/phpstudy2015-6/p/6715892.html

4. Add a token to each form and verify it on the server.

(The token can be built from the cookie or the session. Of course, the token only addresses CSRF, so XSS must be solved separately; otherwise XSS could be used to steal the client's cookie.)
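Method 3 can also be implemented in the PHP script itself rather than in Apache rewrite rules. The following is an added example, not code from the original post: a hypothetical requestOriginAllowed() helper that checks the Origin header first (browsers attach it to cross-site POSTs and page scripts cannot set it) and falls back to Referer, run over constructed sample requests. www.game.com is the post's example host; TRUSTED_HOST and the sample headers are my own.

```php
<?php
// Added example for defense method 3; not code from the original post.
// Hypothetical helper; www.game.com is the page's example host, the sample
// requests below are constructed, not captured traffic.

const TRUSTED_HOST = 'www.game.com';

/**
 * True only if the request can be shown to come from our own site.
 * $headers: associative array of request headers, e.g. from getallheaders().
 */
function requestOriginAllowed(array $headers, string $trustedHost = TRUSTED_HOST): bool
{
    // Header names are case-insensitive, so normalise before lookup.
    $h = array_change_key_case($headers, CASE_LOWER);

    // Prefer Origin; fall back to Referer when Origin is absent.
    $source = $h['origin'] ?? $h['referer'] ?? null;
    if ($source === null) {
        // Neither header present (privacy settings, non-browser client): fail closed
        // for a state-changing request such as a transfer.
        return false;
    }

    $parts = parse_url($source);
    if ($parts === false || !isset($parts['host'])) {
        return false; // unparseable value or the literal "null" origin
    }

    // Compare the whole host name, never a prefix or substring:
    // "www.game.com.attacker.example" must not pass as "www.game.com".
    return strcasecmp($parts['host'], $trustedHost) === 0;
}

// Constructed sample requests (not captured traffic):
$samples = [
    'own form (Origin)'          => ['Host' => 'www.game.com', 'Origin' => 'http://www.game.com'],
    'own form (Referer only)'    => ['Host' => 'www.game.com', 'Referer' => 'http://www.game.com/transfer_form.php'],
    'cross-site form'            => ['Host' => 'www.game.com', 'Origin' => 'http://attacker.example'],
    'look-alike host in Referer' => ['Host' => 'www.game.com', 'Referer' => 'http://www.game.com.attacker.example/page.html'],
    'null origin'                => ['Host' => 'www.game.com', 'Origin' => 'null'],
    'no Origin/Referer'          => ['Host' => 'www.game.com'],
];

foreach ($samples as $label => $headers) {
    printf("%-28s %s\n", $label, requestOriginAllowed($headers) ? 'allowed' : 'rejected');
}

// In Transfer.php this check would sit before the transfer logic:
//   if (!requestOriginAllowed(getallheaders())) { http_response_code(403); exit; }
```

Because some browsers, proxies and privacy extensions strip Referer, failing closed can reject legitimate users; that is why the post treats the Referer check as a complement to the form token rather than a replacement.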

CSRF attacks succeed because the attacker can forge a user's request, and all of the user's authentication information in that request lives in the cookie, so the attacker passes authentication using the user's own cookie without ever knowing the credentials. The key to defending against CSRF is therefore information that the attacker cannot forge and that does not live in the cookie.

Given this, we generate a random key (token) for each form and add an interceptor on the server side that checks it. If a request carries no token, or the token is wrong, the request is rejected as a possible CSRF attack.

Because the token is random, unpredictable and invisible to the attacker's site, the attacker cannot forge the form to launch a CSRF attack.


1. Make sure that each form on the same page has its own unique token.

2. After verification, the corresponding random value must be deleted.

Construct Token.class.php:

<?php
class Token
{
    /**
     * @desc get a random value
     *
     * @return string random token string
     */
    private function getTokenValue()
    {
        // Note: uniqid()/rand() are not cryptographically strong; random_bytes() is preferable on PHP >= 7
        return md5(uniqid(rand(), true) . time());
    }

    /**
     * @desc obtain the key
     *
     * @param $tokenName string | name under which the value is saved in the session (identifier, must be unique)
     *
     * @return array the name/value pair stored in the session
     */
    public function getToken($tokenName)
    {
        $token['name'] = $tokenName; # First put $tokenName into the array
        if (session_status() !== PHP_SESSION_ACTIVE) { # avoid a notice when the caller already started the session
            session_start();
        }
        if (isset($_SESSION[$tokenName])) # Has a token already been stored under this name?
        { # Yes, return the stored key
            $token['value'] = $_SESSION[$tokenName];
            return $token;
        }
        else # No, generate the key and save it
        {
            $token['value'] = $this->getTokenValue();
            $_SESSION[$tokenName] = $token['value'];
            return $token;
        }
    }
}

# Test (remove this block before including the class from a form page, otherwise die; stops that page)
$csrf = new Token();
$name = 'form1';
$a = $csrf->getToken($name);
echo "<pre>";
print_r($a);
echo "</pre>";
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
die;
?>

Used in the form:


<?php
session_start();
include("Token.class.php");
$token = new Token();
$arr = $token->getToken('transfer'); # ensure uniqueness (identifier)
?>
<form method="POST" action="./transfer.php">
  <input type="text" name="toUserId">
  <input type="text" name="vMoney">
  <input type="hidden" name="<?php echo $arr['name']; ?>" value="<?php echo $arr['value']; ?>">
  <input type="submit" name="submit" value="Submit">
</form>





<?php
# transfer form verification
session_start();
if (isset($_POST['transfer'], $_SESSION['transfer']) && $_POST['transfer'] === $_SESSION['transfer']) # verify the key
{
    unset($_SESSION['transfer']); # delete the token once verified (rule 2 above)
    if (isset($_POST['toUserId']) && isset($_POST['vMoney'])) # verify the parameters
    {
        // corresponding transfer operation
    }
}
else
{
    return false;
}
?>


The overall flow is as follows:

1. The user visits a form page.

2. The server generates a token and stores it in the user's session or in a browser cookie. [XSS attacks are not considered here.]

3. The token is attached to the page's form as a parameter.

4. When the user submits the form, the server checks that the token in the form matches the token in the user's session (or cookie). If it matches, the request is legitimate; otherwise it is rejected as illegal.
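The four-step flow above, rewritten as an added example that is not the original post's Token class: issueCsrfToken(), verifyCsrfToken() and csrfHiddenField() are my own names, the token comes from random_bytes() instead of md5(uniqid(rand())), the comparison uses hash_equals(), and the stored token is removed as soon as it is checked (rule 2). The $session argument stands in for $_SESSION so the walk-through runs from the command line without a web server.

```php
<?php
// Added example, not the original post's Token class. Function names and the
// $session array parameter are my own; in transfer.php you would pass $_SESSION.

const CSRF_SESSION_KEY = 'csrf_tokens';

/** Step 2: create a fresh token for $formName and store it server-side. */
function issueCsrfToken(array &$session, string $formName): string
{
    // random_bytes() is a CSPRNG (PHP >= 7); md5(uniqid(rand())) is guessable.
    $token = bin2hex(random_bytes(32));
    // One slot per form name, so several forms on one page keep distinct tokens (rule 1).
    $session[CSRF_SESSION_KEY][$formName] = $token;
    return $token;
}

/** Step 4: verify and consume the token; true only for a legitimate request. */
function verifyCsrfToken(array &$session, string $formName, ?string $submitted): bool
{
    $expected = $session[CSRF_SESSION_KEY][$formName] ?? null;
    // Remove the stored token whatever the outcome, so it cannot be replayed (rule 2).
    unset($session[CSRF_SESSION_KEY][$formName]);
    if ($expected === null || $submitted === null) {
        return false; // no token was issued, or none was submitted
    }
    // Constant-time comparison; also rejects values of the wrong length.
    return hash_equals($expected, $submitted);
}

/** Step 3: render the hidden field; htmlspecialchars keeps the attribute well-formed. */
function csrfHiddenField(array &$session, string $formName): string
{
    $token = issueCsrfToken($session, $formName);
    return '<input type="hidden" name="' . htmlspecialchars($formName, ENT_QUOTES)
         . '" value="' . htmlspecialchars($token, ENT_QUOTES) . '">';
}

// Walk-through with a constructed in-memory session (stand-in for $_SESSION):
$session = [];

// Step 1-3: the form page renders the hidden field.
echo csrfHiddenField($session, 'transfer'), "\n";
$issued = $session[CSRF_SESSION_KEY]['transfer'];

// Legitimate submission: the browser posts back the value it was given.
$legit = verifyCsrfToken($session, 'transfer', $issued);

// Replay of the same value after it was consumed.
$replay = verifyCsrfToken($session, 'transfer', $issued);

// Forged cross-site form: the attacker's page cannot read the token, so it
// is missing or guessed; a fresh token is issued first to model a new page view.
issueCsrfToken($session, 'transfer');
$missing = verifyCsrfToken($session, 'transfer', null);
issueCsrfToken($session, 'transfer');
$guessed = verifyCsrfToken($session, 'transfer', str_repeat('0', 64));

printf("legitimate=%s replay=%s missing=%s guessed=%s\n",
    var_export($legit, true), var_export($replay, true),
    var_export($missing, true), var_export($guessed, true));

// Wiring into transfer.php, before the transfer operation:
//   session_start();
//   $posted = isset($_POST['transfer']) && is_string($_POST['transfer']) ? $_POST['transfer'] : null;
//   if (!verifyCsrfToken($_SESSION, 'transfer', $posted)) { http_response_code(403); exit('invalid token'); }
```

The is_string() guard in the wiring matters because a client can send transfer[]=x, which arrives as an array and would otherwise raise a TypeError instead of a clean rejection. As the post notes, this token lives in the session and is only as safe as the page itself: an XSS flaw on the form page could read the hidden field, so XSS still has to be fixed separately.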




(The above are some of my own opinions. If there are any shortcomings or errors, please point them out.)

Author: The leaf with the wind http://www.cnblogs.com/phpstudy2015-6/

Address: http://www.cnblogs.com/phpstudy2015-6/p/6771239.html

Disclaimer: This blog post is original and only represents the views or conclusions I had reached at a certain point in my work and study. When reprinting, please give a clear link to the original article on the reprinted page.

