Overview
CSRF is short for cross-site request forgery. Below we cover the principles of this attack, how it is carried out, and how to defend against it.
Principles of CSRF attacks
The attacker deploys attack code and related data on a malicious website and then lures authorized users of the target website into visiting it. Because the browser already holds the user's authorization ticket for the target website, the malicious website can run its pre-deployed code to submit data to the target website and make it perform write operations, for example deleting data on the target website or submitting junk data to it. The whole process runs silently in the background, and the user has no idea it is happening.
Here is an example:
Suppose www.t.com is the target website, and the page www.t.com/blog/delete.aspx?Id=123 performs the operation of deleting the blog post whose ID is 123.
Attackers can then deploy the following code on the page www.a.com/csrfpage.aspx of the malicious website:
<form id="csrffrm" action="http://www.t.com/blog/delete.aspx" target="hideiframe">
  <input name="ID" type="hidden" value="123"/>
</form>
<iframe name="hideiframe" style="display: none"></iframe>
<script>
  document.getElementById("csrffrm").submit();
</script>
Attackers can then use various methods to attract users who have successfully logged on to www.t.com and click
CSRF attack conditions
From the principle above, we can see that the following conditions must be met to carry out a CSRF attack:
1. The attacker needs to know the directory structure of the target system and the relevant parameter names. This condition is not hard to meet: the attacker can probe the system directories with a "system directory rainbow table", or the attacker may also be one of the users of the target system, which makes the system even easier to understand;
2. There must be a website that executes the malicious code. It may be a website the attacker deployed in advance, or a website whose XSS vulnerability the attacker has exploited;
3. A user of the target system must be logged on with valid operation permissions, and at the same time must be tempted into visiting the malicious website.
A CSRF attack must meet all three conditions. Because these conditions are not so easily met, the attack is easily ignored by developers.
Protection policy for CSRF attacks
1. Use a verification code
I remember that on the previous 12306 website, I had to enter a disgusting verification code every time I checked tickets. The purpose of this verification code was to prevent machines from refreshing tickets. Of course, it can also effectively prevent CSRF attacks. However, if every operation requires the user to enter a verification code, the user may lose patience, and the user experience is very poor.
2. Check the Referer (source)
Besides the verification code, you can also check whether the Referer is from the same origin. If it is, the operation is considered credible. This method is usually used to prevent image leeching. However, the Referer is sometimes not reliable, and the server cannot always count on it. For example, if the user enables the browser's privacy settings, the browser may not send the Referer and the server cannot obtain the value, so this method is not rigorous.
3. Use a token (random token)
The server generates a random token and saves it. The token can be saved in the server-side session, in a client cookie, or in the page view state. Because of the browser's same-origin policy, the malicious website cannot read the cookie or the page view state of the target website. The random token is submitted along with the form, and the server verifies that it is valid.
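The token check described above, as an added example that is not part of the original article. It shows the variant that stores the token in the server-side session; the in-memory session store, the function names and the csrf_token field name are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> per-session data.
SESSIONS = {}

def login(user):
    """Create a session and its random anti-CSRF token (hypothetical helper)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_delete_form(sid, post_id):
    """Embed the session's token as a hidden field in the form the site serves."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/blog/delete.aspx">'
        f'<input type="hidden" name="ID" value="{int(post_id)}"/>'
        f'<input type="hidden" name="csrf_token" value="{token}"/>'
        '</form>'
    )

def handle_delete(cookies, form):
    """Return (status, message) for a delete request."""
    session = SESSIONS.get(cookies.get("sid", ""))
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison of the submitted token with the saved one.
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "CSRF token missing or invalid"
    return 200, f"post {int(form['ID'])} deleted for {session['user']}"

def demo():
    sid = login("alice")
    cookies = {"sid": sid}  # the browser attaches this to every request to the site
    # Request forged from another origin: the cookie is sent, the token is unknown.
    forged = handle_delete(cookies, {"ID": "123"})
    # Request from the site's own form: the token comes from the served page.
    token = SESSIONS[sid]["csrf_token"]
    genuine = handle_delete(cookies, {"ID": "123", "csrf_token": token})
    return forged, genuine

if __name__ == "__main__":
    print(demo())
```

The forged request carries a valid session cookie and is still rejected with 403, because the cookie alone no longer authorizes the write operation.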