Flask uses token to defend against csrf cross-site attacks

Flask uses token to defend against csrf cross-site attacks

As a pytoner engineer, you often need to write web files. Then you are at risk of being attacked. For example, for Csrf attacks, I will not describe csrf in detail here. I think you should also know it. Flask itself provides plug-ins, and some communities also provide some protection on csrf over simple tokens.

In the figure, Browse is A browser, WebServerA is A trusted website/attacked website A, and WebServerB is A malicious website/attacked website B.
(1) At the beginning, the user opens the browser, accesses trusted website A, and enters the user name and password to log on to website.
(2) website A verifies user information. After user information is verified, website A generates Cookie information and returns it to the browser.
(3) After successfully logging on to website A, the user can request website A normally.
(4) Before you exit website A, open a tab in the same browser to access website B.
(5) website B returns some aggressive code after seeing someone.
(6) The browser prompts the user to carry Cookie (including sessionId) information and request website A without knowing it. Such requests may update passwords and add users.

From the above CSRF attack principle, we can see that to complete a CSRF attack, the attacker needs to complete two steps:

1. log on to trusted website A and generate a cookie locally.

2. Access dangerous website B without logging out of account.

Here, you may say, "If I do not meet one of the above two conditions, I will not be attacked by CSRF ". Yes, but you cannot guarantee that the following situations will not happen:

1. You cannot guarantee that you will not open a tab page and access another website after logging on to a website.

2. You cannot guarantee that your local Cookie will expire immediately after your browser is closed, and your last session has ended. (In fact, closing the browser cannot end a session, but most people mistakenly think that closing the browser is equivalent to quitting the login/end session ......)

3. The so-called attack website in may be a trusted and frequently accessed website with other vulnerabilities.

Currently, common csrf defense methods include adding random token strings to a form, and adding a refer Source Judgment to a token, another method is the XMLHttpRequest request. You do not need to add a header to the form. However, the problem arises. If your website used to dynamically load data frequently, that is, ajax loading, so it is easy to use XMLHttpRequest to add the previous respone returned token in the Request body. There are also some super-stupid methods, that is, adding a verification code, I believe that this method is not available in every form on a website. This will make people crazy.

Some friends have used Django and tornado. They can simply enable csrf defense. The implementation method is similar. The difference lies in the degree of encapsulation. Adding csrf later will not change much for the project... ...

Body:

Python

 @app.before_requestdef csrf_protect():    if request.method == "POST":        token = session.pop('_csrf_token', None)        if not token or token != request.form.get('_csrf_token'):            abort(403) def generate_csrf_token():    if '_csrf_token' not in session:        session['_csrf_token'] = some_random_string()    return session['_csrf_token']

Register the above function that generates random tokens in the global variables of flask.

Python

app.jinja_env.globals['csrf_token'] = generate_csrf_token

This is how the webpage template is introduced ~

Python

<form method=post action="">    <input name=_csrf_token type=hidden value="{{ csrf_token() }}">