Home > Others

CSRF Utilization and defense

Source: Internet
Author: User
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Protection against CSRF: critical operation only accepts POST request verification code verification

If a verification code is used, then each operation requires the user to interact, so it is not as useful as token.

But if you make any move on a website, entering a verification code can seriously affect the user experience, so the captcha usually appears only in sensitive operations , or when it is registered.

Detection refer

There is a connection between the common Internet page and the page, For example, you in www.baidu.com should be unable to find the link to www.google.com, such as you in the forum message, then no matter where you redirect after the message, the previous URL will contain the message input box, the previous URL will remain in the new page header file Referer

By checking the value of the referer, we can determine whether the request is legitimate or illegal, but the problem is that the server is not always able to accept the value of Referer, so refere check is typically used to monitor the occurrence of CSRF attacks, rather than defending against attacks.

Token

The current mainstream approach is to use tokens to defend against CSRF attacks. The following analysis CSRF attack to understand why token can effectively

The condition for the CSRF attack to succeed is that the attacker is able to predict all parameters to construct a legitimate request. So, based on the principle of unpredictability, we can encrypt the parameters to prevent CSRF attacks.

Another more general practice is to keep the original parameter unchanged, add a parameter token, and its value is random. This way the attacker could not construct a legitimate request for an attack because he did not know the token.

Token usage Principles

Token to be enough random ———— only This is unpredictable token is a one-time, that is, every request to update token ———— This can increase the difficulty of the attack, increase the difficulty token to pay attention to confidentiality ———— sensitive operation using post, Prevent tokens from appearing in URLs

CSRF Utilization and defense

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More