What is a csrf attack?

Source: Internet
Author: User
Tags: csrf attack

CSRF (Cross-Site Request Forgery) literally means cross-site request forgery, and the name is usually applied to a class of web site vulnerabilities: a malicious web page prompts the visitor's browser to send a request to a URL on your website (usually by POSTing data), and that request changes data on the server. This type of attack relies on the forms on your web pages; a form without protection is vulnerable. A visitor to your website may be made to:

* Be logged out of a site (for example, Slashdot);
* Have their settings on a site changed (for example, Google);
* Have their hardware firewall reconfigured;
* Have comments or messages posted on your website under their own login;
* Have anonymous messages sent from their IP address;
* Have funds transferred to another user's account.

CSRF attacks are typical for websites that use cookies to record login state, but they also work against pages that grant access based on the client's IP address (an intranet, for example).

CSRF attacks usually use JavaScript (though they are not limited to JavaScript) to submit the form automatically across sites; the form fields can be hidden, and the submit button can be disguised as a link or a scroll bar.

How to Prevent CSRF Vulnerabilities

* Make sure that the CGI scripts which accept data that changes server state accept only POST parameters and not GET parameters. By default, some server-side languages accept parameters submitted either way;
* Make sure that the form being submitted is one your own site produced. You can use a hidden field to store an MD5 string computed over the login cookie data and a key stored on the server; the form data is accepted only when the MD5 string is correct;
* A stricter variant: add a hidden timestamp field to the form and include it in the hash string. If the timestamp is older than a certain time, the form has expired. When a form expires, give the user a way to resubmit it, for example by re-rendering the form with the data they had already filled in but with a new hash string.
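The three measures above, worked through as server-side code. This is an added example and not code from the original page: it follows the page's scheme (POST-only handlers, a hidden token bound to the login cookie and a server key, a timestamp with expiry and a resubmission path), but uses HMAC-SHA256 keyed with the server key in place of the page's plain MD5 over cookie plus key, since a keyed MAC is the standard construction for this purpose. `SERVER_KEY`, `FORM_MAX_AGE`, the field names `csrf_token` / `csrf_ts` and the handler `handle_submit` are all hypothetical names chosen for the example; the cookie value and form data are constructed.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple

# Hypothetical server-side key (constructed for this example). In a real deployment it
# comes from configuration, is long and random, and never appears in source control.
SERVER_KEY = b"example-only-server-key"

# Lifetime of a form token in seconds; after this the form is treated as expired.
FORM_MAX_AGE = 15 * 60


def make_form_token(login_cookie: str, issued_at: Optional[int] = None) -> Tuple[str, int]:
    """Build the hidden-field token for a form rendered to a logged-in user.

    The token is an HMAC-SHA256 over the user's login cookie and the issue time,
    keyed with the server key. A page on another site knows neither the cookie
    value nor the key, so it cannot produce a token the server will accept.
    """
    if issued_at is None:
        issued_at = int(time.time())
    message = f"{login_cookie}|{issued_at}".encode()
    token = hmac.new(SERVER_KEY, message, hashlib.sha256).hexdigest()
    return token, issued_at


def check_form(method: str, login_cookie: str, form: Dict[str, str],
               now: Optional[int] = None) -> str:
    """Validate a submitted form; returns 'ok' or the reason for rejection."""
    # State-changing handlers accept POST only, never GET query parameters.
    if method.upper() != "POST":
        return "bad_method"
    token = form.get("csrf_token", "")
    issued_str = form.get("csrf_ts", "")
    if not token or not issued_str.isdigit():
        return "missing"
    issued_at = int(issued_str)
    expected, _ = make_form_token(login_cookie, issued_at)
    # Constant-time comparison so the check does not leak how much of the token matched.
    if not hmac.compare_digest(expected, token):
        return "invalid"
    now = int(time.time()) if now is None else now
    if issued_at > now or now - issued_at > FORM_MAX_AGE:
        return "expired"
    return "ok"


def handle_submit(method: str, login_cookie: str, form: Dict[str, str],
                  now: Optional[int] = None) -> Dict[str, object]:
    """Hypothetical request handler showing the outcomes the text describes."""
    status = check_form(method, login_cookie, form, now)
    user_fields = {k: v for k, v in form.items() if not k.startswith("csrf_")}
    if status == "ok":
        return {"status": "accepted", "data": user_fields}
    if status == "expired":
        # Authentic but stale: re-render the form with the user's data and a fresh token.
        token, issued_at = make_form_token(login_cookie, now)
        return {"status": "resubmit", "prefill": user_fields,
                "csrf_token": token, "csrf_ts": str(issued_at)}
    return {"status": "rejected", "reason": status}


if __name__ == "__main__":
    cookie = "session=constructed-cookie-value"
    token, ts = make_form_token(cookie)
    form = {"csrf_token": token, "csrf_ts": str(ts), "amount": "10"}
    print(check_form("POST", cookie, form))  # prints "ok"
```

Because the token is derived from the login cookie, it is only valid for the session that rendered the form; a forged request from another origin would need both the victim's cookie value and the server key. The expiry check runs after the MAC check so that only authentic forms are offered the resubmission path.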
