Help you: how to avoid CSRF attacks

We reported yesterday that Princeton University researchers said they found that many of the world's famous sites contain CSRF attack vulnerabilities, and even ING is no exception, in the most serious case, attackers can leave the victim's account empty. CSRF is an attack that spoofs client requests. CSRF stands for Cross Site Request Forgery, meaning Cross-Site Request Forgery.

 

The above text may not elaborate on the CSRF attack method. For example, if you log on to the credit card website first, your authentication information is recorded on the website, for example, you can use cookies or other methods. Then, you can access the website that looks like a YouTube website, which has been processed by hackers. Although it is a YouTube website, it is also normal for you to feel that YouTube may even have a normal video, but this webpage (such as through flash, video, or script) the hacker may send an email with your credit card website authentication information to the hacker's mailbox. In this way, the hacker obtains your authentication information and can take over your account.

CSRF is a type of vulnerability that is hard to prevent. According to my understanding, there is no good method to monitor CSRF. Some feasible preventive methods:

Do not use online banking. Since I don't need online banking, hackers will naturally find it hard for me to be helpless. (Just a joke :))
Change the password periodically. Regular password modification is always the most recommended method in security science.
After accessing sensitive websites (such as credit cards and online banking), you can actively clear historical records, cookie records, form records, and password records, and restart your browser to access other websites.
Keep the browser updated, especially the security patch. At the same time, pay attention to the updates of operating systems, anti-virus, firewall and other software.
Do not use websites with unknown origins. We recommend that you use the site authentication function of ms ie7 or google toolbar to identify illegal websites.
Use some browsers with the "Privacy Browser" function, such as Safari. The "private browsing" function allows users to surf the Internet without leaving any trace, and the browser does not store cookies and any other information. Therefore, CSRF cannot obtain useful information.
Ie8 calls it "InPrivate browsing ". Chrome is called "Incognito mode ".
If the browser prompts a warning message "the link and certificate domain name do not match", do not continue browsing, immediately close the browser or return to the previous page (if you are a web developer or hacker, when I do not say ).
Manage the cookies of the browser. For example, in IE6.0, open the "tools-> Internet Options-> privacy" dialog box, the following six levels are set: "block all cookies", "high", "medium", "medium", "low", and "accept all cookies, you only need to drag the slider to easily set the URL. Click the "edit" button at the bottom and enter a specific URL in "website address, you can set it to allow or deny them from using cookies.
Disable or restrict the use of Java programs and ActiveX Controls (may cause access errors on some normal sites ).
Regularly Clear history records by finding buttons such as "clear form" and "Clear password" in the options of the browser, and clicking regularly. We recommend that you clear history records once a week.

In fact, these tricks are not mysterious at all. They are mainly used to improve their security awareness and hide sensitive information to prevent hackers from accessing them.