Java uses JSP servlet to prevent CSRF attack implementation method

Background:

1.CSRF knowledge

CSRF (Cross-site request forgery cross-site solicitation forgery, also known as "one click Attack" or session riding, usually abbreviated as CSRF or XSRF, is a malicious use of the site. Although it sounds like a cross-site script (XSS), it is very different from XSS and is almost at odds with the way it is attacked. XSS leverages trusted users within the site, while CSRF leverages trusted sites by disguising requests from trusted users. Compared to XSS attacks, csrf attacks are often less prevalent (and therefore have very few resources to protect against them) and are difficult to guard against, so they are considered more dangerous than XSS.

A common workaround:

Cookie Hashing: A random cookie is added to each form request and is at risk of being stolen due to an XSS vulnerability in the site.

HTTP Refer: You can route requests from the server to spoof them so that they look legitimate, and this method does not effectively prevent attacks.

CAPTCHA: A random verification code is used in each form submitted by the user, allowing the user to fill out a random string on the picture in a text box and detect it after the form is submitted.

Token Tocken: One-time tokens are destroyed after they have finished their work and are more secure.

2. Generate an encrypted random number in the JSP form and pass it to the Serlet for verification.

Here's how to fix it:

1. Generate a random number.

<%

SecureRandom random=securerandom.getinstance ("sha1prng");

Long Seq=random.nextlong (); String random= "" +SEQ; Session.setattribute ("Random_session", random);

%>

2. Pass comparison values using hidden fields.

<input type= "hidden" name= "Random_form" value=<%=random%>></input>

3. The servlet controller gets the parameter comparison.

   String random_form=request.getparameter ("Random_form");   String random_session= (String) request.getsession (). getattribute ("random_session");   Out.println ("Random_form:" +random_form);   Out.println ("random_session:" +random_session);   if (random_form!=null&&random_session!=null&&random_form.equalsignorecase ( random_session)) {//Business}         

Summary:

1. Use Java code in JSP, use <%=%> form, error using ' ${} '.

2. Hidden areas Use simplified form <input type= "hidden" name= "Random_form" value=<%=random%>/>will parse/treat as String parsing instead of terminator.

3. Log or print out the values of random_form,random_session , to prevent the failure to debug the situation.

4. Use Session.setattribute () to set the value in the JSP, using request.getsession (). getattribute ( ) is the most insured of the servlet.

5. The hidden area must be in front of the submit button, otherwise the value of the hidden area will not be read.

6. See my first two articles.

Http://www.cnblogs.com/davidwang456/p/3579339.html Use filter to do

http://www.cnblogs.com/davidwang456/p/3579444.html use tag or spring security to do what is included.

Java uses JSP servlet to prevent the implementation of CSRF attacks