Java uses JSP servlet to prevent CSRF attack implementation method

Source: Internet
Author: User
Tags csrf attack

Background:

1.CSRF knowledge

CSRF (Cross-site request forgery cross-site solicitation forgery, also known as "one click Attack" or session riding, usually abbreviated as CSRF or XSRF, is a malicious use of the site. Although it sounds like a cross-site script (XSS), it is very different from XSS and is almost at odds with the way it is attacked. XSS leverages trusted users within the site, while CSRF leverages trusted sites by disguising requests from trusted users. Compared to XSS attacks, csrf attacks are often less prevalent (and therefore have very few resources to protect against them) and are difficult to guard against, so they are considered more dangerous than XSS.

A common workaround:

Cookie Hashing: A random cookie is added to each form request and is at risk of being stolen due to an XSS vulnerability in the site.

HTTP Refer: You can route requests from the server to spoof them so that they look legitimate, and this method does not effectively prevent attacks.

CAPTCHA: A random verification code is used in each form submitted by the user, allowing the user to fill out a random string on the picture in a text box and detect it after the form is submitted.

Token Tocken: One-time tokens are destroyed after they have finished their work and are more secure.

2. Generate an encrypted random number in the JSP form and pass it to the Serlet for verification.

Here's how to fix it:

1. Generate a random number.

<%

SecureRandom random=securerandom.getinstance ("sha1prng");

Long Seq=random.nextlong (); String random= "" +SEQ; Session.setattribute ("Random_session", random);

%>

2. Pass comparison values using hidden fields.

<input type= "hidden" name= "Random_form" value=<%=random%>></input>

3. The servlet controller gets the parameter comparison.

   String random_form=request.getparameter ("Random_form");   String random_session= (String) request.getsession (). getattribute ("random_session");   Out.println ("Random_form:" +random_form);   Out.println ("random_session:" +random_session);   if (random_form!=null&&random_session!=null&&random_form.equalsignorecase ( random_session)) {//Business}         

Summary:

1. Use Java code in JSP, use <%=%> form, error using ' ${} '.

2. Hidden areas Use simplified form <input type= "hidden" name= "Random_form" value=<%=random%>/>will parse/treat as String parsing instead of terminator.

3. Log or print out the values of random_form,random_session , to prevent the failure to debug the situation.

4. Use Session.setattribute () to set the value in the JSP, using request.getsession (). getattribute ( ) is the most insured of the servlet.

5. The hidden area must be in front of the submit button, otherwise the value of the hidden area will not be read.

6. See my first two articles.

Http://www.cnblogs.com/davidwang456/p/3579339.html Use filter to do

http://www.cnblogs.com/davidwang456/p/3579444.html use tag or spring security to do what is included.

Java uses JSP servlet to prevent the implementation of CSRF attacks

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.