Methods to prevent malicious data from being repeatedly submitted

Source: Internet
Author: User

In a real production project, this situation must be considered. For example, a malicious user registering accounts can tap the submit button on the app side about ten times within a single second.


Based on the solutions posted online, the following methods can be summarized:

1. Disable the button against repeated clicks

When the user clicks the data submit button, JavaScript sets the button's Disabled property. This stops impatient users who do not understand JS from clicking multiple times. The problem is that a user can disable JS in the browser settings or modify the JS code through the debug console, and then this method is useless. It is a usability measure, not a security control.


2. Store a form token in the session

Before the form is presented to the user, the server generates a token for that form and stores it in the session. When the user submits the form data, the server checks the token: if it exists and matches, the form data is processed normally and the token is then deleted (or a new token is generated); if it does not exist or does not match, the form data has either already been submitted or is illegitimate (possibly tampered with), and the submission is ignored.

This approach greatly improves the safety of data submission, and a keyed variant of it also provides a good level of XSRF protection (XSRF attacks are described below).


3. Adding constraints to the database

Add a unique constraint to the table, or create a unique index, so that duplicate rows cannot appear at all. This is the most effective way to prevent duplicate submissions, because it is enforced by the database regardless of what the client does.


In summary: combining methods 2 and 3 makes data submission considerably safer. The following section describes XSRF attacks on the web.
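As an added example (not code from the original article), the following Python combines method 2 (a one-time form token kept in the session, deleted once used) with method 3 (a UNIQUE constraint in the database). The session dictionary, the in-memory SQLite table and the status strings are constructed for this illustration.

```python
import hmac
import secrets
import sqlite3


def render_form(session):
    """Method 2, step 1: generate a one-time token when the form is drawn and keep it in the session."""
    token = secrets.token_urlsafe(32)
    session["form_token"] = token
    return token  # the real app would emit this as a hidden field in the HTML form


def consume_form_token(session, submitted):
    """Method 2, step 2: accept the token only once, then delete it so a replay is rejected."""
    expected = session.get("form_token")
    if expected is None or submitted is None:
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False
    del session["form_token"]  # token is single-use; a second submit with it fails above
    return True


def open_db():
    """Method 3: a UNIQUE constraint so the database itself refuses duplicate registrations."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT NOT NULL UNIQUE)")
    return db


def register(db, session, submitted_token, username):
    """Handle one registration submit; returns a status string (constructed for this example)."""
    if not consume_form_token(session, submitted_token):
        return "rejected: stale or missing form token"
    try:
        with db:  # commits on success, rolls back on the IntegrityError
            db.execute("INSERT INTO users (username) VALUES (?)", (username,))
    except sqlite3.IntegrityError:
        return "rejected: username already exists"
    return "ok"


def simulate_double_submit():
    """Ten taps in a second: the first goes through, a replay fails on the token, a fresh form fails on the constraint."""
    db = open_db()
    session = {}  # stands in for the server-side session store
    token = render_form(session)
    first = register(db, session, token, "alice")
    replay = register(db, session, token, "alice")  # same token sent again
    fresh = register(db, session, render_form(session), "alice")  # new token, duplicate data
    return first, replay, fresh
```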

XSRF stands for Cross-site request forgery, also written CSRF, and is a common form of web attack.

The attack proceeds as follows:

1. The user logs in to and uses a normal site, http://www.biz.com;

2. In the same browser instance, the user opens the malicious website http://www.bad.com (as to how the user ends up there, the malicious site may lure the user into clicking a link through advertisements, spam or similar means);

3. The malicious website's page contains the following code:

<form method="POST" name="evilform" target="hiddenframe"
      action="https://www.biz.com/update_profile">
<input type="hidden" name="password" value="heihei">
</form>
<iframe name="hiddenframe" style="display:none">
</iframe>
<script>
    document.evilform.submit();
</script>

You can guess what happens next: without the user noticing anything, the password has been changed. All the malicious site needs to know is the URL of the password-change operation on https://www.biz.com/ and the name of the password parameter; the browser attaches the user's session cookie to the cross-site request automatically.

There are many ways to defend against an XSRF attack. In the example above, requiring the old password before changing it would effectively block the attack. However, XSRF is a ubiquitous problem, and not every operation can reasonably ask the user to re-enter a pile of information; users would give up.

A more reliable and general solution is as follows:

For important operations that change system data (such as submitting an order, changing a password, or deleting something), add an action token that is verified on the server. The action token is generated by the application in advance, for example when the form is rendered, and placed in the form as a hidden field.

Some care is needed in generating the action token so that an attacker cannot simply fabricate one and pass the check. A reliable generation algorithm is as follows:

Action token = F(K, C), where K is a key known only to the application server, and C is the identifier of the current session, such as the JSESSIONID.

When the application receives a request, it first verifies that the action token is legitimate: it takes the JSESSIONID from the request (the C above), computes F(K, C), and if the result equals the action token value submitted with the form, the request is allowed through.

This scheme defends effectively against XSRF attacks, because the malicious website knows neither K nor C and therefore cannot forge the action token.
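As an added example (not code from the original article), here is the F(K, C) scheme with F instantiated as HMAC-SHA256 and verification done with a constant-time comparison. The server key, the JSESSIONID value and the request dictionaries are constructed placeholders.

```python
import hashlib
import hmac

# K: known only to the application server (constructed placeholder; load a real one from a secret store)
SERVER_KEY = b"replace-with-a-long-random-secret-known-only-to-the-server"


def action_token(session_id, key=SERVER_KEY):
    """F(K, C): keyed hash of the session identifier C under the server key K."""
    return hmac.new(key, session_id.encode(), hashlib.sha256).hexdigest()


def verify_action(request_cookies, form_fields, key=SERVER_KEY):
    """Recompute F(K, C) from the session cookie on the request and compare with the hidden field."""
    session_id = request_cookies.get("JSESSIONID")
    submitted = form_fields.get("action_token")
    if not session_id or not submitted:
        return False  # no session or no token: refuse the state-changing operation
    expected = action_token(session_id, key)
    # constant-time comparison so the check does not leak which prefix matched
    return hmac.compare_digest(expected.encode(), submitted.encode())


def demo():
    """Legitimate form passes; the cross-site form from the article and a guessed-key token both fail."""
    sid = "A1B2C3D4E5F6"  # constructed JSESSIONID value
    cookies = {"JSESSIONID": sid}  # the browser sends this cookie to www.biz.com on every request
    legitimate = {"password": "new-secret", "action_token": action_token(sid)}
    cross_site = {"password": "heihei"}  # the evilform above carries no token at all
    wrong_key = {"password": "heihei", "action_token": action_token(sid, b"wrong-key")}
    return (
        verify_action(cookies, legitimate),
        verify_action(cookies, cross_site),
        verify_action(cookies, wrong_key),
    )
```

The token is bound to C, so a token captured from one session is also useless in another session, which the last assertion of the check below exercises.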

But if your site is vulnerable to XSS, none of this helps: an attacker can easily steal the session cookie and then act directly as the user.
