The CSRF Attack of web security

Source: Internet
Author: User
Tags: csrf attack

What is CSRF?

CSRF (Cross-Site Request Forgery, in Chinese 跨站请求伪造) is an attack in which, after the user has logged in to a target site, the attacker lures the user into visiting an attacker-controlled page. That page issues a forged request to the target site in the user's name; because the target site trusts the user's browser, the request is executed as if the user had made it, which is what the attacker wants.

As an example,

Simple version:

Suppose cnblogs (博客园) exposes its "add follow" action over a GET interface, where the blogUserGuid parameter is plainly the ID of the person to be followed, as follows:

http://www.cnblogs.com/mvc/Follow/FollowBlogger.aspx?blogUserGuid=4e8c33d0-77fe-df11-ac81-842b2b196315

Then all I need to do is put an IMG tag whose src is that URL into the body of one of my blog posts.

Whoever opens that post while logged in to cnblogs will then follow me automatically: the browser fetches the image URL and sends the user's cookies along with it.

The root cause of CSRF attacks

The root cause of CSRF is the Web's implicit authentication mechanism. The browser attaches the user's credentials (such as session cookies) to every request it sends to a site, so the site's authentication can guarantee that a request came from a given user's browser, but not that the user intended to send it. CSRF is therefore generally addressed on the server side.

CSRF defense methods

1. Prefer POST and restrict GET

GET interfaces are far too easy to turn into CSRF attacks: as the first example shows, all it takes is an IMG tag, and IMG tags are content that cannot simply be filtered out. State-changing interfaces should be limited to POST, with GET rejected, which reduces the risk of attack.

Of course POST is not foolproof either: an attacker can still construct a form that submits to the interface, but that form has to live on a third-party page, which makes the attack more likely to be exposed.

2. Browser cookie policy

IE6, 7, 8 and Safari block third-party cookies by default, whereas Firefox 2, 3, Opera, Chrome, Android and others do not. Relying on the browser's cookie policy to defend against CSRF is therefore not reliable; at best it reduces the risk.

PS: cookies come in two kinds: session cookies, which are kept in memory and expire when the browser is closed, and third-party (local) cookies, which are stored on disk and expire only after their expiry time.

PS: In addition, if the site's HTTP response carries a P3P header, the browser will allow third-party cookies to be sent.

3. Add a verification code (CAPTCHA)

A CAPTCHA forces the user to interact with the application before the final request can complete, which in general is a good deterrent to CSRF. For user-experience reasons, however, a site cannot put a CAPTCHA on every operation, so it can only serve as an auxiliary measure and not as the main solution.

4. Referer check

The most common use of the Referer check on the Web is preventing image hotlinking. In the same way, the Referer can be checked to decide whether a request comes from a legitimate source (whether its value is a specified page, or lies within the site's own domain); if it does not, the request is very likely a CSRF attack.

Because the server cannot always obtain the Referer, however, this cannot be the main means of CSRF defense. It is nonetheless a practical way to monitor for CSRF attacks.
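The following is an added example, not code from the original post, of the Referer check used the way the text recommends: as a monitoring signal rather than the sole defense. The trusted host list, the `/follow` path and the sample requests are constructed for the example. A request with no Referer is reported as unknown and logged rather than blocked, because the server cannot count on receiving the header; a Referer from a foreign host is reported as a likely CSRF attempt.

```python
from urllib.parse import urlsplit

# Hosts that may legitimately originate requests to this site. Constructed
# for the example; a real deployment lists its own domain(s).
ALLOWED_HOSTS = {"www.example.com", "example.com"}


def referer_check(headers):
    """Classify one request by its Referer header.

    Returns (verdict, reason):
      "allow"   - Referer present and its host is one of ours
      "deny"    - Referer present but points at a foreign host (likely CSRF)
      "unknown" - Referer absent or unparsable; the server cannot always count
                  on receiving it, so this is logged rather than treated as an
                  attack
    """
    # Header names are case-insensitive; normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    referer = lowered.get("referer")
    if not referer:
        return "unknown", "no Referer header"
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    if parts.scheme not in ("http", "https") or not host:
        return "unknown", "unparsable Referer: %r" % referer
    # Exact host match: a prefix or substring test would wrongly accept
    # www.example.com.attacker.test or attacker.test/www.example.com.
    if host in ALLOWED_HOSTS:
        return "allow", "Referer host %s is trusted" % host
    return "deny", "Referer host %s is foreign" % host


def monitor(requests):
    """Run the check over a batch of requests and collect the log lines a
    monitoring job would emit for anything other than a clean 'allow'."""
    findings = []
    for req in requests:
        verdict, reason = referer_check(req["headers"])
        if verdict != "allow":
            findings.append("%s %s %s: %s" % (verdict.upper(), req["method"], req["path"], reason))
    return findings


# Constructed sample traffic to a state-changing endpoint.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/follow", "headers": {"Referer": "https://www.example.com/blog/123"}},
    {"method": "POST", "path": "/follow", "headers": {"Referer": "http://attacker.test/post.html"}},
    {"method": "POST", "path": "/follow", "headers": {"Referer": "https://www.example.com.attacker.test/"}},
    {"method": "POST", "path": "/follow", "headers": {}},
]

if __name__ == "__main__":
    for line in monitor(SAMPLE_REQUESTS):
        print(line)
```

The host comparison is an exact match against the allow list; a `startswith` or substring test would let a look-alike domain such as `www.example.com.attacker.test` through.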

5. Anti-CSRF token

The industry's consistent practice for defending against CSRF today is to use a token (anti-CSRF token).

Example:

1. The user visits a form page.

2. The server generates a token and stores it in the user's session or in a browser cookie.

3. The token is included as a parameter in the page's form.

4. When the user submits the form, the server checks that the token in the form matches the token in the user's session (or cookie): if it matches, the request is legitimate; otherwise it is rejected as illegitimate.

The token's value must be random and unpredictable. With the token in place, an attacker can no longer construct a request carrying a legitimate token, and so cannot carry out a CSRF attack. The token must also be kept confidential: as far as possible, move sensitive operations from GET to POST, submitted via a form or Ajax, to avoid leaking the token (a token in a GET URL ends up in browser history, server logs and the Referer header).
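Below is an added example, not code from the original post, that walks through the four steps above with a server-side session represented as a dictionary. The `/follow` action, the `csrf_token` field name and the session contents are constructed for the example. The token comes from the OS CSPRNG so it is random and unpredictable, it is embedded in the form as a hidden field, and verification requires POST and a constant-time match against the session's copy, so a request from an attacker's page, which has no way to read the victim's token, fails.

```python
import hmac
import html
import secrets

SESSION_KEY = "csrf_token"   # where the token lives in the server-side session


def issue_token(session):
    """Step 2: create the per-session token (or reuse the existing one).

    secrets.token_urlsafe draws 32 bytes from the OS CSPRNG, so the value is
    random and unpredictable, which is the property the text demands."""
    token = session.get(SESSION_KEY)
    if token is None:
        token = secrets.token_urlsafe(32)
        session[SESSION_KEY] = token
    return token


def render_form(session, action):
    """Step 3: embed the token as a hidden field in the form. Submitting via
    POST keeps the token out of the URL, browser history and Referer."""
    token = issue_token(session)
    return (
        '<form method="post" action="%s">' % html.escape(action, quote=True)
        + '<input type="hidden" name="csrf_token" value="%s">' % html.escape(token, quote=True)
        + '<button type="submit">Follow</button></form>'
    )


def verify_request(session, method, form):
    """Step 4: accept the request only if it is a POST carrying a token that
    matches the one stored in this user's session."""
    if method.upper() != "POST":
        return False, "state-changing action must use POST"
    expected = session.get(SESSION_KEY)
    submitted = form.get("csrf_token")
    if not expected or not submitted:
        return False, "missing token"
    # Constant-time comparison so response timing does not leak the token.
    if not hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8")):
        return False, "token mismatch"
    return True, "ok"


def simulate():
    """Walk the four steps: a legitimate submission, then the requests an
    attacker's page can produce (no token, or a token from their own session)."""
    victim_session = {"user": "victim"}             # constructed server-side session
    page = render_form(victim_session, "/follow")    # steps 1-3
    token = victim_session[SESSION_KEY]

    legit = verify_request(victim_session, "POST", {"csrf_token": token, "blogUserGuid": "x"})
    forged_get = verify_request(victim_session, "GET", {"blogUserGuid": "x"})
    forged_post = verify_request(victim_session, "POST", {"blogUserGuid": "x"})
    # An attacker can obtain a token for their own session, but it is not the victim's.
    attacker_session = {"user": "attacker"}
    attacker_token = issue_token(attacker_session)
    replayed = verify_request(victim_session, "POST", {"csrf_token": attacker_token})
    return {
        "form_has_token": token in page,
        "legit": legit,
        "forged_get": forged_get,
        "forged_post": forged_post,
        "replayed": replayed,
    }


if __name__ == "__main__":
    for name, result in simulate().items():
        print(name, result)
```

Storing the token in the server-side session, as here, means the check compares the submitted value against state the attacker's page cannot read; if the token is instead kept in a cookie, the same comparison works as long as the cookie is not readable by other origins.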

Summary

CSRF is an attack that lets an attacker act on the user's account. The usual defense is an anti-CSRF token, with attention paid to keeping the token confidential and random.

Original link:

1. http://www.cnblogs.com/lovesong/p/5233195.html
