The CSRF Attack of web security

CSRF (Cross site request forgery), Chinese is the meaning of request forgery across sites. Simply put, it is the site A to the user to establish a trust relationship, on the site B on the use of this trust relationship, cross-site to site a a number of forged user action requests to achieve the purpose of the attack.

Give me a chestnut bar, website A is a bank website, it has a transfer interface is

http://qkxue.net/api/transfer?toID=12345678&cash=1000
Represents a transfer of $1000 to a target account with ID 12345678. Of course, this interface can not be arbitrarily called, it is only allowed to pass the account verification of the user call.

At this time, the fruit developed a new website B, in the homepage of site B, I wrote a sentence like this

This is the code for a line of pages, which means there is a picture with a width of 0, it does not occupy the display space, but it will trigger the browser to automatically load its resources, that is, src corresponding connection.

So, if a user successfully logged on to site A, for a short period of time he still belongs to authenticated users, this time he visited the homepage of Site B (website building ty300.com). Browser loading to that special picture, will automatically request a picture resource, also requested a transfer of the interface, but also because the identity of the user through the site a verification, so that the user's deposit account to the ID 12345678 of the target account transfer 1000 yuan. Even more frightening, every time he opened the site B, he would be transferred 1000 yuan. This is a simple chestnut of the csrf attack.

The essence of the CSRF attack is that the server trusts the browser too much, believing that the request from the browser is correct, but does not differentiate whether this is the user's unsolicited request or the impersonation of user behavior.

So, the way we solve CSRF attacks is to differentiate the request from real user behavior. The fruit gives advice on several defensive csrf:

Requests for critical data operations, it is best to use a POST request to limit the data for a GET request. This avoids the effect of the default pull resource, and the chestnuts in the previous IMG tag are executed under GET requests.

Key data operations, plus verification code to verify the user identity process, so that can reduce the robot automatically submit post requests, after all, crack verification code is not a simple thing.

If you are not able to influence the user experience, you can try anti CSRF token, in the Real form page, hide a random change token each time, when the user submits the form, the token is submitted to the background, to verify, if the validation through the action. In the case of CSRF attacks, site B is not able to get tokens in the site a form, so the server can quickly verify the valid request.

Manuscripts: Diligent Learning qkxue.net

Read the full version of Web security CSRF attack

The CSRF Attack of web security