View the CSRF Protection Policy of Yii2 requests

View the CSRF Protection Policy of Yii2 requests
First, draw a flowchart:

1. The problem is as follows:

We are processing such a demand todayapp\controllers\LoginController.phpDefined inindex(Mainly used for non-Web page logon, suchCurl -X POST http://api/login):

As a result, both the test tool POSTMAN and the command line CURL request always gethttp400:Bad RequestBut if you use the Web page to GET access (remove the POST limit of verbFilter), it is normal

The problem is found in the post below, which is the cause of CSRF verification;
This is because the form is hidden when a Web page is accessed.input:_csrfAccess can be normally performed only after verification;
Instead of webpage access (not through Web forms ),Csrf Verification.

The CURL access method does not use cookies, so I don't think it is necessary to prevent them here.csrfAttack: temporarily disable it using the following methods.

Http://stackoverflow.com/questions/23237377/yii2-curl-bad-request-400

class Controller extends \yii\base\Controller{    /**     * @var boolean whether to enable CSRF validation for the actions in this controller.     * CSRF validation is enabled only when both this property and [[Request::enableCsrfValidation]] are true.     */    public $enableCsrfValidation = false; <- set this to false

2. Take the opportunity to study the CSRF defense mechanism of Yii2

What is a CSRF attack?

Simply put,Attackers steal your identity and send malicious requests in your name.

Http://www.bkjia.com/Article/201205/130728.html

Http://baike.baidu.com/view/1609487.htm? Fr = aladdin

The most effective method principle is as follows:

• Cookie Hashing, which indicates a random value in all forms sent by the server to the client._csrfAnd save an associatedtoken;
• During verification, the server accesses the received request each time._POST()Oneinput hidden _csrfIn the COOKIE of the ClienttokenVerify against
• Attackers exploit the client's cookies, but attackers cannot obtain the specific content of the cookies.Exploitation(Aside from thisXSSThe possibility of attacks is that users' cookies are easily stolen due to the XSS vulnerability of the website, which is another 1%. Generally, attackers will give up when they see that they need to calculate the Hash value.); Therefore, attackers cannot addtokenIn this way, the verification fails.

This may be the simplest solution. Because attackers cannot obtain third-party cookies (theoretically), the data in the form fails to be constructed:>

Let's see if Yii2 does this.

3. Exploring from the outside to the inside

Yii provides an overview of its CSRF defense mechanism:

  * When CSRF validation is enabled, forms submitted to an Yii Web application must be originated     * from the same application. If not, a 400 HTTP exception will be raised.     *     * Note, this feature requires that the user client accepts cookie. Also, to use this feature,     * forms submitted via POST method must contain a hidden input whose name is specified by [[csrfParam]].     * You may use [[\yii\helpers\Html::beginForm()]] to generate his hidden input.     *     * In JavaScript, you may get the values of [[csrfParam]] and [[csrfToken]] via `yii.getCsrfParam()` and     * `yii.getCsrfToken()`, respectively. The [[\yii\web\YiiAsset]] asset must be registered.     * You also need to include CSRF meta tags in your pages by using [[\yii\helpers\Html::csrfMetaTags()]]

3.1 first, let's take a look at the CSRF in the browser:

In the first image, it is obvious that,<meta>And<form>Each has a csrf_token and is consistent.
In Chapter 2, cookies ['_ csrf'] also have a longer string, which is ...?

After some research, this long string is because Yii is enabled by default.cookieValidation

Disable enableCookieValidationMakes CSRF analysis easy

Disable it in the config file:

    'components' => [        'request' => [            // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation'cookieValidationKey' => '83r5HbITBiMfmiYPOZFdL-raVp4O1VV4','enableCookieValidation' => false,'enableCsrfValidation' => true,        ]

Before and after disabling:

In this way, _ csrf is much simpler. Of course, this is not safe.

3.2 slave viewStart searching csrf3.2.1 first look for app \ views \ site \ login. php In the form

The csrf definition is not found. It should be encapsulatedActiveFormNow

3.2.2 vendor \ yiisoft \ yii2 \ widgets \ ActiveForm. php

class ActiveForm extends yii\base\Widget{    public function init()    {        ...        echo yii\helpers\Html::beginForm(...);    }        public function run()    {        ...        echo yii\helpers\Html::endForm(...);    }}

3.2.3 yii \ helpers \ Html

Finally found CSRF

   public static function beginForm($action = '', $method = 'post', $options = [])    {        $action = Url::to($action);        $hiddenInputs = [];        $request = Yii::$app->getRequest();            if ($request->enableCsrfValidation && !strcasecmp($method, 'post')) {                $hiddenInputs[] = static::hiddenInput($request->csrfParam, $request->getCsrfToken());            }        ... ...

3.2.4 go app\views\layouts\main.phpLet's see how CSRF came from.

 

 
  

Exactly in3.2.3 yii\helpers\HtmlDefined in

 
/**     * Generates the meta tags containing CSRF token information.     * @return string the generated meta tags     * @see Request::enableCsrfValidation     */    public static function csrfMetaTags()    {        $request = Yii::$app->getRequest();        if ($request instanceof Request && $request->enableCsrfValidation) {            return static::tag('meta', '', ['name' => 'csrf-param', 'content' => $request->csrfParam]) . "\n    "                . static::tag('meta', '', ['name' => 'csrf-token', 'content' => $request->getCsrfToken()]) . "\n";        } else {            return '';        }    }

3.2.5 originally, csrf was composed
Yii::$app->requestProcessed

 

 
  
In head
$request->getCsrfToken()
 
  
In form
$request->csrfParam$request->getCsrfToken()
It seems that the entire verification process is composedgetCsrfToken()Triggered.

 
3.3 research source code
Source code see: http://www.yiiframework.com/doc-2.0/yii-web-request.html
Here is a flowchart (hand-painted version ):
Original blog, reproduced Please note: http://www.cnblogs.com/ganiks