What's CSRF?

Source: Internet
Author: User
Tags: csrf attack

What is a CSRF attack?

CSRF (Cross-site request forgery) works like this. Assume a bank website A, a website B, a user (the victim), an attacker, and a transfer URL on the bank site of the form http://bank.example/transfer?account=Marry&amount=10000&to=Mallory.

1. The user logs in to bank website A. The session stays valid: the cookie has not expired and the user has not logged out.
2. While still logged in, the user browses website B, which belongs to the attacker. Site B embeds a picture whose source is the transfer URL on site A; the browser fetches the image automatically when the page is displayed, so the user does not even need to click it.
3. When the browser loads the image, it sends the request to bank website A with the user's cookie attached, and site A responds by transferring the money from the user's account (Marry) to the attacker's account (Mallory).
4. The victim, Marry, notices nothing during the transfer. Even if the victim later inspects the logs, the operation looks like a transfer requested by the victim, because it was sent from the victim's own browser with the victim's own session.

From the example above we can see:

1. In CSRF the attacker uses the victim's cookie to gain the server's trust, but the attacker never obtains the cookie or its contents; the victim's browser attaches it to the forged request automatically.
2. What the attacker can do is make the server execute the command described in the request, directly changing data on the server side. The attacker cannot steal data from the server: the response goes to the victim's browser, and the same-origin policy keeps a page on site B from reading a response from site A.

In summary, we can work out which objects need protection:
    • 1. The objects to protect are the requests that directly change data; services that only read data do not need CSRF protection. For example, the transfer request in the banking system changes the account balance directly, can be triggered by CSRF, and needs protection.
    • 2. A balance query is a read operation on the amount; it changes no data, and the attacker cannot read the result the server returns, so it needs no protection. Note that what matters is whether the request changes state, not its HTTP method: a state-changing operation exposed over GET, like the transfer URL above, is exactly what makes the image trick work, and a POST endpoint can be forged just as easily with a hidden auto-submitting form on site B.
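The scenario above as runnable code. This is an added example, not code from the original article or from the IBM developerWorks source it cites: a bank whose transfer endpoint trusts the session cookie alone, and a minimal browser model that attaches the cookie to every request for bank.example, including the one triggered by an image on the attacker's page. The host names, account names, balances and session ids are constructed for the example.

```python
"""Simulation of the CSRF scenario described above (added example, not code
from the original article). The bank authenticates requests by session cookie
alone; the browser attaches that cookie to every request for bank.example,
including one triggered by an <img> tag on the attacker's site."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

BANK_HOST = "bank.example"    # assumed host, as in the article's example URL

# Bank state: balances and a session store mapping session id -> user.
balances = {"Marry": 20000, "Mallory": 0}
sessions = {}


@dataclass
class Request:
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def bank_handle(req):
    """Vulnerable transfer endpoint: trusts the session cookie and nothing else."""
    parts = urlsplit(req.url)
    user = sessions.get(req.cookies.get("session"))
    if user is None:
        return 401, "not logged in"
    if parts.path == "/balance":
        return 200, str(balances[user])
    if parts.path == "/transfer":
        # Parameters may come from the query string (GET) or the form body (POST).
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        params.update(req.form)
        amount, to = int(params["amount"]), params["to"]
        if params["account"] != user or balances[user] < amount:
            return 403, "refused"
        balances[user] -= amount
        balances[to] = balances.get(to, 0) + amount
        return 200, f"transferred {amount} from {user} to {to}"
    return 404, "no such page"


class Browser:
    """Minimal browser model: a cookie jar keyed by host, sent automatically."""

    def __init__(self):
        self.jar = {}

    def login(self, user):
        # The bank sets a session cookie (constructed id, not a real scheme).
        sid = f"sid-{user}"
        sessions[sid] = user
        self.jar[BANK_HOST] = {"session": sid}

    def fetch(self, method, url, form=None):
        host = urlsplit(url).hostname
        req = Request(method, url, dict(self.jar.get(host, {})), form or {})
        if host == BANK_HOST:
            return bank_handle(req)
        return 404, "unknown host"

    def visit_evil_page(self):
        """Site B's page: an <img> whose src is the bank's transfer URL.
        The browser fetches it on page load, bank cookie attached, no click needed."""
        img_src = f"http://{BANK_HOST}/transfer?account=Marry&amount=10000&to=Mallory"
        self.fetch("GET", img_src)
        # A POST endpoint is no safer: a hidden auto-submitting form does the same.
        self.fetch("POST", f"http://{BANK_HOST}/transfer",
                   form={"account": "Marry", "amount": "5000", "to": "Mallory"})


def run_attack():
    """Reset state, run steps 1-3 of the scenario, return the resulting balances."""
    balances.update({"Marry": 20000, "Mallory": 0})
    sessions.clear()
    browser = Browser()
    browser.login("Marry")          # step 1: victim logs in, session stays valid
    browser.visit_evil_page()       # steps 2-3: victim views site B
    return dict(balances)


if __name__ == "__main__":
    print(run_attack())   # Marry's money moves to Mallory without her knowledge
```

The bank never sees anything that distinguishes the forged request from a genuine one: same cookie, same parameters, same browser. That is why the defences below all add something to the request that the attacker's page cannot supply.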
 Several strategies to guard against CSRF:
  • Verify the value of the HTTP Referer
      • According to the HTTP protocol, the request header contains a field called Referer, which records the address of the page from which the request was made.
      • For example, when the user visits http://bank.example/transfer?account=Marry&amount=10000&to=Mallory, the Referer should show that the request was initiated from a page on bank.example. If the transfer request was initiated from site B, the Referer will be site B itself, and the server can reject it.
      • Preventing CSRF by checking the Referer has the following characteristics:
      1. The obvious benefit is simplicity: the site's developers do not need to worry about CSRF in each individual function; they only need to add one interceptor in front of all security-sensitive requests that checks the value of the Referer. For an existing system this means no change to existing code and logic, which is low-risk and very convenient.
      2. The risk is that security is pinned on the browser. Older browsers such as IE6 or FF2 could be made to send a tampered Referer value. Even where it cannot be tampered with, some users configure their browser or a privacy proxy not to send a Referer at all, and the website would then reject those legitimate users' requests because no Referer value is present. The check must also compare the parsed host exactly rather than look for the string "bank.example" anywhere in the header, since an attacker can register bank.example.evil.example or put the string in the path, query or userinfo part of the URL.
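A Referer interceptor of the kind described above, as an added example that is not part of the original article. It parses the header and compares the host exactly, treats a missing Referer as a policy decision (reject by default, since some users' browsers strip it), and runs a naive substring check over the same constructed sample headers to show where that shortcut fails. The host names and sample headers are constructed for the example.

```python
"""Referer interceptor (added example, not from the article). A request passes
only when the Referer names a page on the bank's own host. The naive substring
check is shown alongside it to illustrate how it fails."""
from urllib.parse import urlsplit

OWN_HOST = "bank.example"   # assumed host, as in the article's example URL


def referer_ok(headers, own_host=OWN_HOST, allow_missing=False):
    """Return True if the request may proceed.

    headers: dict of request headers (looked up case-insensitively here).
    allow_missing: whether to accept requests with no Referer at all. Rejecting
    them is safer but locks out users whose browser or proxy strips the header.
    """
    referer = next((v for k, v in headers.items() if k.lower() == "referer"), None)
    if not referer:
        return allow_missing
    parts = urlsplit(referer)
    # Compare the parsed host exactly; require http(s) so that an opaque or
    # malformed value cannot sneak past. hostname already drops userinfo/port.
    return parts.scheme in ("http", "https") and (parts.hostname or "").lower() == own_host


def naive_referer_ok(headers):
    """The check a hurried developer writes: is our domain anywhere in the header?"""
    return OWN_HOST in headers.get("Referer", "")


# Constructed sample headers: legitimate, four attacker tricks, and a stripped header.
SAMPLES = {
    "legit":      {"Referer": "http://bank.example/transfer_form"},
    "evil site":  {"Referer": "http://evil.example/trap.html"},
    "subdomain":  {"Referer": "http://bank.example.evil.example/trap.html"},
    "in path":    {"Referer": "http://evil.example/bank.example/trap.html"},
    "userinfo":   {"Referer": "http://bank.example@evil.example/"},
    "no referer": {"User-Agent": "privacy-browser"},
}


def compare_checks():
    """Run both checks over the samples; returns {name: (strict, naive)}."""
    return {name: (referer_ok(h), naive_referer_ok(h)) for name, h in SAMPLES.items()}


if __name__ == "__main__":
    for name, (strict, naive) in compare_checks().items():
        print(f"{name:12s} strict={strict!s:5s} naive={naive}")
```

Only the strict check rejects the subdomain, path and userinfo tricks; both reject the request with no Referer, which is exactly the legitimate-user problem the text describes, so a real deployment has to decide what allow_missing should be.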
  • Add a token to the request and verify it
      • As noted, the attacker can use the user's own cookie to have the browser send a forged request. The defence is to include in the request some information the attacker cannot forge and which is not carried in the cookie: a randomly generated token added as a parameter of the HTTP request. An interceptor on the server side verifies the token; if the request has no token or the token's value is wrong, the request is treated as a possible CSRF attack and rejected. The token must be unpredictable (generated from a secure random source) and bound to the user's session on the server; the attacker's page on site B cannot obtain it because it never gets to read site A's pages.
      • For a POST request, add <input type="hidden" name="csrftoken" value="tokenvalue"/> at the end of the form, so the token is submitted as a parameter of the request. For a GET request it can be appended to the URL as a query parameter, but it then appears in the address bar, the browser history and any Referer sent to other sites.
  • Validate a custom attribute in the HTTP header
      • This approach also uses a token and validates it, but unlike the previous method the token is not placed in the request as a parameter; it is placed in a custom attribute of the HTTP header. Using the XMLHttpRequest class, the csrftoken header attribute can be added to every request at once, with the token value put into it. This removes the inconvenience of adding the token to each request, and because the address requested by XMLHttpRequest is not recorded in the browser's address bar, there is no worry that the token will leak to other websites through the Referer.

        However, this approach has large limitations. XMLHttpRequest requests are usually used in Ajax for asynchronously refreshing part of a page; not every request is suited to being initiated this way, and pages fetched through it are not recorded by the browser, so forward, back, refresh and bookmarking do not work, which is inconvenient for the user. In addition, for a legacy system without CSRF protection, changing every request to an XMLHttpRequest request almost amounts to rewriting the entire site, so this approach is not acceptable for retrofitting protection.

        The content above is referenced from: http://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/index.html
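A server-side implementation of the two token strategies above (hidden form field and custom header), as an added example that is not code from the original article or its IBM source. The token is issued once per session from the OS random source, rendered into the hidden input the text describes, and accepted either from the csrftoken form field or from an X-CSRF-Token header (an assumed header name for the XMLHttpRequest variant); comparison is constant-time. The sessions and requests are constructed for the example.

```python
"""Session-bound CSRF token (added example, not the article's code). Covers both
strategies above: the token is issued once per session, rendered into a hidden
form field for ordinary POSTs, and accepted from an X-CSRF-Token header (an
assumed header name) for XMLHttpRequest calls."""
import hmac
import html
import secrets

FORM_FIELD = "csrftoken"       # field name used in the article's hidden input
HEADER_NAME = "X-CSRF-Token"   # assumed header name for the Ajax variant


def issue_token(session):
    """Create (or reuse) the token stored in this user's server-side session."""
    if "csrf" not in session:
        session["csrf"] = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    return session["csrf"]


def hidden_input(session):
    """The <input type="hidden"> to append to a form, value escaped for HTML."""
    return (f'<input type="hidden" name="{FORM_FIELD}" '
            f'value="{html.escape(issue_token(session), quote=True)}"/>')


def extract_token(headers, form):
    """Token may arrive as a form field or as the custom header; header wins."""
    for k, v in headers.items():
        if k.lower() == HEADER_NAME.lower():
            return v
    return form.get(FORM_FIELD)


def csrf_ok(session, headers, form):
    """Interceptor for state-changing requests: reject if missing or mismatched.

    hmac.compare_digest runs in constant time, so the check leaks nothing about
    how many leading bytes of a guessed token were correct."""
    expected = session.get("csrf")
    supplied = extract_token(headers, form)
    if expected is None or not supplied:
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def demo():
    """Constructed scenario: outcomes of four requests against the victim's session."""
    victim = {}                       # server-side session of the logged-in user
    token = issue_token(victim)       # site A renders this into its own pages only
    attacker_session = {}
    issue_token(attacker_session)     # the attacker's own token is useless here
    return {
        # genuine form submit from site A's page, token in the hidden field
        "form with token": csrf_ok(victim, {}, {"account": "Marry", FORM_FIELD: token}),
        # genuine XMLHttpRequest from site A's page, token in the custom header
        "ajax with header": csrf_ok(victim, {HEADER_NAME: token}, {}),
        # forged request from site B: cookie present, but no token (site B can't read it)
        "forged, no token": csrf_ok(victim, {}, {"account": "Marry", "amount": "10000"}),
        # forged request carrying a token from the attacker's own session
        "forged, own token": csrf_ok(victim, {}, {FORM_FIELD: attacker_session["csrf"]}),
    }


if __name__ == "__main__":
    print(hidden_input({}))
    print(demo())
```

The interceptor is the same for both strategies; only where the token travels differs. The header variant has one extra property worth knowing: a plain cross-site form or image cannot set a custom request header at all, so for XMLHttpRequest calls the header's presence is already a strong signal, while the form-field variant relies entirely on the attacker being unable to read the token out of site A's page.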
