CSRF (Cross site request forgery) is a network attack that can be sent to a compromised site without the victim's knowledge of the victim's name forgery request, thereby performing a rights-protected operation with no authorization. There is a lot of harm.
CSRF Attack instances
The CSRF attack can be sent to the compromised site in the name of the victim without the knowledge of the victim, thereby performing an operation under rights protection if not authorized.
For example, the victim Bob has a deposit at the bank and sends a request to the bank's website
Http://bank.example/withdraw?account=bob amount=1000000 FOR=BOB2 allows Bob to transfer 1000000 of his savings to Bob2 's account.
Typically, after the request is sent to the Web site, the server verifies that the request is from a valid session and that the user Bob of the session has successfully logged in. Mallory himself has an account with the bank and knows that the URL above can transfer money.
Mallory can send a request to the bank by itself:
Http://bank.example/withdraw?account=bob amount=1000000 for=mallory.
But this request comes from Mallory, not Bob, who cannot pass security authentication, so the request will not work. At this time, Mallory think of using CSRF attack way, he first make a website, put the following code in the site:
src= Http://bank.example/withdraw?account=bob amount=1000000 For=mallory,
and entice Bob to visit his website by advertising. When Bob visits the site, the above URLs are sent from Bob's browser to the bank, which is sent to the bank server with a cookie from Bob's browser.
In most cases, the request fails because he requires BOB's authentication information. However, if Bob had just visited his bank shortly after, the session between his browser and the bank's website had not expired, and the browser's cookie contained Bob's authentication information. At this point, the tragedy occurred, the URL request will be answered, the money will be transferred from Bob's account to Mallory's account, and Bob was not informed. After Bob found that the account was less money, even if he went to the bank to check the log, he can only find that there is a legitimate request from his own transfer of funds, without any traces of attack. And Mallory can get the money and go unpunished.
CSRF object of attack
Before discussing how to defend against CSRF, it is very clear that the object of the CSRF attack is the object to be protected.
From the above example, the CSRF attack is a hacker's use of the victim's cookie to defraud the server of trust, but hackers do not have access to cookies, but also do not see the content of cookies. In addition, for the results returned by the server, due to browser-origin policy restrictions, hackers can not be resolved. Therefore, the hacker cannot get anything from the returned results, all he can do is send a request to the server to execute the command described in the request, directly change the value of the data on the server side, rather than stealing the data from the server.
Therefore, the objects we want to protect are those that can directly generate data changes, and for the services that read the data, there is no need for CSRF protection. For example, the transfer request in the banking system will change the amount of the account directly, will be CSRF attack, need to protect. The query balance is a read operation on the amount, does not change the data, the CSRF attack cannot resolve the results returned by the server, without protection.
Several strategies of current defensive CSRF
There are three main strategies for defending CSRF attacks in the industry today:
Verify the HTTP Referer field;
Add tokens to the request address and verify;
Customize the properties in the HTTP header and verify.
These three strategies are described in detail below.
Validating HTTP Referer Fields
According to the HTTP protocol, there is a field called Referer in the HTTP header, which records the source address of the HTTP request.
In general, requests to access a secure restricted page come from the same Web site, such as the need to access Http://bank.example/withdraw?account=bob amount=1000000 for=mallory, and users must first log on Bank.example, then trigger the transfer event by clicking on the button on the page. At this point, the Referer value of the transfer request will be the URL of the page where the transfer button is located, usually the address beginning with the Bank.example domain name. And if the hacker wants to carry on the CSRF attack to the bank website, he only constructs the request in his own website, when the user sends the request to the bank through the hacker's website, the request Referer is pointing at the hacker own website. Therefore, to defend against CSRF attacks, the bank website only needs to verify its Referer value for each transfer request, if it is a domain name beginning with bank.example, it is legitimate that the request is from the bank website itself. If Referer is a different Web site, it could be a hacker's CSRF attack, rejecting the request.
The obvious benefit of this approach is simplicity, the site's general developers do not need to worry about CSRF, only need to be at the end of all security-sensitive requests unified add an interceptor to check the value of Referer. Especially for current systems, there is no need to change any existing code and logic of the current system, no risk, very convenient.
However, this approach is not foolproof. The value of the Referer is provided by the browser, although there are clear requirements on the HTTP protocol, but each browser may have a different implementation for Referer, and there is no guarantee that the browser itself does not have a security vulnerability. The method of validating Referer values is to ensure that security is dependent on a third party (ie, the browser), which in theory is not secure. In fact, for some browsers, such as IE6 or FF2, there are ways to tamper with Referer values. If the Bank.example website supports IE6 browser, the hacker can completely set the Referer value of the user's browser to the address beginning with the Bank.example domain name, so that it can be authenticated for CSRF attacks.
Even with the latest browser, the hacker cannot tamper with the Referer value, and this method still has a problem. Because the Referer value records the user's access to the source, some users believe that this violates their own privacy, especially some organizations worry that the Referer value will disclose some information in the organization intranet to the external network. As a result, users can set their own browser to no longer provide Referer when sending requests. When they visit the bank website normally, the website will be considered as a CSRF attack because the request does not have Referer value, and deny access to legitimate users.
Add tokens to the request address and verify
The success of the CSRF attack is because the hacker can completely forge the user's request, all the user authentication information in the request is in the cookie, so the hacker can directly use the user's own cookie to pass the security authentication without knowing the authentication information. The key to defending against CSRF is to put in the request information that the hacker cannot forge, and that the information does not exist in the cookie. A randomly generated token can be added as a parameter in an HTTP request, and an interceptor is established on the server side to verify the token, and if no token or token content is incorrect in the request, it may be rejected as a CSRF attack.
This method is more secure than checking the Referer, token can be generated after the user login and placed in the session, and then on each request to take the token from the session, and the token in the request to compare, but the difficulty of this method is how to put token to The form of the parameter is added to the request. For a GET request, token is appended to the request address so that the URL becomes http://url?csrftoken=tokenvalue. For a POST request, add input type= hidden name= csrftoken value=/To the end of the form, which adds the token as a parameter to the request. However, in a Web site, there are many places to accept requests, it is cumbersome to add tokens to each request, and it is easy to miss out, usually using JavaScript to traverse the entire DOM tree every time the page loads, for all the A and form tags in the DOM Add token. This solves most of the requests, but this method has no effect on the dynamically generated HTML code after the page is loaded, and requires the programmer to add tokens manually when encoding.
One drawback of this approach is that it is difficult to secure the token itself. Especially in some of the sites that support users to publish their own content, hackers can post their own personal site address. Since the system will also add tokens to this address, hackers can get this token on their website and can launch CSRF attacks immediately. In order to avoid this, the system can add tokens when adding a judgment, if the link is linked to their own site, in the back to add tokens, if it is to the outside network is not added. However, even if the csrftoken is not appended to the request in the form of a parameter, the hacker's website can also be Referer to get the token value to launch the CSRF attack. This is also why some users prefer to manually turn off the Referer feature.
Customize the properties in the HTTP header and verify
This approach is also using token and validating, unlike the previous method, where token is not placed in an HTTP request in the form of an argument, but instead placed in a custom attribute in the HTTP header. By XMLHttpRequest This class, you can add Csrftoken this HTTP header attribute to all requests at once, and put the token value into it. This solves the inconvenience of adding tokens to the request, while the address requested by XMLHttpRequest is not recorded in the browser's address bar, nor does it worry that tokens will be leaked to other websites through Referer.
However, the limitations of this approach are very large. XMLHttpRequest requests are usually used in the Ajax method for the partial page of the asynchronous refresh, not all requests are suitable for this class to initiate, and through the request of this kind of page can not be recorded by the browser, so as to advance, backward, refresh, collection and other operations, to the user inconvenience. In addition, for a legacy that does not have CSRF protection, it is not acceptable to use this approach for protection, to change all requests to xmlhttprequest requests, almost to rewrite the entire site.
What are the ways to defend against CSRF (i) Custom attributes in HTTP headers and verifying csrf cross-site domain request forgery attacks