White Hat Talks Web Security, Chapter 4: Cross-Site Request Forgery (CSRF)

Source: Internet
Author: User
Tags: csrf, attack

1. CSRF: Cross-Site Request Forgery. The attack works by placing links or scripts in a page that an authenticated user visits; the user's browser then sends requests to the target site with the user's credentials (cookies) attached automatically. It depends on the web browser and is a form of confused-deputy attack.

2. Common features: it relies on the user's identity to harm the site; it exploits the site's trust in the user's identity; it tricks the user's browser into sending HTTP requests to the target site. Any element with a src attribute (e.g. iframe, img, script, link/style) triggers a GET request when the page loads, so such elements can be used to initiate a CSRF attack against an action that is reachable by GET.

See: http://www.cnblogs.com/hyddd/archive/2009/04/09/1432744.html

3. CSRF defenses

1) Verification code (CAPTCHA): forces the user to interact with the application before a sensitive action is carried out. The most concise and effective defense method.

2) Referer check: the HTTP Referer header is part of the request; when the browser sends a request to the web server it usually carries the Referer to tell the server which page the link was followed from, and the server can use that information in its decision. The flaw of the Referer check is that the server cannot always obtain the Referer (browsers, privacy settings and proxies may strip it), so a request without it cannot be judged.

3) One-time tokens: each form contains a different pseudo-random value. The token is placed both in the form and in the session. When a request is submitted, the server simply checks that the token in the form matches the token in the user's session (or cookie): if they match, the request is legitimate; if they do not, it is rejected.

Principles for using tokens:
- Sufficiently random: a cryptographically secure random number generator must be used to generate tokens.
- Limited lifetime: for example, once a form has submitted and consumed a token, a new token must be generated. If the token is not stored in the session, it is stored in a cookie.
- Multiple pages: if there is only one token, several open pages would have to share it, so consider generating several simultaneously valid tokens to solve the multiple-page problem.
- Privacy of tokens: place the token in the form body rather than exposing it in the URL; change sensitive operations from GET to POST and submit them as forms (or via AJAX).
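The token and Referer defenses above, combined in one request handler, as an added example that is not part of the original text. It assumes a hypothetical in-memory session store, a hypothetical site origin https://bank.example, and a money-transfer action standing in for any sensitive operation.

```python
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical server-side session store: session id -> session data (constructed for the example).
SESSIONS: Dict[str, Dict] = {}

def issue_token(session_id: str) -> str:
    """Mint a token from a CSPRNG and remember it in the user's session.
    A set is kept so several open pages can each hold their own valid token."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {}).setdefault("csrf_tokens", set()).add(token)
    return token

def consume_token(session_id: str, submitted: Optional[str]) -> bool:
    """Accept a token once (constant-time comparison), then retire it so it cannot be replayed."""
    if not submitted:
        return False
    tokens = SESSIONS.get(session_id, {}).get("csrf_tokens", set())
    for stored in list(tokens):
        if hmac.compare_digest(stored.encode(), submitted.encode()):
            tokens.discard(stored)
            return True
    return False

def referer_ok(headers: Dict[str, str], origin: str) -> Optional[bool]:
    """Referer check. Returns None when the header is absent, because browsers and
    proxies may strip it; the caller decides how to treat that case."""
    referer = headers.get("Referer")
    if referer is None:
        return None
    # Require the origin plus a path separator so https://bank.example.evil.example does not pass.
    return referer == origin or referer.startswith(origin + "/")

def handle_transfer(session_id: str, method: str, headers: Dict[str, str],
                    form: Dict[str, str]) -> str:
    """Sensitive operation: POST only, then Referer check, then a valid one-time token."""
    if method != "POST":
        return "405 method not allowed"      # a GET triggered by <img src> never reaches the action
    if referer_ok(headers, "https://bank.example") is False:
        return "403 bad referer"             # present but from another site
    if not consume_token(session_id, form.get("csrf_token")):
        return "403 invalid or reused token"
    return "200 transferred"
```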

