Csrf-Attack and Defense
Author: lake2
0x01 What is a CSRF attack
CSRF is the abbreviation of Cross Site Request Forgery (also XSRF): performing GET/POST operations against a CGI within a user's session, operations the user may neither know about nor intend. It can be used to hijack HTTP sessions. Website
This article illustrates the Yii framework's approach to preventing SQL injection, XSS attacks, and CSRF attacks. It is shared for your reference; the specifics are as follows:
The methods commonly used in PHP are:
/* Anti-SQL injection, XSS attack (1) */
function Actionclean($str) {
    $str = trim($str);          // strip leading/trailing whitespace
    $str = strip_tags($str);    // remove HTML/PHP tags
    $str = stripslashes($str);  // undo any earlier escaping
    $str = addslashes($str);    // escape quotes and backslashes
    $str = rawurlde
of attack is called XSRF. The essential reason for CSRF attacks: CSRF exploits the Web's implicit authentication mechanism. Although the Web's authentication mechanism can guarantee that a request comes from a user's browser, it cannot guarantee that the request was sent intentionally by the user. CSRF attacks are generally resol
What is CSRF? CSRF (Cross Site Request Forgery) means forging requests across sites. In a CSRF attack, after the user has logged in to the target site, the attacker convinces the user to visit an attack page and exploits the target site's trust in the user to initiate a forged user action on the target site on th
1. What is a CSRF attack?
CSRF is the abbreviation of Cross Site Request Forgery (also XSRF): performing GET/POST operations against a CGI within a user's session, operations the user may neither know about nor intend. It can be used to hijack HTTP sessions. The website uses cookies to identify users. After a user successfully authenticates, the browser obtains a cookie that identifies th
CSRF attack. What is Cross-Site Request Forgery? Cross-Site Request Forgery, also known as "one-click attack" or session riding, usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different from XSS, and the attack method is almost the opposite. XSS le
. As described earlier, a valid session must already exist between the administrator and the site before a password-change operation can be performed. The hacker can then construct a web page, put the above code into it, and trick the administrator into opening the page; if the administrator happens to be working on the site, so that the administrator's browser already has an established session with it, the above code will take effect. For example,
Name service provider 114DNS found a "monitoring data anomaly." The security team then successfully traced the "culprit" that launched this DNS hijacking attack and immediately reported the attack to TP-Link and other mainstream domestic router manufacturers.
114DNS and Tencent PC Manager say a new round of DNS phishing attacks has infected millions of users. About 4% of all network us
CSRF is short for Cross Site Request Forgery. Next we will share the principles, implementation methods, and defense methods of this attack.
Principles of CSRF attacks
By deploying attack code and related data on a malicious website, and then guiding an authorized user
What is CSRF?
CSRF (Cross-Site Request Forgery) literally means forging requests across sites. The term is usually used for a type of web site vulnerability in which a page on a malicious site induces the visitor to request a URL of your website (usually with POST data) in order to change server-side data. This type of attack relies on the forms on your web pages. Vulnerable forms ar
I. Introduction to CSRF. CSRF (Cross-Site Request Forgery), also known as "one-click attack" or session riding, usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. CSRF is a confused-deputy attack that depends on the web browser.
parsing. The problem arises: as functionality grows there are more views, and perhaps the previously configured regular expression is not precise enough, so it must be modified; but once the regular expression is modified, all the corresponding hyperlinks must be modified too, which is troublesome, and some hyperlinks may be missed. Is there a way to generate links dynamically from the regular expressions? Answer: reverse parsing. Des
What is a CSRF attack?
CSRF (Cross-Site Request Forgery) is an attack in which an attacker lures a user into visiting a page that performs operations on a third-party site as that user.
For example: after logging in to the Sohu blog, simply requesting this URL deletes blog post number "156713012":
http://blog.sohu.com/manage/ent
users; this time he visits the homepage of site B (the site-building site ty300.com). When the browser loads that special image, it automatically requests the image resource, which is in fact the transfer interface; because the user's identity has already been verified by site A, 1000 yuan is transferred from the user's deposit account to the target account with ID 12345678. Even more frightening, every time he opens site B another 1000 yuan is transferred. This is a simple example
CSRF (Cross-Site Request Forgery) literally means forging requests across sites and is usually used for this type of web site vulnerability: on a malicious website's page, the visitor is induced to request a URL of your website (usually via POST data), thereby changing server-side data. This type of attack relies on the forms on your web pages. Vulnerable forms are open to attack. Visitors to
A major puzzle: how to effectively prevent CSRF attacks
What is a cross-site request forgery attack? My own understanding: user A uses a browser to access a vulnerable site B, and A also visits a malicious website C. Suppose user A performs a transaction on site B. Site C contains an HTML fragment, so user A's browser sends a request to site B's transaction link; because A is already logged in to site B, B processes the request, but the request was not sent by user A's own action, bu
Background: 1. CSRF knowledge. CSRF (Cross-Site Request Forgery), also known as "one-click attack" or session riding, usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different from XSS, and the attack method is almost the opposite. XSS leverages trust
Online there is a way to use
$_SERVER['HTTP_REFERER']
But the article also points out that
the Referer can be forged.
For example
header("Referer: www.aaa.com");
......
?>
I tried it; when I sent it from the console, it looked like the referer was changing.
But $_SERVER['HTTP_REFERER'] is empty, which means it doesn't seem to be a problem.
Well, what about this parameter? Can it prevent the attack?
Reply to discussion (solution)