
An example of CSRF attack defense in web application scenarios

2022-06-13 07:08:00 guangsu.

Cross-site request forgery

CSRF (Cross-site request forgery): the attacker steals your identity and sends malicious requests in your name.

Attack pattern: to complete one CSRF attack, the victim must complete two steps in turn:

  1. Log in to the trusted site A, so that a cookie for A is created locally.
  2. Without logging out of site A, visit the dangerous site B. Site B contains a malicious request forged against site A, and that request can use the cookie for A cached in the browser.

Attack instance

Attack scenario

In the original scenario, Alice is the victim; she uses a bank website, http://unsafe/, that has a session fixation vulnerability. Mallory is the attacker, who wants to steal Alice's bank deposit, and Alice will click a web link that Mallory sends her (perhaps because Alice knows Mallory, or because her own security awareness is weak).

Attack steps:
  1. Hacker Mallory visits http://unsafe/ and obtains a session ID (session_id); for example, the server returns: Set-Cookie: session_id=0D6441FEA4496C2
  2. Hacker Mallory sends user Alice an email: "We have launched a new service; to be the first to experience it, please click: http://unsafe/?SID=0D6441FEA4496C2"
  3. User Alice clicks the link and logs in.
  4. Because the server's session ID does not change, when hacker Mallory now opens http://unsafe/?session_id=I_WILL_KNOW_THE_SID, he has user Alice's identity and can do whatever he wants.

Defense:

The application automatically generates a CSRF "token" for each active user session. This token is used to verify that the authenticated user is really the user who made the request to the application.
Whenever you define an HTML form, include a hidden CSRF token field in it, so that the server's CSRF filter can check whether the form's CSRF token is the same as the token stored against the session's session_id. Even if the attacker forges the form in advance in an email and steals your identity credential (the session_id), he cannot forge the random CSRF token, so this effectively prevents the situation above, unless your terminal is completely hijacked.

From the example above, there are two key considerations during development:

  • After a successful login, the session_id must be regenerated, and the format of the session_id must be validated.
  • When receiving a sensitive operation, do not just verify the credentials; also verify that the authenticated user is the user who made the request to the application. Otherwise, exposure of the session_id means the login permission is completely exposed.
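The following is an added example (not code from the original post) of the two considerations above and of the token check from the defense section: a hypothetical minimal session store that discards whatever session_id the client arrived with and issues a fresh one at login, validates the session_id format, and rejects a sensitive operation whose form does not carry the token bound to the session. The session_id format (32 hex characters), the `transfer` operation and the status strings are assumptions for illustration.

```python
import hmac
import re
import secrets

SESSION_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # assumed format: 32 hex characters
sessions = {}  # session_id -> {"user": str | None, "csrf": str}


def new_session():
    """Issue a server-chosen session id with its own random CSRF token."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": None, "csrf": secrets.token_urlsafe(32)}
    return sid


def login(presented_sid, user):
    """Authenticate and rotate the session id, so a fixated id becomes useless."""
    if presented_sid in sessions:
        del sessions[presented_sid]  # never keep the id the client arrived with
    sid = new_session()
    sessions[sid]["user"] = user
    return sid


def valid_session(sid):
    """Reject ids that are malformed or that the server never issued."""
    return bool(sid) and SESSION_ID_RE.match(sid) is not None and sid in sessions


def transfer(sid, form):
    """Sensitive operation: needs a logged-in session AND the matching CSRF token."""
    if not valid_session(sid) or sessions[sid]["user"] is None:
        return "401 not logged in"
    expected = sessions[sid]["csrf"]
    if not hmac.compare_digest(form.get("csrf_token", ""), expected):
        return "403 csrf token mismatch"
    return f"200 transferred {form['amount']} from {sessions[sid]['user']}"


def demo():
    fixated = secrets.token_hex(16)  # constructed: the id Mallory obtained and mailed to Alice
    sessions[fixated] = {"user": None, "csrf": "x"}
    alice_sid = login(fixated, "alice")
    # 1. Mallory replays the fixated id: it no longer exists after Alice's login
    r1 = transfer(fixated, {"csrf_token": "x", "amount": 100})
    # 2. a form forged in an email, using Alice's id but lacking her session's token
    r2 = transfer(alice_sid, {"amount": 100})
    # 3. the legitimate form carrying the hidden token rendered into the page
    r3 = transfer(alice_sid, {"csrf_token": sessions[alice_sid]["csrf"], "amount": 100})
    return r1, r2, r3
```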

Other scenarios

Attack scenario 1, the simplest case: the server accepts any session ID. The process is as follows:

  1. Hacker Mallory finds that http://unsafe/ accepts any session ID, and that the session ID is carried to the server in a URL query parameter that the server does not check.
  2. Hacker Mallory sends user Alice an email, possibly pretending that the bank is promoting a new service, for example: "We have launched a new service; to be the first to experience it, please click: http://unsafe/?SID=I_WILL_KNOW_THE_SID". Here I_WILL_KNOW_THE_SID is a session ID chosen by hacker Mallory.
  3. User Alice is attracted, clicks http://unsafe/?SID=I_WILL_KNOW_THE_SID, and logs in to the bank website with her account and password as usual.
  4. Because the server's session ID does not change, when hacker Mallory now opens http://unsafe/?SID=I_WILL_KNOW_THE_SID, he has user Alice's identity and can do whatever he wants.

Attack scenario 2: cross-site cookie (cross-site cooking). This exploits a browser vulnerability: even if http://good is very secure, a flaw in the browser's cookie management lets the malicious site http://evil/ set a cookie for http://good in the browser. The process is as follows:

  1. Hacker Mallory sends user Alice an email: "There is an interesting website, http://evil; it's fun, you might as well try it."
  2. User Alice visits the link, and the site sets a cookie for the http://good/ domain in her browser whose session ID value is I_WILL_KNOW_THE_SID.
  3. Hacker Mallory sends user Alice another email: "We have launched a new service; to be the first to experience it, please click: http://good/"
  4. If user Alice logs in, hacker Mallory can then use this ID.

Copyright notice
This article was written by [guangsu.]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202270550304862.html