
CSRF attack

2022-06-11 01:20:00 zhen12321

Background

More than ten years ago CSRF was listed among the ten best-known vulnerabilities in information security. Its ranking has since dropped, but if you do not take precautions you will still get caught by it.

Principle

The attack exploits the fact that cookies are automatically attached to HTTP requests.
Premise: a user logs in to a website; the site sends a cookie to the user's client, and that cookie is the login credential.
Attack: the attacker lures the user to a phishing site of their own. From that site, in the same browser, the attacker's forged page issues a cross-domain request to the real backend, and the browser attaches the cookie. Sending a cookie cross-domain is restricted by the same-origin policy, so ajax cannot carry the cookie this way (otherwise the attacker would not need to lure anyone and could simply send the request themselves).

  • The usual vehicle is the src of an img tag: the src points to the GET address of the target interface, the img can be hidden, and it takes advantage of the fact that img loads are naturally cross-domain (similar to jsonp).
  • For POST submissions, the attacker constructs a hidden form and uses JS to submit it automatically, which triggers the POST request.

This imitates a network request initiated by the real site. The third-party website cannot read the victim site's cookie (cookies have a scope), but it can rely on the cookie being attached automatically to the HTTP request headers to deceive the browser into treating the request as a normal request from the site's own front end, so the origin site's cookie is attached to this request.

Differences from XSS attacks

  • An XSS attack injects the attack script directly into the browser, so the user is caught as soon as they open the compromised website; a CSRF attack needs to lure the user into opening the attacker's own website.

How to defend against such attacks

  • Server side: use the Referer header field to determine whether the user came from the original site.
    • Drawback: an attacker can still modify ajax to change the Referer header and complete the task.
  • Use a unique value from the server for verification.
    • Specific working method: on each response the server returns a unique, non-repeating value that is hidden on the client; the client carries this value with every request, and when the server receives it, it destroys it.
    • Principle: similar to a token, verification is done on the server side, and the value has a validity period (one request and one response). It exploits the fact that the attacker's website cannot know the data in the user's browser.
  • Use a token for communication.
    • Because token-based communication is a mature RFC proposal, it is widely used in projects with separated front and back ends to secure interfaces. Since it is specialised for this purpose, it is also very widely adopted.
  • Set up the cookie properly:
    • Only let it be sent with HTTP requests, not read by scripts (the HttpOnly attribute).
    • Only let it be sent over HTTPS (the Secure attribute).
    • Only let it be sent to the origin site (the SameSite attribute).

Summary

CSRF attacks can also be combined with XSS attacks. They mainly exploit the insecure characteristics of cookies, so I suggest that from now on you try to avoid using cookies for server-client communication in all your projects.
Also try not to use cookies for front-end storage: cookies are small, and, most importantly, they have led to many security vulnerabilities. Now that we have better options, why not use them?

Original site: https://yzsam.com/2022/162/202206110015559310.html

Copyright notice
This article was written by [zhen12321]; please include the original link when reposting. Thank you.