How to prevent XSRF attacks and how to prevent CSRF attacks

One. What is CSRF?

CSRF (Cross-Site Request Forgery), Chinese name: Cross-site request forgery, also known as: One Click Attack Session Riding, abbreviated as:

csrf/xsrf。

Two. What can a CSRF do?

This can be understood as a CSRF attack: an attacker steals your identity and sends malicious requests on your behalf. Among the things that CSRF can do are:

Send emails, send messages, steal yours, and even buy goods and transfer virtual currency in your name. Problems include: personal privacy leakage and property security.

Three. CSRF vulnerability status.

CSRF attack method has been proposed by foreign security personnel in 2000, but in China, it was not until 06 years that it began to be concerned, 08 years, a number of large communities and interactions at home and abroad broke out CSRF vulnerabilities, such as: New York Times), Metafilter (a large blog**), YouTube and hi...And now, many sites on the Internet are still so defenseless that the security industry calls CSRF a "sleeping giant."

The way to defend against CSRF attacks is to log out web applications when they are not in use. Protect your username and password. Don't let the browser remember the password. While you're working on the app and logging in, avoid browsing.

CSRF attacks can be summarized as follows: CSRF attackers steal your identity and send malicious requests on your behalf. For example, using you to send emails, send messages, steal you, delete your personal information, buy goods, pretend to be virtual currency or bank transfers.

All in all, it will cause personal privacy leakage and property loss.

There are two conditions for launching a CSRF attack: the user logs in to the target site, and the browser retains the user's login state; The user opened a third-party site.

Attackers use the login state to launch CSRF attacks, and cookies are the key data to maintain the login state, so you can find ways to prevent CSRF attacks on cookies.

Defend against CSRF attacks:

Captcha is an effective way to defend against CSRF attacks. The principle is that each operation asks the user to enter a verification code.

CSRF attacks are to construct network requests in the attacker's attack site, and then trigger them without the user's knowledge, while forcing the verification code to let the user know what is currently being operated, so as to achieve the purpose of prevention.

But there is a problem with this method, that is, each operation forces the user to enter a verification code, so the user experience is not good, so it is not commonly used, and can only be used as an auxiliary means of prevention.

At present, there are three main strategies to defend against CSRF attacks: validating the HttpReferer field; Add a token to the request address and verify it. Customize the attribute in the HTTP header and verify.

1) Verify the httpreferrer field According to the HTTP protocol, there is a field called referer in the HTTP header, which records the ** address of the HTTP request. In the case of Tongliangpai, the request to access a security restricted page comes from the same **, for example, the user who needs to access must log in first, and then click the button on the page to trigger the transfer event. In this case, the referer value of the transfer request will be the URL of the page where the transfer button is located, usually the address at the beginning of the domain name.

And if a hacker wants to carry out a CSRF attack on the bank, he can only construct a request in his own **, and when the user sends a request to the bank through the hacker's **, the referer of the request is directed to the hacker's own **. (2) The reason why the CSRF attack can be successful by adding a token to the request address and verifying it is that the hacker can completely fake the user's request, and all the user verification information in the request is present in the cookie, so the hacker can directly use the user's own cookie to pass the security verification without knowing the verification information. The key to defending against CSRF is to include information in the request that hackers cannot falsify and that does not exist in the cookie.

3) Customize the attribute in the HTTP header and verify this method is also to use the token and verify, unlike the previous method, here is not to put the token in the form of a parameter in the HTTP request, but to put it into the custom attribute in the HTTP header. With the XMLhttpRequest class, you can add the CSRFToken HTTP header attribute to all requests at once, and put the token value into it. This solves the inconvenience of adding a token to the request in the previous method, and at the same time, the address requested through xmlhttprequest will not be recorded in the address bar of the browser, and it is not respectful that the token will be leaked to other ** through the referer.

CSRF Attack Principle 1User C opens the browser, accesses Trusted **a, enters the username and password to request login**a; 2.After the user information is verified, **a generates cookie information and returns it to the browser, at this time, the user logs in **a successfully, and can send a request to **a normally; 3.

Before the user exits **a, open a tab page in the same browser to visit **b; 4.Upon receiving the user request, it returns some aggressiveness and issues a request to access third-party site a;

Defending against XSS attacks requires the following principles:

When inserting untrusted data between HTML tags, HTML Entity encoding is used on that data.

When inserting untrusted data into HTML attributes, encode the HTML attributes.

When untrusted data is inserted into the script, the data is script-encoded.

When inserting untrusted data into the style attribute, CSS encode the data.

When inserting trusted data into the HTML URL, the data is URL encoded.

When using rich text, the XSS rule engine is used for encoding filtering.

XSS attacks, known as Cross Site Scripting, are not confused with the abbreviation Cascading Style Sheets (CSS), which is a type of computer security that is often used in web applications.

CSRF attack, the full name is "cross-site request forgery", the Chinese name is cross-site request forgery, also known as "one click".

attack" or "session riding", often abbreviated as csrf or xsrf, is a malicious exploit of **.

XSS mainly exploits trusted users within the site, while CSRF exploits trusted users by disguising themselves to the requests of trusted users. CSRF is more dangerous than XSS.

Harm of CSRF attacks.

The main harm comes from attackers stealing user identities and sending malicious requests. For example, simulate users to send emails, send messages, and make payments, transfers, etc.

How to defend against CSRF attacks.

1. Important data interaction is received by post, of course, post is not omnipotent, and a form can be cracked by forging a form.

2. Using the verification code, as long as it involves data interaction, the verification code will be carried out first, and this method family can completely solve the CSRF.

3. For the sake of user experience, the verification code cannot be added to all operations, so the verification code can only be used as an auxiliary means, not as the main solution.

5. Add a token token to each form and verify it. Trillion comodal.

Filter for ** containing js, there are such files on the Internet.