防止伪造跨站请求的小招式
伪造跨站请求介绍
伪造跨站请求比较难以防范,而且危害巨大,攻击者可以通过这种方式恶作剧,发spam信息,删除数据等等。这种攻击常见的表现形式有:
伪造链接,引诱用户点击,或是让用户在不知情的情况下访问
伪造表单,引诱用户提交。表单可以是隐藏的,用图片或链接的形式伪装。
比较常见而且也很廉价的防范手段是在所有可能涉及用户写操作的表单中加入一个随机且变换频繁的字符串,然后在处理表单的时候对这个字符串进行检查。这个随机字符串如果和当前用户身份相关联的话,那么攻击者伪造请求会比较麻烦。
yahoo对付伪造跨站请求的办法是在表单里加入一个叫.crumb的随机串;而facebook也有类似的解决办法,它的表单里常常会有post_form_id和fb_dtsg。
随机串代码实现
咱们按照这个思路,山寨一个crumb的实现,代码如下:
class Crumb {
CONST SALT = "your-secret-salt";
static $ttl = 7200;
static public function challenge($data) {
return hash_hmac('md5', $data, self::SALT);
}
static public function issueCrumb($uid, $action = -1) {
$i = ceil(time() / self::$ttl);
return substr(self::challenge($i . $action . $uid), -12, 10);
}
static public function verifyCrumb($uid, $crumb, $action = -1) {
$i = ceil(time() / self::$ttl);
if(substr(self::challenge($i . $action . $uid), -12, 10) == $crumb
substr(self::challenge(($i - 1) . $action . $uid), -12, 10) == $crumb)
return true;
return false;
}
}
代码中的$uid表示用户唯一标识,而$ttl表示这个随机串的有效时间。
应用示例
构造表单
在表单中插入一个隐藏的随机串crumb
处理表单 demo.php
对crumb进行检查
if(Crumb::verifyCrumb($uid, $_POST['crumb'])) {
//按照正常流程处理表单
} else {
//crumb校验失败,错误提示流程
}
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Where can I check the uid of Tomato Novel?
Feb 28, 2024 pm 04:25 PM
When using the Tomato Novel software, log in to your account so that you can enjoy more personalized services and convenience. After logging in to your account, you can also view your UID (Unique User Identifier), which is very important information. Sometimes this uid is very important, so where can you view your UID in Tomato Novels? Users who want to know, please follow this article to learn more about the viewing steps! Where to check the answer of Tomato Novel uid: [Tomato Novel] - [My] - [Feedback and Help] - [Feedback] - [Click 5 times]. Specific steps: 1. First open the Tomato Novel software. After entering the home page, we need to click [My] in the lower right corner; 2. Then in the My page, we slide to the page
DJI Osmo Action 5 Pro: Release date mooted as retailer reveals launch pricing that could undercut GoPro Hero 13 Black
Sep 04, 2024 am 06:51 AM
DJI has not confirmed any plans to introduce a new action camera yet. Instead, it seems that GoPro will get ahead of its rival this year, having teased that it will introduce two new action cameras on September 4. For context, these are expected to a
One-line command to find all real users in Linux
Feb 18, 2024 pm 05:50 PM
Hello everyone, I am Xianyu. Friends who have been exposed to Linux all know that there are three types of users in Linux (or Unix-like): Super user (UID 0): the root user, who has the highest permissions. System user (UID 1~999): System built-in user, used to run system services and daemon processes. Ordinary user (UID 1000~60000): Created to allow users to use Linux system resources. The account created by the user is generally an ordinary account. So now the question is, how to quickly find out the real users (root users and ordinary users) in Linux? Before we officially start, we first introduce a tool-getent. getent
Learn more about how to view Linux user UID and GID
Mar 20, 2024 pm 12:06 PM
User UID and GID are numerical identifiers used to identify users and groups in Linux systems. When using a Linux system, we often need to view the user's UID and GID in order to manage user and file permissions. This article will provide an in-depth introduction to the various ways to view user UID and GID in Linux systems, and attach specific code examples. 1. Check the user UID and GID through the command. Check the UID and GID of the current user: id. After running the above command, the system will display the UID, GID and GID of the current user.
php提交表单通过后,弹出的对话框怎样在当前页弹出,该如何解决
Jun 13, 2016 am 10:23 AM
php提交表单通过后,弹出的对话框怎样在当前页弹出php提交表单通过后,弹出的对话框怎样在当前页弹出而不是在空白页弹出?想实现这样的效果:而不是空白页弹出:------解决方案--------------------如果你的验证用PHP在后端,那么就用Ajax;仅供参考:HTML code
Is UID an account number?
Mar 02, 2023 pm 12:01 PM
UID is not an account number, but the abbreviation of User Identification. It is a value automatically generated by the system when registering on the network platform. After a UID user registers on the network platform, the system will automatically give you a UID value, which means giving this name User assigns a number.
Linux Commands: Tips to View User UID and GID
Mar 20, 2024 pm 12:33 PM
The Linux operating system is a widely used open source operating system that provides users with a wealth of command line tools to allow users to manage the system more easily. In a Linux system, each user has a unique user identifier (UserID, UID) and a group identifier (GroupID, GID). Understanding the user's UID and GID is very important for system management and file permission management. This article will introduce several techniques for viewing the user's UID and GID to better manage the Linux system.
Insta360 Go 3S: New pocketable 4K action camera released weighing just 39 g with Apple Find My support
Jun 14, 2024 pm 06:05 PM
Insta360hasreleasedanewactioncamera,itssecondoftheyearaftertheInsta360X4(curr.$499.99onAmazon).Asexpected,thecompanyhasintroducedtheGo3S,anupgradedthatGo3thatadds4Kvideorecordingcapabilities.Specifically,whileInst
