This article explains what CSRF is, what damage it can do, and how to defend against it. It is written for web developers who want a reference on the topic.
What is CSRF
Before looking at CSRF itself, two prerequisites need to be clear. First, there are many ways to verify that a user is logged in, and most websites today use sessions. Simply put, the session mechanism is that the server records the login state in a key-value store and puts only the key, the session id, into a cookie. Second, the browser automatically attaches the cookies it holds for a site to every HTTP(S) request it sends to that site. On each request the server reads the session id from the cookie, looks up the login state behind it, and uses that to check the user's permissions.
This is a useful feature in itself, but cookies are attached too liberally. Once a user has logged in to site A, a request to A that is triggered while the user is visiting site B still carries the user's A cookies, and therefore the user's login state on A. If B triggers such a request without the user's knowledge, the consequences can be serious. This is a cross-site request forgery, or CSRF. (Modern browsers narrow this behaviour with the cookie SameSite attribute, but a site must not rely on that alone.)
The dangers of CSRF
In short, a CSRF vulnerability exploits a weakness in the site's permission checks to send requests the user never intended, "impersonating" the user. The main attacks an attacker can carry out with CSRF are:
Tricking the victim into completing any state-changing operation the victim is allowed to perform, such as updating account details, completing a purchase, logging out, or even logging in (login CSRF)
Obtaining the user's private data (only where the response can be read cross-origin; see the worm example below)
Chaining with other vulnerabilities
CSRF worms
A CSRF worm, as the name implies, spreads like a worm: from one victim to ten, from ten to a hundred. For example, suppose a community site's private-message endpoint and its friend-list endpoint both have CSRF problems. An attacker can combine them into a worm: when a user visits a malicious page, the page obtains the user's friend list, then uses the private-message endpoint to send each friend a message pointing at the malicious page. As long as someone follows the link in that message, the worm keeps spreading, and the damage can be enormous. Note that the same-origin policy stops a forged request's response from being read by the attacker's page, so the friend-list step only works where the response is readable cross-origin (a JSONP endpoint, for instance) or with the help of another vulnerability; the message-sending step needs no response at all.
Defense Method
From the above, CSRF depends on two things: the browser automatically attaching cookies, and the request coming from another site. Each of these suggests a defense.
Check the Referer field
The HTTP Referer header indicates the page from which a request was made. By checking this header on the server, the site can tell whether a request was made from one of its own pages, and reject every request that was not, which defeats the cross-site half of CSRF.

```javascript
const { parse } = require('url');

module.exports = class extends think.Logic {
  indexAction() {
    // Referer as sent by the browser; an empty string when the header is absent
    const referrer = this.ctx.referrer();
    // Compare the host only (no scheme, path or query). parse('') yields host === null,
    // so a request without a Referer fails closed.
    const { host: referrerHost } = parse(referrer);
    if (referrerHost !== 'xxx') { // 'xxx' stands for the site's own host
      return this.fail('REFERRER_ERROR');
    }
  }
};
```

Again using ThinkJS as the example, a simple check in the Logic layer is enough. The method relies on the fact that page script cannot set the Referer header; the browser fills it in. Although simple, it becomes awkward when the site has several domain names or changes them often, and it has other limits. The browser may omit the header altogether (Referrer-Policy, privacy settings, some proxies), so the server has to decide whether a missing Referer is rejected; and the comparison must be against the whole host, never a substring, otherwise a host like xxx.attacker.example or a path or query that happens to contain the site's name slips through. The Origin header, which browsers send on cross-origin POST requests, can be checked in the same way and is the more reliable of the two.
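The following is an added, framework-independent version of the check, not code from the original article or from ThinkJS. It prefers the Origin header, falls back to Referer, fails closed when neither is present, and compares the full host against an allow-list so that look-alike hosts and URLs that merely contain the site's name are rejected. The allowed hosts and the header values in the comments are constructed for the example.

```javascript
// Added example: a fail-closed Origin/Referer check for state-changing requests.
// ALLOWED_HOSTS is an assumption standing in for the site's real host names.
const ALLOWED_HOSTS = new Set(['www.example.com', 'app.example.com']);

// Host (hostname plus any explicit port) of a URL-valued header, or null when the
// value is missing or does not parse as an absolute URL.
function hostOf(value) {
  if (typeof value !== 'string' || value === '') return null;
  try {
    return new URL(value).host;
  } catch {
    return null;
  }
}

// `headers` is a plain object with lower-cased header names.
// Origin is consulted first: browsers send it on cross-origin (and same-origin)
// POST/PUT/DELETE requests and it carries no path. Referer is the fallback.
// With neither header present the request is rejected (fail closed).
function isSameSiteRequest(headers) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // Browsers send the literal string "null" for opaque origins (sandboxed
    // frames, data: URLs); it must never be treated as trusted.
    if (origin === 'null') return false;
    const h = hostOf(origin);
    return h !== null && ALLOWED_HOSTS.has(h);
  }
  const h = hostOf(headers['referer']);
  return h !== null && ALLOWED_HOSTS.has(h);
}

// Example of use in a request handler (constructed request objects):
//   isSameSiteRequest({ origin: 'https://www.example.com' })                 -> true
//   isSameSiteRequest({ referer: 'https://www.example.com.evil.net/' })      -> false
//   isSameSiteRequest({})                                                    -> false
module.exports = { ALLOWED_HOSTS, hostOf, isSameSiteRequest };
```

Exact membership in the host set is what makes the look-alike cases fail: `www.example.com.evil.net` is a different host, and `https://evil.net/?next=https://www.example.com` has host `evil.net`. Whether a missing header should be rejected is a policy choice; this version rejects it, which is safer but may break legitimate clients that strip Referer and send no Origin.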
Token Verification
Since CSRF exploits the browser's automatic sending of cookies, the other line of defense is to stop relying on the cookie alone and to require, in addition, a random secret that the browser does not attach by itself. There are two common methods:
Random string (synchronizer token): the server generates an unguessable random string, ties it to the session, and embeds it in the page; every state-changing submission must include it, as a form parameter or a custom header, and the server compares it with the stored value. Because the attacker's page cannot read the token across origins, a forged request cannot carry the correct value and the server rejects it.
JWT: besides session login, JWT token login is becoming increasingly popular. The front end keeps the login token and sends it in a request header (typically Authorization) on every request, and the server verifies that header instead of a cookie. Because the browser does not add such a header on its own and the attacker cannot read the token, a forged request arrives without it and fails. This only holds if the server never accepts the token from a cookie as well; putting the JWT in a cookie brings the CSRF problem straight back, and keeping it in page storage exposes it to XSS instead, which is the trade-off being made. Besides JWT, OAuth and other header-carried token schemes behave the same way as far as CSRF is concerned.
The above is the detailed content of What is CSRF? The dangers of CSRF and how to defend against it. For more information, please follow other related articles on the PHP Chinese website!