CSRF concept: CSRF (Cross-Site Request Forgery), like XSS, can do great harm. You can understand it like this:
An attacker steals your identity and sends a malicious request in your name. To the server the request is completely legitimate, but it carries out an operation the attacker wants: sending emails and messages in your name, taking over your account, adding system administrators, even purchasing goods or transferring virtual currency.
For example: Web A is a website with a CSRF vulnerability, Web B is a malicious website built by the attacker, and User C is a legitimate user of Web A.
Defense against CSRF attacks:
Currently there are three main strategies for defending against CSRF attacks: verifying the HTTP Referer field; adding a token to the request address and verifying it; and adding a custom attribute to the HTTP header and verifying it.
(1) Verify the HTTP Referer field
According to the HTTP protocol, the HTTP header contains a field called Referer that records the source address of the request. Under normal circumstances, a request for a security-restricted page comes from the same website. For example, to access http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory, the user must first log in to bank.example and then trigger the transfer by clicking a button on the page.
At that point the Referer of the transfer request is the URL of the page that holds the transfer button, normally an address under the bank.example domain. If a hacker wants to mount a CSRF attack against the bank's website, he can only construct the request on his own website, so when a user sends a request to the bank through the hacker's website, the request's Referer points to the hacker's own site.
Therefore, to defend against CSRF attacks, the bank website only needs to verify the Referer value of every transfer request. If it is a domain name starting with bank.example, the request came from the bank website itself and is legitimate. If the Referer is another website, it may be a CSRF attack by a hacker, and the request is rejected.
(2) Add token to the request address and verify
CSRF attacks succeed because the hacker can completely forge the user's request: all of the user's authentication information in the request lives in cookies, so the hacker can use the user's own cookies to pass the security check without knowing that information.
To resist CSRF, the key is to put information in the request that the hacker cannot forge and that does not exist in cookies.
You can add a randomly generated token to the HTTP request as a parameter and build an interceptor on the server side to verify it. If the request carries no token, or the token is incorrect, it is treated as a possible CSRF attack and rejected.
(3) Customize attributes in the HTTP header and verify
This method also uses a token and verifies it; the difference from the previous method is that the token is not placed in the HTTP request as a parameter but in a custom attribute of the HTTP header. Through the XMLHttpRequest class you can add a csrftoken HTTP header attribute to all requests of this type at once and put the token value into it. This removes the inconvenience of adding the token to every request in the previous method. At the same time, the address requested through XMLHttpRequest is not recorded in the browser's address bar, so there is no need to worry about the token leaking to other websites through the Referer.
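As an added example (not the article's code), here is a minimal PHP guard that combines the three strategies above: the Referer/Origin check from (1), a per-session token carried as a form parameter from (2), and the same token carried in a custom request header from (3). It assumes PHP sessions are in use, that the site's host name is passed in as $trustedHost, and that the custom header is named X-CSRF-Token; the Referer check compares the host exactly rather than by prefix, so a look-alike domain that merely starts with the trusted name is not accepted.

```php
<?php
// Added example, not the article's code: a small CSRF guard covering the
// Referer/Origin check, a token as a form parameter, and a token in a
// custom header. Assumes session_start() has already been called.
declare(strict_types=1);

function csrf_token(): string {
    // One random token per session: 32 bytes from the CSPRNG, hex-encoded.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_hidden_field(): string {
    // Strategy (2): embed the token in the form as a request parameter.
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

function referer_allowed(array $server, string $trustedHost): bool {
    // Strategy (1): accept only requests whose Origin (preferred) or Referer
    // names the trusted host exactly; a missing or malformed header fails.
    $source = $server['HTTP_ORIGIN'] ?? $server['HTTP_REFERER'] ?? '';
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $trustedHost) === 0;
}

function csrf_request_valid(array $server, array $post, string $trustedHost): bool {
    if (!referer_allowed($server, $trustedHost)) {
        return false;
    }
    // Strategy (3): token from the X-CSRF-Token header (assumed name, set by
    // XMLHttpRequest/fetch); otherwise strategy (2): token as a POST field.
    $supplied = $server['HTTP_X_CSRF_TOKEN'] ?? $post['csrf_token'] ?? '';
    if (!is_string($supplied) || $supplied === '') {
        return false;
    }
    // hash_equals compares in constant time, so the token is not leaked
    // through timing differences.
    return hash_equals(csrf_token(), $supplied);
}

// Usage on a state-changing endpoint:
// session_start();
// if ($_SERVER['REQUEST_METHOD'] === 'POST'
//     && !csrf_request_valid($_SERVER, $_POST, 'bank.example')) {
//     http_response_code(403);
//     exit('CSRF check failed');
// }
```

Rejecting a request with no Referer or Origin is the strict choice; since some browsers and proxies strip the Referer, the token checks are the primary defense and the header check is a supplement.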
The above is the full content of How to prevent CSRF attacks in PHP. For more information, please follow other related articles on the PHP Chinese website!