CSRF stands for Cross-Site Request Forgery. At first glance it looks similar to XSS, but the principle is the opposite: XSS runs attacker-controlled script in a legitimate user's browser to steal that user's information, while CSRF makes the legitimate user's browser send a request the attacker chose, so the server treats the attacker's request as the user's own.

In XSS harm: session hijacking, we described how sessions work. After the user logs in, the server stores the login state, and the browser keeps a session ID in a cookie. As long as the user does not close the browser or log out, every request the browser sends within the session's validity period carries that cookie, so the server treats it as coming from the logged-in user. If the user is tricked into opening a malicious URL in that same browser, the page can make the browser send requests the user never intended, and the server will still process them as the current user's own. Depending on the user's permissions this can expose personal data or money, and an administrator account can put the whole site at risk.

CSRF principle

The principle of CSRF is very simple: a user who is logged in to a site and opens a malicious URL in the same browser can be attacked. Some readers will think this is hard to pull off because both conditions must hold at once. In practice it is easy. For example, while using QQ or browsing QQ Zone, a chat window suddenly pops up with a link to a lottery or a questionnaire (or something similar). Tencent has taken precautions, but the same content also arrives by email, and many users will still choose to click it.

I found a picture on the Internet that really illustrates the process

Simple example

In a forum's management pages, the administrator can delete a post from the list.php page; the post to delete is identified by the id in the URL, for example

http://localhost/list.php?action=delete&id=12

If a malicious user sends the administrator an email containing a CSRF link and tricks the administrator into visiting test.com/csrf.php, that page can delete the post without the administrator noticing, as long as it contains an HTML element such as

<!-- the browser fetches src as a GET request and attaches the admin's localhost session cookie -->
<img alt="" src="http://localhost/list.php?action=delete&id=12"/>

This takes advantage of the fact that an img element's src triggers a cross-domain GET request, with the victim's cookies attached and no user interaction at all. It is less commonly exploitable this way because web sites should not use GET requests to modify resources; GET is meant to be a safe, read-only operation.

Upgrade

Is it safe for a website to use POST to modify information?

<?php
// list.php: reads the action and post id from the POST body.
// Nothing here checks that the request came from the site's own form.
$action = $_POST['action'];
$id = $_POST['id'];
delete($action, $id);
?>

But a malicious website can still attack it:

<!DOCTYPE html>
<html>
<body>
  <!-- hidden iframe the form posts into, so the victim sees no navigation -->
  <iframe name="csrf_frame" style="display:none"></iframe>
  <form id="csrf" method="post" action="http://localhost/list.php" target="csrf_frame">
    <input type="hidden" name="action" value="delete">
    <input type="hidden" name="id" value="12">
    <input type="submit"/>
  </form>
  <script>
    // submit automatically on load; the browser attaches the victim's localhost session cookie to the POST
    document.getElementById('csrf').submit();
  </script>
</body>
</html>

How to prevent


1. Use POST rather than GET for operations that modify information. This stops the img trick, but as the example above shows it is not sufficient on its own: a hidden form can be auto-submitted with POST just as easily.

2. Verification codes. Requiring a verification code (CAPTCHA) on every form submission blocks CSRF, but it is a nuisance for users, so it is usually reserved for key operations.

3. Pre-embed a secret value in the form (an anti-CSRF token) and verify it on submission to confirm the request was sent from this form. The token must be unpredictable and bound to the user's session; a page on another site cannot read it, because the same-origin policy prevents it from reading your site's responses, so the forged form above cannot include it.