This is the second day of my participation in Gwen Challenge

Recently I wanted to understand how CSRF works, so I read a few articles and got a rough grasp of it. This article is my attempt to organize and review what I learned.

Introduction to CSRF

Let’s start with MDN’s definition of CSRF:

Cross Site Request Forgery (CSRF) is an attack method that impersonates a trusted user to send unexpected requests to the server.

Put simply, in a CSRF attack the attacker causes a request to be sent to the back end, carrying the user’s cookie, without the user knowing about it. The back end recognizes the cookie, takes the attacker’s request to be the user’s own, and so the request succeeds.

CSRF attack flow

Let me illustrate this with a picture

Main process:

  1. First, the user logs in to website A; after a successful login a cookie is generated and stored in the browser.
  2. Through some action, website A opens the dangerous website B. Website B then sends a request to website A’s (dangerous) interface, and the browser attaches website A’s cookie to that request.
  3. Cookie authentication succeeds: the server takes the request as the user’s own, the request goes through, and the attack has achieved its purpose.

Defense mechanism

From the flow above, authenticating a user by cookie alone is not secure. So any defense has to start with the cookie.

SameSite

Google added a new attribute to cookies, SameSite, which is mainly used to restrict third-party cookies; in other words, it can stop the dangerous website B from using website A’s cookies.

There are three possible values:

  1. Strict

Strict mode completely restricts third-party cookies: the cookie is never sent from a cross-site context, unless the newly opened site is the same site as the cookie’s own site. One downside: if I follow an external link to the site, I have to log in again even though I was logged in before, which hurts the experience.

  2. Lax

Lax mode: in most cross-site cases the cookie is not sent, except when opening a link that is a GET request (such as a GET form or an <a> link).

Chrome 80 and above uses this value as the default.

  3. None

No restriction at all: third parties can use the cookie, but it must also set the Secure attribute (HTTPS access only).
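To make the three values concrete, here is an added example (not code from the original post) that models the browser's decision about whether to attach website A's cookie to a request, based on the cookie's SameSite and Secure attributes. The sites https://a.example and https://b.example, the request paths, and the simplified "site" computation (last two host labels instead of the Public Suffix List) are assumptions made for the example.

```javascript
// Added example: a simplified model of how a browser decides whether to attach
// a cookie, depending on its SameSite and Secure attributes. "Site" is
// approximated as the last two host labels; real browsers use the Public
// Suffix List and also compare the scheme (schemeful same-site).

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

function registrableDomain(hostname) {
  // Simplification: take the last two labels, so www.a.example -> a.example
  return hostname.split('.').slice(-2).join('.');
}

function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// cookie:  { site, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure }
// request: { url, method, initiatorSite, topLevelNavigation }
// Returns true if the modelled browser would attach the cookie.
function cookieWouldBeSent(cookie, request) {
  const reqUrl = new URL(request.url);
  // A cookie only ever goes back to the site that set it.
  if (siteOf(request.url) !== cookie.site) return false;
  // A Secure cookie is never sent over plain http.
  if (cookie.secure && reqUrl.protocol !== 'https:') return false;
  // Same-site request (a page on website A calling website A): always sent.
  if (request.initiatorSite === cookie.site) return true;

  // Cross-site request: the SameSite attribute decides. Chrome 80+ treats a
  // cookie without the attribute as Lax.
  const mode = cookie.sameSite || 'Lax';
  switch (mode) {
    case 'Strict':
      return false;
    case 'Lax':
      // Only a top-level navigation with a safe method (clicking a link,
      // submitting a GET form) carries the cookie.
      return Boolean(request.topLevelNavigation) &&
        SAFE_METHODS.has(request.method.toUpperCase());
    case 'None':
      // SameSite=None is only accepted together with Secure; without it the
      // cookie is rejected when set, so it is never sent.
      return Boolean(cookie.secure);
    default:
      return false;
  }
}

// Scenarios from the post: a page on the dangerous website B fires a POST at
// website A's interface; a user clicks a plain link from B to A; and A's own
// page calls A's interface.
function scenarios() {
  const siteA = 'https://a.example';
  const siteB = 'https://b.example';
  const forgedPost = { url: `${siteA}/api/action`, method: 'POST', initiatorSite: siteB, topLevelNavigation: false };
  const linkClick = { url: `${siteA}/page`, method: 'GET', initiatorSite: siteB, topLevelNavigation: true };
  const firstParty = { url: `${siteA}/api/action`, method: 'POST', initiatorSite: siteA, topLevelNavigation: false };
  const mk = (sameSite, secure = true) => ({ site: siteA, sameSite, secure });
  return {
    strictForgedPost: cookieWouldBeSent(mk('Strict'), forgedPost),
    strictLinkClick: cookieWouldBeSent(mk('Strict'), linkClick),
    laxForgedPost: cookieWouldBeSent(mk('Lax'), forgedPost),
    laxLinkClick: cookieWouldBeSent(mk('Lax'), linkClick),
    defaultForgedPost: cookieWouldBeSent(mk(undefined), forgedPost),
    noneSecureForgedPost: cookieWouldBeSent(mk('None'), forgedPost),
    noneInsecureForgedPost: cookieWouldBeSent(mk('None', false), forgedPost),
    strictFirstParty: cookieWouldBeSent(mk('Strict'), firstParty),
  };
}
```

Running `scenarios()` shows the trade-off described above: Strict blocks the forged POST but also drops the cookie on the ordinary link click (hence the re-login), Lax blocks the forged POST while still sending the cookie on the link click, and None sends it in every case as long as the cookie is Secure.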

Same-origin check

The Origin and Referer request headers can be used to determine where a request came from. Only when the source matches our own site is the request processed.
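Here is an added example (not code from the original post) of that check on the server side: the Origin header is compared against an allow-list of our own origins, with Referer as the fallback when Origin is absent. The allowed origin https://a.example and the sample requests are constructed for the example; header names are lower-case, as Node's http module provides them.

```javascript
// Added example: server-side source check on the Origin / Referer headers.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function sourceIsAllowed(headers, allowedOrigins) {
  const origin = headers['origin'];
  if (origin !== undefined) {
    // "null" is sent for sandboxed frames, data: URLs and some redirects:
    // we cannot tell who sent the request, so it is not trusted.
    return origin !== 'null' && allowedOrigins.has(origin);
  }
  const referer = headers['referer'];
  if (referer !== undefined) {
    try {
      // Compare the parsed origin (scheme + host + port), never a substring
      // of the string: "https://a.example.b.example/" must not pass as a.example.
      return allowedOrigins.has(new URL(referer).origin);
    } catch (e) {
      return false; // unparsable Referer
    }
  }
  // Neither header present: the source cannot be established, so a
  // state-changing request is refused.
  return false;
}

// Apply the check only to requests that change state; plain reads are let
// through (this assumes GET handlers have no side effects).
function shouldProcess(req, allowedOrigins) {
  if (SAFE_METHODS.has(req.method.toUpperCase())) return true;
  return sourceIsAllowed(req.headers, allowedOrigins);
}

// Constructed sample requests arriving at website A (https://a.example).
function sourceCheckDemo() {
  const allowed = new Set(['https://a.example']);
  return {
    ownPage: shouldProcess({ method: 'POST', headers: { origin: 'https://a.example' } }, allowed),
    fromSiteB: shouldProcess({ method: 'POST', headers: { origin: 'https://b.example' } }, allowed),
    nullOrigin: shouldProcess({ method: 'POST', headers: { origin: 'null' } }, allowed),
    refererOnly: shouldProcess({ method: 'POST', headers: { referer: 'https://a.example/form?x=1' } }, allowed),
    lookalikeReferer: shouldProcess({ method: 'POST', headers: { referer: 'https://a.example.b.example/' } }, allowed),
    noHeaders: shouldProcess({ method: 'POST', headers: {} }, allowed),
    plainGet: shouldProcess({ method: 'GET', headers: {} }, allowed),
  };
}
```

The two points worth remembering from this check: compare whole origins rather than looking for your domain as a substring, and decide explicitly what to do when neither header is present (here the request is refused, since browsers and privacy extensions sometimes strip Referer).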

Token authentication

We can also defend against CSRF by adding token validation. The server generates a token; the client stores it (but not in a cookie) and carries it along with each request, and the back end validates the token on the server.

Verification code

When submitting a request, we require the user to enter a verification code before the submission goes through. Since a third party cannot read the verification code shown on the current page, this also prevents the attack, but the experience is not great (because every request requires entering a code).

There are other defenses as well (such as cookie two-factor authentication, etc.), but I’ll only cover the common ones here.

Conclusion

This is my summary of an introductory understanding of CSRF. Although we are front-end developers (commonly known as page boys, just kidding) and may not always come into contact with security issues, we should still understand them, because the knowledge may come in handy one day.