1. What is CSRF?
Cross-site Request Forgery, also known as a one-click attack or session riding and usually abbreviated as CSRF or XSRF, is a method of hijacking a user into performing unintended actions on a web application they are currently logged in to.
2. Actual attack scenario
The following uses the transfer function of a bank website to explain the attack principle. Note: the URLs used here are fictitious.
1. Log in to the account
- The user logs in to the bank website, views their account information, and does not log out.
- Suppose the bank performs a transfer at the URL:
https://bank.example.com/withdraw?account=AccountName&amount=1000&for=PayeeName
2. Malicious links
- On another site, the user sees an enticing link and clicks on it.
- The page behind that link contains malicious markup: an image tag whose source is the transfer URL rather than a real image.
<img src="https://bank.example.com/withdraw?account=Alice&amount=1000&for=Badman" />
3. The attack is complete
- When the user opens the link, the browser tries to load the `<img>` element's src, which actually sends the transfer request.
- The computer, browser, IP address and login state from which the transfer request is sent are exactly the same as when the user logged in to the account. The bank's backend therefore treats it as the user's own operation, and if the request passes verification the money is transferred directly.
3. Preventing CSRF attacks
The server must verify every request and reject any request that fails verification; otherwise CSRF attacks can be carried out.
1. The first method: verification code
A numeric verification code is sent to the user's mobile phone, a graphical verification code (captcha) is shown to the user to solve, or the user is asked to re-enter the account password to authenticate the action.
2. The second method: token
- Token usage process:
  1. The server generates a CSRF token.
  2. The form submitted by the client (browser) contains the CSRF token.
  3. The server receives the CSRF token and verifies its validity.
- Principle description:
If the server does not enable CORS (cross-origin resource sharing), the attacker's cross-origin JavaScript request is rejected by the server, which prevents the CSRF attack.
- The csurf middleware is recommended for Node.js projects; see its documentation for details.
4. Reference documents
- How to prevent Cross-site Request Forgery (CSRF) attacks?