What is a CSRF attack?

Cross-site Request Forgery (CSRF): an attacker induces the victim to visit a third-party website, which sends a cross-site request to the attacked website. Because the victim has already logged in to the attacked website and holds its login credential, the request passes the site's user authentication and the attacker performs an operation on the attacked website in the victim's name.

An example of a CSRF attack

When programmer Little C was logged in and browsing the forum website a.com, an advertisement popped up about a hair transplant with no recovery period. It was so tempting for a programmer that Little C couldn't control himself and clicked on it. After clicking, C found that the page contained only one image that could not be loaded. Little C was very disappointed and closed the page, not knowing that this action had just carried out a CSRF attack.

There are two necessary conditions to implement a CSRF attack:

  • The user logs in to the attacked website, which returns a cookie that the browser saves
  • While still logged in, the user visits a third-party website (the attacker's website). The third-party website sends requests to the attacked website in the user's name and performs certain operations on the user's behalf

On a.com, deleting a post sends the request www.a.com:8002/content/del… ; for example, a request to www.c.com:8002/content/del… deletes the post with id 87343.

When Little C logged in to a.com, the server returned a cookie: res.setHeader('Set-Cookie', ['user=22333; Expires=Sat, 21 Jul 2018 00:00:00 GMT;']);

The attacker has now constructed a trap page that looks like this:

<p> Websites prepared by CSRF attackers: </p>

<img src="http://www.a.com:8002/content/delete/87343">

When Little C opens the trap page and the browser loads the picture, it automatically sends the request. Since this request goes to a.com, the browser attaches the cookies for the a.com domain (including the cookie holding the user's login information). At this point the attacker's website has deleted the post with ID 87343 on Little C's behalf.

And little C has no idea.

From the example above it can be seen that CSRF attacks are carried out through cookies. By luring the user to visit a third-party website, the attacker makes the user perform some operation; it is a passive attack.

The characteristics of CSRF

  • An attacker can only borrow the user's cookie identity, but cannot obtain the user's cookie
  • An attacker can only perform some operations, but cannot obtain the results of those operations
  • Attacks are generally launched from third-party websites, which the attacked website cannot prevent
  • Attacks can be carried out in a variety of ways: image URLs, hyperlinks, cross-origin requests (CORS), form submissions, and so on. Some of these requests can be embedded directly in third-party forums and articles, making them difficult to trace.

The CSRF protection

CSRF defenses can be divided into two categories:

  1. Block access from unknown external domains
     • Same-origin detection (Referer check)
     • SameSite cookies

  2. Require the request to carry additional information that only the site's own domain can obtain
     • CSRF token
     • Verification code (captcha)

1. Block access from unknown external domains

Same-origin detection (Referer check)

The HTTP request carries a Referer header, which indicates where the request came from. The Referer of every request a user initiates on the a.com website is a.com, while requests sent from third-party websites have a different Referer. Therefore, rejecting every request whose Referer is not a.com prevents CSRF attacks.

if (req.headers.referer !== 'http://www.c.com:8002/') { res.write('CSRF attacks'); return; }

The Referer check has another use: it prevents other sites from hotlinking your images on their own pages.

SameSite cookies

SameSite is a cookie attribute introduced by Chrome to improve web security. It marks a cookie as a first-party (same-site) cookie, meaning the browser does not attach it to third-party (cross-site) requests.

SameSite has two protective values, Strict and Lax (plus None, which turns the protection off):

Strict: Third-party cookies are not allowed. That is, cookies under the domain name of a.com are not allowed to be carried when you visit b.com

Lax: Only link jumps and GET form submissions can carry cookies; POST form submissions and cross-site asynchronous requests do not. This actually protects against most cross-site request forgery attacks.

None: third-party cookies are allowed

The default value of SameSite has changed from None to Lax, which improves web security to a certain extent and protects user privacy.

Changing the default value of SameSite to Lax greatly reduces CSRF attacks, but it does not prevent link-jump CSRF attacks (top-level GET navigations still carry the cookie). Setting SameSite to Strict avoids all CSRF attacks, but it makes sharing login state across subsystems inconvenient.

2. Require information that only the site's own domain can obtain

This approach works because an attacker can only make the browser send the user's cookie, but cannot read the cookie's actual contents. CSRF can be prevented by requiring the request to carry, in addition to the cookie (and not inside it), an extra value that the attacker cannot obtain.

  • CSRF Token

This method includes a randomly generated token in the request parameters and adds an interceptor on the server side that rejects the request if the token is missing or does not match.

  • Verification code

This also relies on information the attacker cannot obtain: only the real user can read the code and enter it, which verifies the user's identity.

Captchas are considered to be the simplest and most effective defense against CSRF attacks.

That is, adding a verification code to important user actions effectively defends against CSRF attacks. However, it is not advisable to add verification codes to every action on the website; they should be used where appropriate.

How users can protect themselves against CSRF

Try not to open suspicious links, and if you do, open them in an infrequently used browser.

Reference article:

github.com/dwqs/blog/i…
juejin.cn/post/684490…