CSRF | About CSRF attacks and how to defend: thinking it through
Posted by l0cm
About CSRF:
CSRF (Cross-site request forgery): most security people know CSRF and what it looks like; it resembles XSS, but it is considered more dangerous than XSS.
Developer Eyes:
As a developer, you must know the CSRF request methods. They are roughly divided into POST and GET types.
About POST request types:
Scenario: paying money to buy a computer.
Look at a URL such as xxx.xxx.xxx/buy.php?id=xxx. If an attacker finds the CSRF flaw, they construct an HTML POC that submits the POST request automatically:
```html
<form method="POST" action="xxx.xxx.xxx/buy.php?id=xxx" enctype="multipart/form-data">
    <input type="hidden" name="money" value="xxx"/>
    .....
</form>
<script>
    document.forms[0].submit();
</script>
```
About GET request types:
Scenario: paying money to buy a computer.
The shop returns a URL such as: xxx.xxx.xxx/buy.php?id=xxx&submit_id=1&money=199&user=test
How do you defend against CSRF in the development environment?
In general there are three methods, for example validating a token, validating the Referer, and a return code, but a site like PayPal will also validate the cookie or session. Some sites will reject requests that carry no Origin header.
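The checks just listed, as an added example that is not part of the original post: a per-session synchronizer token placed in the form, a Referer check, and a hard rejection of requests with no Origin header. The site origin, the header and form dictionaries and the sample requests are all constructed for the example; the forged request mirrors the auto-submitting POC above, which carries the victim's cookie but neither the hidden token nor a same-site Origin.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Hypothetical shop origin; a real deployment configures its own.
SITE_ORIGIN = "https://shop.example"


def issue_csrf_token(session: dict) -> str:
    """Create a per-session synchronizer token and store it server-side.

    The same value is embedded as a hidden field in every legitimate form;
    a cross-site page cannot read it, so it cannot forge a matching request.
    """
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_of(url: str) -> str:
    """Reduce an Origin or Referer value to scheme://host[:port]."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}"


def verify_csrf(session: dict, headers: dict, form: dict) -> tuple:
    """Apply the three checks to one state-changing request.

    Returns (accepted, reason) and stops at the first failing check.
    """
    # 1. Origin: absent means reject, as the post notes some sites do.
    origin = headers.get("Origin")
    if origin is None:
        return False, "missing Origin header"
    if _origin_of(origin) != SITE_ORIGIN:
        return False, "cross-site Origin"

    # 2. Referer: optional, but if present it must point back at this site.
    referer = headers.get("Referer")
    if referer is not None and _origin_of(referer) != SITE_ORIGIN:
        return False, "cross-site Referer"

    # 3. Token: hidden field must equal the session token (constant-time compare).
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing CSRF token"
    return True, "ok"


def demo() -> dict:
    """Run one legitimate purchase request and one forged request (constructed)."""
    session = {}
    token = issue_csrf_token(session)
    legit = verify_csrf(
        session,
        {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/buy.php?id=1"},
        {"money": "199", "csrf_token": token},
    )
    # Forged POST from a cross-site page: same session cookie, attacker's
    # Origin/Referer, and no way to know the hidden token.
    forged = verify_csrf(
        session,
        {"Origin": "https://evil.example", "Referer": "https://evil.example/poc.html"},
        {"money": "199"},
    )
    return {"legit": legit, "forged": forged}


if __name__ == "__main__":
    print(demo())
```

Note that the token check is the one that works on its own: Referer may be stripped by browsers or proxies, which is why it is only enforced when present, and Origin is sent consistently only for cross-origin and POST-style requests. For the GET scenario above the best fix is not to perform the purchase on a GET at all, since a URL that changes state can be triggered by any embedded link or image.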
How does an attacker find and use CSRF?
Under certain conditions, while testing we can find exposed values and test some URL requests, trying different user names to test whether the CSRF is effective.
End
This is the "defense think deeply" part; later I will write about using CSRF and about exposed bugs.