2025-01-17 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article mainly introduces how Django (Python) prevents CSRF cross-site attacks. In daily operation, many people have doubts about how Django performs CSRF protection. The editor consulted all kinds of materials and sorted out simple and easy-to-use methods of operation, in the hope that it helps answer the question "how to prevent CSRF cross-site attacks in Python Django". Next, please follow the editor to study!
I. introduction to CSRF
What is CSRF?
CSRF (Cross-site request forgery), Chinese name: cross-site request forgery, also known as one-click attack or session riding, abbreviated as CSRF or XSRF.
What can CSRF do?
You can understand a CSRF attack this way: the attacker borrows your identity (the browser's logged-in session) and sends malicious requests in your name. The things CSRF can do include sending emails or messages in your name, taking over your account, and even buying goods or transferring virtual currency. The resulting problems include disclosure of personal privacy and loss of property security.
Status of CSRF vulnerabilities?
CSRF was first described by foreign security researchers in 2000, but in China it did not receive attention until 2006. In 2008, CSRF vulnerabilities were exposed in many large communities and interactive websites at home and abroad, such as NYTimes.com (New York Times), Metafilter (a large blog site), YouTube and Baidu HI. Today many sites on the Internet are still so defenseless that the security industry calls CSRF a "sleeping giant".
II. CSRF (Web form submission)
Setting the CSRF tag inside a web form effectively prevents CSRF cross-site attacks (see figure below):

```html
{% csrf_token %}
```

If the form does not set it, the request is rejected when the page is submitted (as shown below).

In fact, there are several ways to deal with the rejected request. One is to remove the CSRF middleware from the configuration file (settings.py), so that pages that were rejected can be accessed successfully, but the risk is very great: every view in the project loses its protection. For security reasons, this is not recommended.

Another way is to add the decorator (@csrf_exempt) to a view in the view layer to achieve partial non-detection. In other words, even if you do not add the CSRF tag to the web form, as long as the view carries the decorator, the page can be accessed successfully. It should be noted that only the view with the decorator is exempted; all other views without the decorator are still checked.
III. CSRF (Web form submission) experiment
Then let's demonstrate it in code based on what we said above:
First, configure a child route in the urls.py file under the app:

```python
from django.urls import path
from App import views

urlpatterns = [
    # csrf test
    path('register/', views.register, name='register'),
]
```

Next, write the view function:

```python
from django.shortcuts import render


def register(request):
    if request.method == "POST":  # if the request is a POST request
        username = request.POST.get('username')  # get username
        password = request.POST.get('password')  # get password
        print(username, password)  # print username, password
    return render(request, 'register.html')  # render the template and return the content of register.html
```
Web form (no csrf tag set); the field names match what the view reads from request.POST:

```html
<form method="post">
    Registered user name: <input type="text" name="username">
    Password: <input type="password" name="password">
    <button type="submit">Register</button>
</form>
```
After starting the service (python manage.py runserver 8090) and submitting the form on the web page, the words "access prohibited" (Django's 403 Forbidden page) are displayed.

So next we set the csrf tag in the web form:

```html
<!DOCTYPE html>
<html>
<head>
    <title>Register</title>
</head>
<body>
<form method="post">
    {# prevent cross-site attacks #}
    {% csrf_token %}
    username: <input type="text" name="username">
    Password: <input type="password" name="password">
    <button type="submit">Register</button>
</form>
</body>
</html>
```

Then visit the web page again: the user name and password can now be submitted normally, and the rendered form contains a hidden csrfmiddlewaretoken field holding a pseudo-random value.
CSRF attacks come from the web's implicit authentication mechanism: the browser automatically attaches the session cookie to every request to the site. Although this mechanism can guarantee that a request comes from a user's browser, it cannot guarantee that the request was intended by the user!

The idea of the CSRF defense mechanism is that by embedding a pseudo-random value in the client page (one a cross-site attacker cannot read) and requiring it on every state-changing request, a more effective cross-site attack defense can be achieved.
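To show why the hidden value protects the form, here is an added example (not code from the original article or from Django itself): a small pure-Python model of the mask-and-cipher scheme Django's CSRF middleware uses, where the cookie holds a secret and each rendered form gets a differently masked token that still unmasks to that secret. The alphabet, lengths and function names are assumptions of this example.

```python
import hmac
import secrets
import string

# Constructed model of Django-style CSRF tokens (assumption: same alphabet and lengths as Django).
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH


def get_new_csrf_string():
    """Random secret that would live in the csrftoken cookie (or the session)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def mask_cipher_secret(secret):
    """Build the per-render value for the hidden csrfmiddlewaretoken field.
    A fresh random mask is prepended and each secret char is shifted by the
    matching mask char, so every render carries a different-looking token."""
    mask = get_new_csrf_string()
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in secret), (chars.index(x) for x in mask))
    cipher = "".join(chars[(x + y) % len(chars)] for x, y in pairs)
    return mask + cipher


def unmask_cipher_token(token):
    """Inverse of mask_cipher_secret: recover the secret from a masked token."""
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    chars = CSRF_ALLOWED_CHARS
    pairs = zip((chars.index(x) for x in cipher), (chars.index(x) for x in mask))
    return "".join(chars[(x - y) % len(chars)] for x, y in pairs)


def csrf_check(cookie_secret, form_token):
    """Middleware-style decision for a POST: 200 when the submitted token
    unmasks to the cookie secret, otherwise 403 (the 'access prohibited' page)."""
    if (cookie_secret is None or form_token is None
            or len(form_token) != CSRF_TOKEN_LENGTH
            or any(c not in CSRF_ALLOWED_CHARS for c in form_token)):
        return 403
    # constant-time comparison so the check does not leak the secret via timing
    if hmac.compare_digest(unmask_cipher_token(form_token), cookie_secret):
        return 200
    return 403
```

A request that carries the cookie but no form field (the situation on the form without the tag) fails, and so does a token issued for a different user's secret, which is why a cross-site page cannot forge one.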
IV. CSRF (ajax submission)
For ajax submission, you need to add the following to the html:

1. reference jquery
2. add the tag to prevent cross-site attacks
3. add a button that triggers the ajax submission
4. add the ajax code

```html
<!DOCTYPE html>
<html>
<head>
    <title>Register</title>
    {# 1 reference jquery (the path is an assumption; use your project's copy) #}
    <script src="/static/jquery.min.js"></script>
</head>
<body>
<form method="post">
    {# 2 tag to prevent cross-site attacks #}
    {% csrf_token %}
    username: <input type="text" name="username">
    Password: <input type="password" name="password">
    {# 3 button that triggers the ajax submission #}
    <button id="button" type="button">Register</button>
</form>
{# 4 ajax #}
<script>
    $("#button").click(function () {
        var username = $("[name='username']").val();
        var password = $("[name='password']").val();
        // the first hidden input is the csrfmiddlewaretoken rendered by {% csrf_token %}
        var csrf = $("[type='hidden']").val();
        console.log(username, password, csrf);
        {# $.post("/register/") #}
    });
</script>
</body>
</html>
```
After visiting the web page, enter the user name and password, open the browser's developer tools, and the console will display the entered user name, password and the hidden pseudo-random token.

Continue to add the following to the html:

5. post submission

```html
<!DOCTYPE html>
<html>
<head>
    <title>Register</title>
    {# 1 reference jquery (the path is an assumption; use your project's copy) #}
    <script src="/static/jquery.min.js"></script>
</head>
<body>
<form method="post">
    {# 2 tag to prevent cross-site attacks #}
    {% csrf_token %}
    username: <input type="text" name="username">
    Password: <input type="password" name="password">
    {# 3 button that triggers the ajax submission #}
    <button id="button" type="button">Register</button>
</form>
{# 4 ajax #}
<script>
    $("#button").click(function () {
        var username = $("[name='username']").val();
        var password = $("[name='password']").val();
        var csrf = $("[type='hidden']").val();
        console.log(username, password, csrf);
        {# 5 post submit: $.post("address", {parameters}, function (return value) {}) #}
        $.post("/user/register/",
            {'username': username, 'password': password, 'csrfmiddlewaretoken': csrf},
            function (data) {
                console.log(data);  // the view's JSON reply, e.g. {'code': 1}
            });
    });
</script>
</body>
</html>
```
Add the following code to the view layer to return a response to the ajax request:

```python
from django.http import JsonResponse
from django.shortcuts import render
from django.views.decorators.csrf import csrf_exempt


# partial prohibition: uncomment the decorator to exempt only this view from the CSRF check
# @csrf_exempt
def register(request):
    if request.method == "POST":
        username = request.POST.get('username')
        password = request.POST.get('password')
        print(username, password)
        # return the ajax request
        return JsonResponse({'code': 1})  # {'code': 1} is a custom value
    return render(request, 'register.html')
```
Finally, visit the web page: the ajax request succeeds and the return value {'code': 1} is received by the callback.

At this point, the study of "how Python Django prevents CSRF cross-site attacks" is at an end. I hope it has resolved your doubts. Combining theory with practice helps you learn better, so go and try it! If you want to continue to learn more related knowledge, please continue to follow the website; the editor will keep working hard to bring you more practical articles!