
How to effectively resist CSRF attacks

2025-01-17 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

Today I would like to talk about how to effectively resist CSRF attacks, a topic many people know little about. To make it easier to follow, the editor has summarized the essentials below; I hope you get something out of this article.

Nowadays most of us shop online. What many people do not know is that many e-commerce websites have security vulnerabilities. For example, Dark Cloud (WooYun) reported CSRF flaws in the websites of many companies in China. If a website has a flaw of this kind, an attacker can have our browser perform actions on our behalf while we shop, up to and including moving money out of our accounts. Isn't that a little chilling?

First, we need to be clear about what CSRF is. Its full name is Cross-Site Request Forgery, which in Chinese is rendered as "跨站请求伪造", and it is a malicious exploitation of a website. Put simply: a malicious website gets your browser to perform actions on a site you are logged in to, without your knowledge, such as sending messages, buying things, or even transferring money.

This sounds a bit like cross-site scripting (XSS), but CSRF is very different from XSS, and the attack mechanism is almost the opposite. XSS exploits the trust a user has in a site (the browser runs script the site serves), while CSRF exploits the trust a site has in the user's browser, by sending requests that look like they came from the legitimate user. CSRF is discussed far less often than XSS, so there are fewer resources on defending against it. Yet an attack that rides on an already trusted session is harder to spot and to block, which is why some consider it more dangerous than XSS.

What exactly is this process? Let's look at a simple and vivid case.

Bank website A completes transfers with a GET request, such as:

http://www.mybank.com/Transfer.php?toBankId=11&money=1000

Dangerous website B contains a piece of HTML that makes any visitor's browser fetch that URL as if it were an ordinary resource, for example an image tag whose source is the transfer URL (the markup itself did not survive on this page; this is its standard form):

<img src="http://www.mybank.com/Transfer.php?toBankId=11&money=1000">

What could happen? After you log in to bank website A and then visit dangerous website B, you suddenly find that your bank account is 1000 yuan short.

What causes it? Before visiting dangerous website B, you had already logged in to bank website A. The page on B asks for a resource from a third party, the bank, using a GET request (loading a resource from another site is ordinarily legitimate, but here it is abused), and your browser attaches the cookies it holds for bank website A when it issues that GET request to fetch the "resource":

"http://www.mybank.com/Transfer.php?toBankId=11&money=1000"

As a result, after receiving the request, the bank website server thought it was a reasonable transfer operation and transferred the money immediately.

In reality, a banking website would not be quite this careless, but switching from GET to POST only makes the attacker's job slightly harder. Dangerous website B can embed a hidden form pointing at the bank and auto-submit it with JavaScript; the browser still attaches the bank's cookies to that POST. This is why cases of customers' funds being stolen still turn up from time to time.

Many readers will be breaking into a cold sweat at this point. Does that mean we cannot enjoy online shopping during "Double 11"? Is there no way to prevent it?

Of course there is. You can patch your website. One option is Cookie Hashing (every form carries the same pseudo-random value, tied to the session). This is probably the simplest fix: in theory an attacker cannot read a third party's cookie, so it cannot construct form data that passes the check. It is not a perfect solution, though, because if the site also has an XSS vulnerability the user's cookie can be stolen and the value recovered. Another option is a CAPTCHA: every submission requires the user to type a random string shown in an image. This defeats CSRF, since the attacker cannot supply the answer, but the user experience is painful (far too much hassle). The third is One-Time Tokens (each form carries a different pseudo-random value that is valid once). This requires designing token generation and session management, and modifying every web form, which is a burden on the people who build and operate the site.
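To make the two points above concrete (that cookie-only authentication is forged just as easily with POST as with GET, and how a one-time token stops it), here is an added example in Python that is not part of the original article. It models bank website A in memory; the PHP endpoint, the origin https://www.mybank.com, the attacker origin http://evil.example and the in-memory session stores are all assumptions for illustration. The browser's behaviour is simulated by attaching the victim's cookie to every request, which is exactly what a real browser does for requests started by another site.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed, in-memory model of bank website A from the article. Nothing
# here talks to a real server; the point is how the server decides whether
# to trust a request that arrives carrying a valid session cookie.
BANK_ORIGIN = "https://www.mybank.com"   # assumed origin of site A
SESSIONS = {}       # session cookie value -> account id
BALANCES = {}       # account id -> balance
CSRF_TOKENS = {}    # session cookie value -> set of unused one-time tokens


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)   # attached by the browser
    params: dict = field(default_factory=dict)    # query string or form body
    headers: dict = field(default_factory=dict)


def login(account, balance):
    """Create a session; returns the cookie value the browser will store."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = account
    BALANCES[account] = balance
    CSRF_TOKENS[sid] = set()
    return sid


def transfer_vulnerable(req):
    """Transfer.php as the article describes it: a valid session cookie is
    the only check, so any request the victim's browser sends is honoured,
    whichever site built it and whether it is GET or POST."""
    account = SESSIONS.get(req.cookies.get("session"))
    if account is None:
        return 401, "not logged in"
    amount = int(req.params["money"])
    BALANCES[account] -= amount
    return 200, "transferred %d to %s" % (amount, req.params["toBankId"])


def issue_csrf_token(sid):
    """One-time token: generated when the bank renders its own transfer form
    and embedded in a hidden field. Site B cannot read the bank's page
    (same-origin policy), so it cannot copy the token into a forged form."""
    token = secrets.token_urlsafe(16)
    CSRF_TOKENS[sid].add(token)
    return token


def transfer_hardened(req):
    """Same endpoint with the checks the article lists: POST only, Origin
    must be the bank whenever the browser sends it, and a valid one-time
    token that is consumed on use."""
    sid = req.cookies.get("session")
    account = SESSIONS.get(sid)
    if account is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "state-changing requests must be POST"
    origin = req.headers.get("Origin")
    if origin is not None and origin != BANK_ORIGIN:
        return 403, "cross-site request rejected"
    supplied = req.params.get("csrf_token", "")
    # Constant-time comparison against every unused token for this session.
    matched = [t for t in CSRF_TOKENS[sid] if hmac.compare_digest(t, supplied)]
    if not matched:
        return 403, "missing or invalid CSRF token"
    CSRF_TOKENS[sid].discard(matched[0])   # one-time: a replay is rejected
    amount = int(req.params["money"])
    BALANCES[account] -= amount
    return 200, "transferred %d to %s" % (amount, req.params["toBankId"])


def demo():
    """Replays the article's scenario; returns status codes and balances."""
    sid = login("victim", 5000)
    browser_cookies = {"session": sid}          # victim is logged in to A
    transfer = {"toBankId": "11", "money": "1000"}

    # Requests built by dangerous website B and sent by the victim's browser.
    # The browser attaches A's cookie; B supplies everything else.
    forged_get = Request("GET", "/Transfer.php", browser_cookies, dict(transfer),
                         {"Referer": "http://evil.example/"})
    forged_post = Request("POST", "/Transfer.php", browser_cookies, dict(transfer),
                          {"Origin": "http://evil.example"})

    results = {}
    results["vuln_get"] = transfer_vulnerable(forged_get)[0]
    results["vuln_post"] = transfer_vulnerable(forged_post)[0]  # POST alone does not help
    results["after_attack"] = BALANCES["victim"]
    results["hard_forged"] = transfer_hardened(forged_post)[0]

    # Legitimate submission from the bank's own form, which carries the token.
    token = issue_csrf_token(sid)
    legit = Request("POST", "/Transfer.php", browser_cookies,
                    dict(transfer, csrf_token=token), {"Origin": BANK_ORIGIN})
    results["legit"] = transfer_hardened(legit)[0]
    results["replay"] = transfer_hardened(legit)[0]   # same token a second time
    results["final"] = BALANCES["victim"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running `demo()` shows both forged requests succeeding against the cookie-only endpoint (balance 5000 to 3000), the same forged POST rejected by the hardened endpoint, the bank's own form accepted once, and the replay of that form rejected because the token was consumed. The Origin check is a second layer rather than the primary control: browsers attach `Origin` to cross-site POSTs, but a token that the attacker's origin cannot read is what makes the forged request fail even when the header is absent.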

All of the above methods require changing the website and then spending considerable effort on testing. Some people think of a firewall instead, so is there a product that fits? In the past year the concept of RASP (Runtime Application Self-Protection) has emerged and attracted attention from many enterprises. Unlike a traditional firewall, which is a passive shield outside the application, a RASP agent runs inside the application itself, so it can see the context of each request and identify and block attacks deep within the application logic, and it can take on that protection without the website being patched. It is worth trying.

Here, then, is a recommendation for this newer approach, RASP (Runtime Application Self-Protection), which can address this class of problem. For the CSRF case, RASP ships a rule set and protection classes, then uses Java bytecode instrumentation to rewrite the application classes that handle requests according to those rules, weaving the protection logic into them before the class is loaded into the virtual machine. You might as well give it a try.

At the time of writing, OneASP was the only vendor offering RASP as a service in China. To address the above problems quickly and at minimal cost, you only need to modify the JVM startup configuration and run the application. The product makes the attack process visible: through its console you can see when an attack occurred, which module and which line of code it hit, and what type of attack it was. It can also help mitigate vulnerabilities quickly, since deploying OneRASP alongside the application blocks known attack patterns without a long scan-fix-scan cycle, and its rules are updated continuously to shorten the window of exposure to newly published vulnerabilities.

Of course, OneRASP on its own is not foolproof. The best approach is to combine OneRASP with network security measures, application security scanning and testing, and other protective systems to form a layered, multi-level defense. New kinds of attacks appear all the time, and relying on any single technology to secure an application is unwise. OneRASP serves as the last line of defense inside the application. It can raise the security level of an application quickly, even without a dedicated security engineer on staff, and helps keep your business out of the headlines as the next security victim.

OneRASP (Runtime Application Self-Protection) is a cloud-backed application self-protection service that provides real-time protection for software products against exploitation of their vulnerabilities.

After reading the above, do you have any further understanding of how to effectively resist CSRF attacks? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.
