CSRF&ClickJacking of WEB Security

2025-03-31 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

1. CSRF

CSRF stands for Cross-Site Request Forgery: forging a request to one site from another site.

1. The browser's cookie policy

Many forged requests pass server-side verification simply because the user's browser sends its cookie along with them.

Browsers hold two kinds of cookie: the "Session Cookie", also called a "temporary Cookie", and the "Third-party Cookie", also called a "local Cookie".

The difference is that for a Third-party Cookie the server specifies an Expire time in Set-Cookie, and the cookie stays valid until that time, so it is saved locally; a Session Cookie has no Expire time, so it becomes invalid once the browser is closed.

While a browser process is running, once a site has set a Session Cookie, that cookie stays valid for the lifetime of the browser process, even if the browser opens a new Tab. The Session Cookie is kept in the browser process's memory, while the Third-party Cookie is saved on local disk.

If a page in one domain loads resources from another domain, some browsers block the sending of the Third-party Cookie for security reasons.

The following example demonstrates this:

In http://www.a.com/cookie.php, two cookies are written to the browser: a Session Cookie and a Third-party Cookie.

Visiting this page shows the browser receiving both cookies (Direction: Received, the first time they arrive).

Then open a new browser Tab and visit a different page in the same domain. Because the new Tab is in the same browser process, the Session Cookie is sent (Direction: Sent, the second request to the server).

Now a page in another domain, http://www.b.com/csrf-test.html, constructs a CSRF request to www.a.com.

At this point, I found that only the Session Cookie (Cookie:123) could be sent, and the Third-party Cookie was prohibited.

This is because IE, for security reasons, forbids the browser from sending the Third-party Cookie in tags that load cross-domain resources, whereas Firefox allows the Third-party Cookie to be sent.

Among current mainstream browsers, those that block the Third-party Cookie by default are IE and Safari; those that do not block it are Firefox, Opera, Chrome, Android and so on.

2. Side effects of the P3P header

The P3P header is a privacy standard developed by the W3C; its full name is The Platform for Privacy Preferences.

If the HTTP headers the site returns to the browser include a P3P header, the browser will, to some extent, be allowed to send the Third-party Cookie, even in IE.

3. Defending against CSRF

3.1 CAPTCHA

CAPTCHA is considered the most concise and effective defense against CSRF attacks. It forces the user to interact with the application to complete the final request. But CAPTCHA is not a cure-all: for the sake of user experience, it is impossible to require CAPTCHA input for every request.

3.2 Referer Check

The most common use of Referer is to prevent image hotlinking. Likewise, a Referer Check can be used to verify whether a request comes from a legitimate "source".

The drawback of the Referer Check is that the Referer is not always available to the server. Under many privacy-related conditions, sending the Referer is restricted.

3.3 Anti CSRF Token

The industry's long-standing defense today is to use a Token.

The essential reason CSRF succeeds is that all the important parameters can be guessed. An attacker can construct a forged request only by predicting all of the URL's parameters and their values; otherwise the attack cannot succeed.

2. ClickJacking

ClickJacking is a visual deception. The attacker covers a web page with a transparent, invisible iframe and then lures the user into operating on that page.

Common forms are: Flash click hijacking, image-overlay attacks, drag-and-drop hijacking with data theft, and touch-screen hijacking.

Defenses:

1. Frame busting

Usually you can write a piece of JavaScript that prevents the page from being nested in an iframe. This method is called frame busting.

2. X-Frame-Options

X-Frame-Options can be said to have been created specifically to solve ClickJacking. It has three optional values:

DENY: the browser refuses to render the current page inside any frame.

SAMEORIGIN: the current page may only be framed by pages under the same-origin domain.

ALLOW-FROM origin: specifies the address of the page that is allowed to frame the current page.

Besides X-Frame-Options, Firefox's "Content Security Policy" and Firefox's NoScript extension can also defend against ClickJacking.
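The two defenses listed above (frame busting and X-Frame-Options), as an added example that is not taken from the article: `frameBust` is the JavaScript a page would run on load, written over a window-like object so it can also run in Node, and `frameAllowed` models the browser's decision for the three header values. The `win` object shape and the origin strings are assumptions.

```javascript
// Added example (not from the original article). In a real page you would
// call frameBust(window) on load; here `win` is a constructed window-like
// object so the logic can be exercised outside a browser.

// Frame busting: a page that finds itself nested in a frame tries to replace
// the top-level document with itself. Returns true when it was framed.
function frameBust(win) {
  if (win.top === win.self) return false;     // not framed, nothing to do
  try {
    win.top.location = win.self.location;     // break out of the frame
  } catch (e) {
    // a cross-origin top window may refuse the assignment; hide the page
    // body instead so there is nothing for the user to click on
    win.document.body.style.display = "none";
  }
  return true;
}

// X-Frame-Options: decide, as the browser does, whether a page whose response
// carried `headerValue` may be rendered inside a frame whose top-level
// document has origin `topOrigin`. Origins are strings like "https://www.a.com".
function frameAllowed(headerValue, pageOrigin, topOrigin) {
  if (!headerValue) return true;              // no header: browser renders it
  const parts = headerValue.trim().split(/\s+/);
  switch (parts[0].toUpperCase()) {
    case "DENY":
      return false;                           // never framed
    case "SAMEORIGIN":
      return pageOrigin === topOrigin;        // only framed by its own origin
    case "ALLOW-FROM":
      if (parts.length !== 2) return false;   // directive without an origin
      try {
        return new URL(parts[1]).origin === topOrigin;
      } catch (e) {
        return false;                         // malformed origin: reject
      }
    default:
      return true;                            // unrecognized value is ignored
  }
}
```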
