2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
How do you work through the CSRF levels in DVWA? Many people who are new to it are at a loss. This article therefore summarizes the causes of the problem and its solutions, and I hope it helps you work through it.
CSRF: Cross-Site Request Forgery
Like XSS, CSRF is highly dangerous. You can understand it this way:
The attacker steals your identity and sends a malicious request in your name. To the server the request is perfectly legitimate, but it completes an operation the attacker wants, such as sending e-mails and messages in your name, stealing your account, adding system administrators, or even purchasing goods and transferring virtual currency. In the description below, Web A is a website with a CSRF vulnerability, Web B is a malicious website built by an attacker, and User C is a legitimate user of Web A.
The principle and process of CSRF attack are as follows:
1. User C opens a browser, visits trusted website A, and enters a user name and password to request login to website A.
2. After the user's credentials have been verified, site A generates Cookie information and returns it to the browser. The user has now logged in to site A successfully and can send requests to site A normally.
3. Before logging out of site A, the user opens a new tab in the same browser and visits site B.
4. After receiving the user's request, website B returns some attack code that issues a request to the third-party site A.
5. After receiving this attack code, the browser, as instructed by website B, sends a request to website A that carries the Cookie information, without the user's knowledge. Site A does not know that the request was actually initiated by B, so it processes the request with user C's privileges according to user C's Cookie information, and the malicious code from site B is carried out.
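The five steps above, seen from site A's side, as an added example that is not part of the original article: a handler that trusts the cookie alone accepts the request triggered by site B, while one that also requires a per-session token rejects it. All names here (`SESSIONS`, `sid`, `csrf_token`, `new_password`, the handler functions) are assumptions made for illustration.

```python
import hmac
import secrets

# Constructed server-side session store for site A: cookie value -> session data.
SESSIONS = {}

def login(user):
    """Steps 1-2: site A verifies user C and issues a session cookie plus a CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_hex(16), "password": "old"}
    return sid

def change_password_cookie_only(cookies, form):
    """Weak handler: the cookie alone authorises the change, which is what step 5 relies on."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 403
    session["password"] = form["new_password"]
    return 200

def change_password_with_token(cookies, form):
    """Hardened handler: the form must also carry the token bound to this session."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return 403
    if not hmac.compare_digest(form.get("csrf_token", ""), session["csrf"]):
        return 403  # cookie present but token missing or wrong: likely cross-site
    session["password"] = form["new_password"]
    return 200

def simulate():
    sid = login("userC")
    cookies = {"sid": sid}  # the browser attaches this to every request to site A
    # Request triggered by a page on site B: the cookie rides along, but B cannot read A's token.
    cross_site = {"new_password": "chosen-by-B"}
    # Request from site A's own form, which embeds the token.
    same_site = {"new_password": "chosen-by-C", "csrf_token": SESSIONS[sid]["csrf"]}
    out = {"weak_cross_site": change_password_cookie_only(cookies, cross_site)}
    out["after_weak"] = SESSIONS[sid]["password"]
    SESSIONS[sid]["password"] = "old"  # reset before testing the hardened handler
    out["hardened_cross_site"] = change_password_with_token(cookies, cross_site)
    out["after_hardened_cross"] = SESSIONS[sid]["password"]
    out["hardened_same_site"] = change_password_with_token(cookies, same_site)
    out["after_hardened_same"] = SESSIONS[sid]["password"]
    return out

if __name__ == "__main__":
    print(simulate())
```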
The difference from XSS:
XSS works by modifying the page's JavaScript and other code that is sent to the user in order to steal cookie information, and then uses the cookie to log in to the website and perform other operations. The illegitimate operation is carried out by the hacker.
CSRF does not steal cookie information; it operates through the user's own direct use of the cookie. The illegitimate operation is carried out not by the hacker but by the user themselves.
1. Low level