What is CSRF?

Let's start with a story (the story is entirely fictional; anyone who imitates it maliciously bears the consequences):

Xiao Gu had recently been cheated out of everything he owned by telecom fraud, so he decided to take revenge on society. After frantically clicking "not helpful" 800 times and "report" 1,000 times on Zhihu, he decided to do something serious and pull off a scheme to make some money.
"Many video sites have a gift-giving feature. If everyone sent me a gift and I resold them, wouldn't I get rich?" Xiao Gu mused.
No sooner said than done. After some poking around and testing, Xiao Gu found that the video site's gift-sending endpoint was:

https://xxxx.com/gift/send?target=someone&giftId=ab231

, meaning that as long as a logged-in user requests this address, the user named someone receives gift ab231.
So how could he get other users to request this endpoint? Actually, all it takes is a click. "Seduction is the best trap." Recalling how he himself had been scammed, Xiao Gu sleazily typed out a line: "Everything you want is in here, tonight you won't sleep~~ Jirengu, the friendliest front-end learning community", and replied with it in every group chat.
After a day of waiting, a few people took the bait, but far fewer than expected. "Is there a more automatic way, so that users who merely see it are hooked even without clicking?" Xiao Gu went through the site's features one by one, and suddenly his eyes lit up: the comment editor allowed inserting images by external link. "If I put this URL in as the image, an img tag will be created in the comment section with this address as its src. When a user opens the page the img loads automatically, which means the request gets sent, so everyone who opens the page gives me a gift whether or not they click the link. Perfect!" Xiao Gu marveled at his own cleverness.
Another day passed and, sure enough, a steady stream of gifts arrived. Now Xiao Gu started to worry a little: the gifts were all small, but every gift leaves a history record, and users who looked at their history would surely get suspicious. Could he delete the gift record for them? Testing showed that the endpoint for deleting a gift record was

https://xxxx.com/gift/deleteRecord

, the request type was POST, and the request parameters were { giftId: "ab231" }. A user cannot unknowingly send a POST request just by clicking a link, so what now? Xiao Gu built a page (the script and iframe tags were lost when the post was extracted and are restored here; the hidden giftId input carries the parameter described above):

    Haha, just a joke, don't be mad~
    <form action="https://xxxx.com/gift/deleteRecord" id="form" method="post" target="hiddenIframe">
      <input type="hidden" name="giftId" value="ab231">
    </form>
    <iframe name="hiddenIframe" style="display:none"></iframe>
    <script>
      document.getElementById('form').submit();
      location.href = "http://xxxx.com";
    </script>

When a user clicks through to this page, it automatically sends the POST request and then redirects to the site's home page. So the user has both given a gift and deleted the gift record without knowing it. With the job done, Xiao Gu bought an ad bot and spammed every major forum....

A week later, the police 👮 came knocking. Knock 🕳🕳

Xiao Gu's attack flow above is a typical CSRF (Cross Site Request Forgery) attack. The principle: the attacker constructs the request URL of some functional endpoint on the site's back end and either lures the user into clicking it or uses a trick to have the URL loaded automatically. Because the user is logged in, the server accepts the request and mistakes it for a legitimate action by that user. GET endpoints are trivially attackable, and POST endpoints are not 100% safe either: the attacker can lure the user onto a page containing a form that submits the parameters via POST.

What happened next...

The xxxx video site kept receiving user reports of gifts mysteriously disappearing. Investigation found that an attacker was exploiting CSRF. After reporting to the police, the company quickly had Xiao Ji from its security department fix the vulnerability.

Xiao Ji combed through all of the company's site endpoints and found that many had this problem, so an anti-csrf-token scheme was adopted. The specific scheme:

  1. When the server receives a route request, it generates a random number and, when rendering the requested page, embeds it in the page (usually inside the form).
  2. The server sets a cookie (setCookie) to plant the random number in the user's browser as a cookie or session value.
  3. When the user sends a GET or POST request, it carries the _csrf_token parameter (a form can simply be submitted as-is, since all inputs in the current form, including _csrf_token, are sent to the back end automatically).
  4. On receiving the request, the back end parses the request's cookie to obtain the _csrf_token value and compares it with the _csrf_token submitted in the request; if they are equal, the request is legitimate.

(The screenshot above shows the actual setup of a certain e-commerce site. Here the token set on the page and the token set in the session are not directly equal, but md5('1474357164624') === '4bd4e512b0fbd9357150649adadedd4e', which is still easy for the back end to compute.)

The security department's lead looked over Xiao Ji's scheme: "Great scheme, but a few points need attention":

  1. Keep the token in the session. If the token is kept in a cookie and the user has many pages open, then once the token is consumed on some pages a new token is planted, but the HTML of those older tabs still holds the old token. Users will wonder why a page they opened a few minutes ago can no longer be submitted.
  2. Use GET as little as possible. If an attacker uploads an image to our site, then when users load the image they are actually sending a request to the attacker's server, and that request carries a Referer giving the URL of the page the image sits on. If the endpoint uses GET, that URL looks like:
     https://xxxx.com/gift?giftId=aabbcc&_csrf_token=xxxxx
     which means the attacker has obtained the _csrf_token and can use it for a short while to operate other GET endpoints.

"You'll drive this project. Put in some overtime tonight and try to get it done in the next two days~"

Author: 若愚. Want to learn front-end? Join the group

