What is a CSRF token? What is its importance and how does it work?
Problem description
Okay guys, I am writing a Django application and I just want an idea of what actually a CSRF token is and how it protects the data. Is the POST data not safe if you do not use CSRF tokens?
I know how to use csrf_token but I just need some information on how it works.
Solution
Cross-Site Request Forgery (CSRF) in simple words

- Assume you are currently logged into your online banking at www.mybank.com.
- Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
- You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
- If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
- You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
- There is no way your bank could recognize that the request was not made by you: your web browser will send the request along with your www.mybank.com cookie and it will look perfectly legitimate. There goes your money!

This is the world without CSRF tokens.

Now for the better one with CSRF tokens:

- The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
- That token is a huge, impossible-to-guess random number that mybank.com will include on their own web page when they serve it to you. It is different each time they serve any page to anybody.
- The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly...), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by www.mybank.com.

Result: You keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.

(Your mileage may vary.)
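To make the issue-and-verify cycle from the answer concrete, here is an added example (written for this page, not code from the answer or from Django) of the bank's side: a fresh token is minted on every render of the transfer form, remembered in the server-side session, and required on the POST; a request that carries only the session cookie, as a cross-site page would produce, is refused. The in-memory `SESSIONS` and `BALANCES` stores, the cookie value `sess-abc` and the function names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the bank's session store and
# ledger (example only). The cookie value maps to a logged-in session.
SESSIONS = {"sess-abc": {"user": "alice", "csrf_tokens": set()}}
BALANCES = {"alice": 10000}


def render_transfer_form(cookie: str) -> str:
    """Serve the transfer page: mint an unguessable token, remember it in the
    user's server-side session, and embed it in the form."""
    session = SESSIONS[cookie]
    token = secrets.token_hex(32)          # 256 random bits, new on every render
    session["csrf_tokens"].add(token)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def extract_token(html: str) -> str:
    """What the user's own browser does when it submits the served form. A page
    on another origin cannot read this HTML, so it never learns the token."""
    marker = 'name="token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]


def handle_transfer(cookie: str, form: dict) -> tuple[int, str]:
    """POST /transfer. The cookie arrives automatically with *any* request to
    the bank, so it proves the session but not the user's intent."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("token", "").encode()
    # Constant-time comparison against every outstanding token of this session.
    match = next((t for t in session["csrf_tokens"]
                  if hmac.compare_digest(t.encode(), submitted)), None)
    if match is None:
        return 403, "missing or invalid CSRF token"
    session["csrf_tokens"].discard(match)  # single use: a replayed token fails too
    BALANCES[session["user"]] -= int(form["amount"])
    return 200, f"transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    page = render_transfer_form("sess-abc")
    # Cross-site request: cookie present, token absent -> refused.
    print(handle_transfer("sess-abc", {"to": "123456", "amount": "10000"}))
    # Genuine submission of the served form -> accepted.
    print(handle_transfer("sess-abc", {"to": "654321", "amount": "100",
                                       "token": extract_token(page)}))
```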