什么是CSRF令牌？它的重要性是什么，它如何工作？ [英] What is a CSRF token ? What is its importance and how does it work?

问题描述

好吧，我正在编写一个Django应用程序，我只想知道一个csrf令牌是什么，以及它如何保护数据。如果您不使用csrf令牌，帖子数据是否不安全？

我知道如何使用csrf_token，但我只需要一些信息如何工作。

解决方案

以简单的单词进行跨站点请求伪造（CSRF）

假设您目前正在以登录您的网上银行。www.mybank.com

• 假设从 mybank.com 将导致（概念）的请求（ http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount =< SomeAmount> 。 （您的帐号不需要，因为您的登录信息是暗示的。）


• 您访问 www.cute-cat-pictures.org ，不知道它是一个恶意网站。


• 如果该网站的所有者知道上述请求的形式（easy！），并正确猜测您已登录到 mybank.com （需要一些运气！），他们可以在他们的页面上包含一个请求，如 http://www.mybank.com/transfer?to=123456 ; amount = 10000 （其中 123456 是其开曼群岛帐户的数量， 10000 是你以前认为你很高兴拥有的金额）。


• cute-cat-pictures.org 页面，所以您的浏览器将会提出请求。


• 银行无法如何认识到请求不是由您做出的：您的网络浏览器将发送请求以及您的 www.mybank.com cookie，它将看起来完全合法即有你的钱！

这是没有CSRF标记的世界 。

现在更好的一个 与 CSRF令牌：

• 转移请求被扩展为第三个参数： http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971 。


• 这个标记是一个巨大的，不可能猜到的随机数， c $ c> mybank.com 将包含在自己的网页上服务于你每次向任何人提供任何页面时，它是不同的。


• 攻击者无法猜测该令牌，无法说服您的网络浏览器投降它（如果浏览器正常工作...），因此攻击者将不能可以创建有效的请求，因为具有错误令牌（或不存在令牌）的请求将被拒绝 www.mybank.com 。

结果：你保持你的 10000 货币单位。我建议你把一些捐赠给维基百科。

（你的里程可能会有所不同）

Okay guys, I am writing a Django application and I just want an idea of what actually a csrf token is and how it protects the data. Is the post data not safe if you do not use csrf tokens?

I know how to use csrf_token but I just need some information how it works.

解决方案

Cross-Site Request Forgery (CSRF) in simple words

• Assume you are currently logged into your online banking at www.mybank.com
• Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
• You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
• If the owner of that site knows the form of the above request (easy!) and correctly guesses you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
• You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
• There is no way how your bank could recognize that the request was not made by you: Your web browser will send the request along with your www.mybank.com cookie and it will look perfectly legitimate. There goes your money!

This is the world without CSRF tokens.

Now for the better one with CSRF tokens:

• The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
• That token is a huge, impossible-to-guess random number that mybank.com will include on their own web page when they serve it to you. It is different each time they serve any page to anybody.
• The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly...), and so the attacker will not be able to create a valid request, because requests with the wrong token (or no token) will be refused by www.mybank.com.

Result: You keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.

(Your mileage may vary.)

这篇关于什么是CSRF令牌？它的重要性是什么，它如何工作？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！