What is CSRF Protection really for?


Question

I've been hearing about CSRF a long time ago, and the thing I hear most of the time is:


    Protecting against CSRF attacks is important so that someone doesn't submit your form automatically (using a bot or something)

Well, that isn't 100% true, is it?

I've been doing web scraping for about 3 years, and it is pretty straightforward to make a request, parse the csrftokenmiddleware field and POST it along with the other fields.

So is that really the case?

Accepted answer

Imagine an e-banking web application at banking.example.com with the following form to submit a transaction:

<form action="/transaction" method="post">
    <input type="text" name="beneficiary"/>
    <input type="text" name="amount"/>
    <input type="submit" value="Pay"/>
</form>

An attacker could now set up a website at hacker.net with the following:

<form action="https://banking.example.com/transaction" method="post" style="visibility:hidden">
    <input type="text" name="beneficiary" value="John Doe, Account No. 34-236326-1"/>
    <input type="text" name="amount" value="1000000"/>
    <input type="submit" value="Pay"/>
</form>
<script>
    document.forms[0].submit();
</script>

The attacker would then trick victims into visiting hacker.net, which will cause the victims' browsers to send a POST request to the e-banking application, making a large transaction to the hacker. This works because the victim's browser happily sends the session cookie along with the forged POST request to the e-banking application. If the form had been protected by a CSRF token, then the attacker could not have caused the victim's browser to send a valid POST request, and thus the attack would not be possible.

This type of attack is called a Cross-Site Request Forgery (CSRF) attack.

Incidentally, CSRF attacks are also the reason why people give the advice of never ever visiting other websites while being logged into an e-banking or other critical web application.

CSRF tokens do not protect a web form from being automatically submitted by regular authorized users as themselves. To protect from that, you'd use a CAPTCHA.
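The following is an added example, not part of the original question or answer, that puts the accepted answer's reasoning into running code. It models the banking.example.com transaction endpoint with a synchronizer token: the server issues a random token bound to the user's session, embeds it in the real form, and rejects any POST whose token does not match. The session store, `Session` class, `login`, `render_transaction_form`, `handle_transaction_post` and `demo` names are all constructed for this illustration and are not from any real framework. The demo drives three requests through the same handler: the legitimate form submission (token present, accepted), the auto-submitting form from hacker.net (the browser still attaches the cookie, but a cross-site page cannot read the token, so the request is rejected), and a request carrying a freshly guessed token (also rejected). It also shows why the questioner's observation holds: the token is only a secret with respect to other origins, so anything acting inside the logged-in user's own session can read it and pass the check.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the e-banking app's server-side session store,
# keyed by the value of the session cookie the browser sends back.
@dataclass
class Session:
    user: str
    csrf_token: str = ""
    transactions: List[Tuple[str, int]] = field(default_factory=list)

SESSIONS: Dict[str, Session] = {}

def login(user: str) -> str:
    """Create a session and return the cookie value the browser will store."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user=user)
    return cookie

def render_transaction_form(cookie: str) -> str:
    """GET /transaction: issue a CSRF token tied to this session and embed it
    in the page's own form, which only same-origin pages can read."""
    session = SESSIONS[cookie]
    if not session.csrf_token:
        session.csrf_token = secrets.token_urlsafe(32)
    return (
        '<form action="/transaction" method="post">\n'
        f'    <input type="hidden" name="csrf_token" value="{session.csrf_token}"/>\n'
        '    <input type="text" name="beneficiary"/>\n'
        '    <input type="text" name="amount"/>\n'
        '    <input type="submit" value="Pay"/>\n'
        '</form>'
    )

def handle_transaction_post(cookie: Optional[str], form: Dict[str, str]) -> Tuple[int, str]:
    """POST /transaction. The browser attaches the session cookie to every request,
    including ones built by hacker.net, so the cookie alone proves nothing about
    which page created the request. Only the token does."""
    session = SESSIONS.get(cookie or "")
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not session.csrf_token or not hmac.compare_digest(submitted, session.csrf_token):
        return 403, "CSRF token missing or invalid"
    session.transactions.append((form["beneficiary"], int(form["amount"])))
    return 200, "transaction accepted"

def extract_token(html: str) -> str:
    """Read the hidden token out of the rendered form. A page on banking.example.com
    (or a script running as the logged-in user) can do this; hacker.net cannot."""
    marker = 'name="csrf_token" value="'
    start = html.index(marker) + len(marker)
    return html[start:html.index('"', start)]

def demo() -> Dict[str, int]:
    """Run the legitimate, forged and guessed-token requests against one session."""
    cookie = login("victim")

    # 1. Legitimate flow: the browser loaded the real form, so it holds the token.
    token = extract_token(render_transaction_form(cookie))
    legit = handle_transaction_post(cookie, {"csrf_token": token, "beneficiary": "Jane", "amount": "50"})

    # 2. Forged flow: hacker.net's auto-submitting form from the answer. The browser
    #    sends the session cookie, but the cross-site page has no token to include.
    forged = handle_transaction_post(cookie, {"beneficiary": "John Doe, Account No. 34-236326-1",
                                              "amount": "1000000"})

    # 3. A token made up by the attacker: 256 random bits never match the session's token.
    guessed = handle_transaction_post(cookie, {"csrf_token": secrets.token_urlsafe(32),
                                               "beneficiary": "John Doe", "amount": "1000000"})

    return {"legit": legit[0], "forged": forged[0], "guessed": guessed[0],
            "accepted_transactions": len(SESSIONS[cookie].transactions)}

if __name__ == "__main__":
    print(demo())  # {'legit': 200, 'forged': 403, 'guessed': 403, 'accepted_transactions': 1}
```

Two design points worth noting. The token is compared with `hmac.compare_digest` rather than `==`, so a timing side channel cannot be used to recover it. And the check is deliberately independent of the cookie: the cookie identifies the session, the token proves the request was built from a page that could read the session's own form, and it is the second property that a cross-origin page lacks.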

