CSRF Cross-Site Request Forgery: Cross-Site Request Forgery (CSRF) Mitigation with the Synchronizer Token Pattern

CSRF: Cross-Site Request Forgery

What is a CSRF Attack?

A Cross-Site Request Forgery, also known as CSRF, one-click attack or session riding, is a type of attack in which a website with malicious intent sends a request to a web application that the victim is already authenticated to. Because the victim's browser holds a valid session with the target site, the browser attaches the user's credentials and the target site processes the request as the user's own. This lets the attacker use the web application's functionality through the victim's already-authenticated browser.


How it Works

CSRF attack surfaces are usually HTTP requests that cause a change tied to the victim's account, for example: name, email address, website, or even password. Sometimes the attack is also used to change the authentication state. Whether it succeeds mainly depends on whether the target web application's user is still logged into the application through their browser.



For example, if a user visited an online banking website that had CSRF vulnerabilities and remained logged in, and another website he then visits carries a CSRF attack against that banking site, the attack would be executed as if he had performed the action himself. The malicious website could then profit from the online banking session, for instance by transferring money to another account and stealing all the money in his account.


These attacks are mostly used against web applications that deal with social media, in-browser email clients and online banking. They can result in damaged client relationships, unauthorized money transfers, changed passwords and data theft, including stolen session cookies.


Identifying the CSRF Vulnerability

The easiest way to tell whether a web application is exposed to a CSRF attack is to check whether every form and link that changes state carries an unpredictable token tied to the individual user; a form that can be submitted without such a token can be replayed from another site.


Methods of CSRF Prevention and Mitigation

There are many methods for preventing and mitigating these attacks. Prevention is a matter of safeguarding login credentials and denying unauthorized actors access to applications. To do that we can follow these practices:

• Logging off web applications when not in use
• Securing usernames and passwords
• Do not allo
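The synchronizer token pattern named in the title is the mitigation behind the "unpredictable token" check described above. The following is an added example, not code from the original article: a server-side token issued per session, embedded as a hidden form field, and verified on every state-changing POST. The session dictionary, the `/transfer` form and the handler are constructed for illustration.

```python
import hmac
import secrets
from html import escape

TOKEN_FIELD = "csrf_token"  # name of the hidden form field (assumed)


def issue_token(session: dict) -> str:
    """Create (or reuse) the per-session synchronizer token.

    The token is random, so a third-party site cannot guess it, and it is
    kept in server-side session state rather than in a cookie the browser
    would attach to a cross-site request on its own.
    """
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_transfer_form(session: dict, action: str = "/transfer") -> str:
    """Embed the session's token as a hidden field in a state-changing form."""
    token = issue_token(session)
    return (
        f'<form method="POST" action="{escape(action)}">'
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{escape(token)}">'
        '<input name="to_account"><input name="amount">'
        "<button>Transfer</button></form>"
    )


def validate_request(session: dict, form: dict) -> bool:
    """Accept a POST only if its token matches the one stored in the session.

    A cross-site submission rides the victim's session cookie but cannot
    read the page that contains the token, so it fails this check.
    """
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str) or not submitted:
        return False
    # Constant-time comparison so the token cannot be recovered by timing.
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(session: dict, form: dict) -> str:
    """Minimal handler: reject forged requests before touching account state."""
    if not validate_request(session, form):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: transferred {form['amount']} to account {form['to_account']}"
```

Run `render_transfer_form(session)` when serving the page and `handle_transfer(session, form)` on the POST; a submission that lacks the token, or carries one from a different session, is refused.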
