New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

csrf 是什么？如何防范？ #156

Open

sisterAn opened this issue Mar 9, 2021 · 2 comments

Labels

Owner

sisterAn commented Mar 9, 2021

No description provided.

sisterAn added the 虾皮 label

LXFengGithub commented Mar 10, 2021

CSRF(跨站请求伪装）：通过伪装来自受信任用户的请求
举例子：瓶子老师的webapp音乐请求数据就是利用CSRF跨站请求伪装来获取QQ音乐的数据
防范：在客服端页面增加伪随机数，通过验证码

boyan1010 commented Mar 10, 2021

跨站请求伪造，利用用户登陆状态，通过第三方站点发送请求。

用户保持登陆状态
服务器存在csrf漏洞
第三方站点发起请求
防护：
cookie的Samesite字段，控制第三方站点发起的请求携带本站点cookie信息：Strict、Lax、None
服务器校验请求来源：Origin及Referer字段，Origin只返回域名信息
CSRF Token：服务器下发csrf token，插入页面，用户发起请求时携带token。第三方站点无法获取token。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment