[Security] Cross-Site Request Forgery (CSRF)

It is related to the XSS discussed earlier, but the mechanism is different: in XSS the attacker's injected code runs on the vulnerable site itself, whereas in CSRF the attacker's page (loaded in the victim's browser) makes the browser send a request to the target site, and the browser attaches the victim's cookies for that site automatically.

For example, if the user has earlier logged in and made a transaction at http://bank.com/transfer.do and then visits another site that embeds the malicious code below, an extra transaction may be issued in the user's name.

<script>
// Runs on the attacker's page; the browser attaches the victim's bank.com
// cookies only if withCredentials is set. A PUT with a JSON body is not a
// CORS "simple request", so the browser sends a preflight first and only
// issues the PUT if bank.com's CORS headers allow this origin; a classic
// CSRF uses an auto-submitted <form method="POST">, which needs no preflight.
function put() {
	var x = new XMLHttpRequest();
	x.open("PUT", "http://bank.com/transfer.do", true);
	x.withCredentials = true;
	x.setRequestHeader("Content-Type", "application/json");
	x.send(JSON.stringify({"acct": "BOB", "amount": 100}));
}
</script>
<body onload="put()"></body>

To limit which sites may talk to the API, the server can send CORS headers that allow-list trusted origins. The value shown below is the weakest possible setting, not a whitelist: the wildcard allows every origin to read responses (and browsers refuse to combine it with Access-Control-Allow-Credentials: true, so it would not even work for a cookie-authenticated API).

Access-Control-Allow-Origin: *

A real allow-list echoes only a trusted origin, for example Access-Control-Allow-Origin: https://bank.com together with Vary: Origin. Keep in mind that CORS only controls whether a cross-origin script may read the response and whether preflighted requests (such as the JSON PUT above) are issued at all; a plain form POST is sent without any preflight, so CORS alone does not prevent CSRF.
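As an added example (not code from the original post), the following shows the server-side allow-list a bank API should use instead of the wildcard header above, and a check of which requests a browser preflights, which is why the JSON PUT in the example is stopped by CORS while a form POST is not. The trusted origin https://bank.com, the allow-list and the sample requests are constructed assumptions.

```javascript
// Added example: CORS allow-listing on the server, plus the preflight rule.
// Assumption: https://bank.com is the only trusted front-end origin.
const ALLOWED_ORIGINS = new Set(["https://bank.com"]);

// Build the CORS response headers for a request that carries an Origin header.
// Echo the origin only if it is on the allow-list. Never answer "*" on a
// cookie-authenticated endpoint: browsers reject "*" combined with
// Access-Control-Allow-Credentials: true, and it would let any origin read
// responses anyway.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return {}; // no CORS headers: the browser blocks the read / fails the preflight
  }
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": "GET, POST, PUT",
    "Access-Control-Allow-Headers": "Content-Type",
    "Vary": "Origin", // caches must not serve one origin's answer to another
  };
}

// CORS-safelisted methods and Content-Type values. A request using only these
// is a "simple request": the browser sends it WITHOUT a preflight, so the
// allow-list above never gets a chance to stop it (it only hides the response).
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Returns true if a browser would send a preflight OPTIONS before this request.
function needsPreflight(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === "content-type") {
      const mime = value.split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mime)) return true;
    } else if (!SIMPLE_HEADERS.has(n)) {
      return true; // any other custom header forces a preflight
    }
  }
  return false;
}

// Constructed sample requests: the page's JSON PUT versus a classic form POST.
const jsonPut = { method: "PUT", headers: { "Content-Type": "application/json" } };
const formPost = { method: "POST", headers: { "Content-Type": "application/x-www-form-urlencoded" } };
console.log("JSON PUT preflighted:", needsPreflight(jsonPut.method, jsonPut.headers));
console.log("form POST preflighted:", needsPreflight(formPost.method, formPost.headers));
console.log("headers for evil origin:", corsHeadersFor("https://evil.example"));
```

The JSON PUT is reported as preflighted, so with no CORS headers for the attacker's origin the browser never issues it; the form POST is not preflighted and goes through regardless of CORS, which is why the token defense below is still needed.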

Alternatively, use an anti-CSRF token. When the form is rendered, the server generates a random, unguessable token, stores it against the user's session, and embeds it in the form as a hidden field; when the form is submitted, the token travels with it, and the server compares the submitted value against the stored one and rejects the request if it is missing or does not match. A third-party page cannot read the token because of the same-origin policy, so it cannot produce a valid forged submission.


About C.H. Ling
A .NET / Java developer from Hong Kong, currently located in the United Kingdom. Thanks to Google, because it solves many technical problems, so I built this blog in return. Besides coding and trying out advanced technology, hiking and travelling are other favourites of mine, so I will write down what I see and what I feel along the way. Happy reading!!!
