简体中文(ZH-CN)English(EN)繁体中文(ZH-TW)日本語(JA)한국어(KO)Melayu(MS)Français(FR)Deutsch(DE)
Home
Article
Q&A
Course
Topic
Download
Game
Dictionary
Recent Updates

Home  >  Q&A  >  body text

Learn about CSRF

I don't understand how using a "challenge token" adds any kind of prevention: what value should be compared to what?

From OWASP:

Generally speaking, developers only need Generate this token once Current session. After initialization The generation of this token, whose value is stored in session and used For each subsequent request, until Session expired.

If I understand the process correctly, this is what will happen.

I log in to http://example.com and create a session/cookie containing this random token. Each form then contains a hidden input that also contains a random value from the session, which is compared to the session/cookie on form submission.

But what can be achieved? Don't you just get the session data, put it into the page, and compare it to the exact same session data? Seems like circular reasoning. These articles keep talking about following a "same origin policy" but that doesn't make any sense since all CSRF attacks originate with the user and just trick the user into doing something he/she doesn't intend.

Are there any alternatives to appending the token as a query string to each URL? Looks very ugly and impractical, and makes it harder for users to bookmark.

P粉056618053P粉056618053332 days ago621

reply all(2)I'll reply

  • P粉794851975

    P粉7948519752023-10-24 11:47:30

    CSRF explained by analogy - Example:

    • You use your key to open the front door of your home.
    • Before going in, talk to your neighbor
    • While you are having this conversation, please walk in with the door unlocked.
    • They went in, pretending to be you!
    • No one in your family notices any difference - your wife is like, "Oh, asshole*, he's home".

    The impostor took all your money and maybe played some Xbox on the way out...

    Summary

    CSRF basically relies on the fact that you open the door to your home and then leave it open so that someone else can simply walk in and pretend to be you.

    how to solve this problem?

    When you first open the door to your home, the doorman will give you a piece of paper with a long and very random number written on it:

    Now, if you want to enter your house, you have to show that piece of paper to the doorman to get in.

    SoNowWhen an impostor tries to enter your house, the doorman will ask:

    "What is the random number written on the paper?"

    If the impostor does not have the correct number, then he cannot enter. Either he has to guess the random number correctly - a very difficult task. To make matters worse, the random number is only valid for 20 minutes (for example). So know that the impersonator must guess correctly, and not only that, he only has 20 minutes to get the correct answer. This is so strenuous! So he gave up.

    Of course, this analogy is a bit far-fetched, but I hope it helps.

    **crud = (create, read, update delete)

    reply
    0
  • P粉121081658

    P粉1210816582023-10-24 00:28:04

    The attacker cannot obtain the token. Therefore the request will not take effect.

    I recommend this article by Gnucitizen. It has a pretty good explanation of CSRF: http://www.gnucitizen.org/blog/csrf-revealed/

    reply
    0
  • Cancelreply