Cross-Site Request Forgery explained
A quick example
The bank site's legitimate transfer form:

```html
Transfer money
<form action="http://bank-site.com/Transfer" method="post">
  Enter Amount <input name="amount" value="100.23" />
  Enter Account number <input name="account" value="1001" />
  <input type="submit" value="transfer money" />
</form>
```
The forged site's HTML carries the same fields, but as hidden inputs prefilled with the attacker's account number and amount; it POSTs the data to the same bank URL as above.
```html
Win 1000000 US$
<form action="http://bank-site.com/Transfer" method="post">
  <input type="hidden" name="amount" value="10000" />
  <input type="hidden" name="account" value="3002" />
  <input type="submit" value="Play the ultimate game" />
</form>
```
Now suppose the user is logged in to bank-site and the attacker emails them a link to this forged game page. The user, believing it is a game site, clicks the "Play the Ultimate Game" button; the browser submits the hidden form to the bank, attaching the user's existing login session, and the money transfer goes through.
How to prevent
- Check the Referer HTTP header and verify that the request originated from a page internal to your web application.
- CSRF token:
  - The server generates a one-time token and adds it to a hidden field of the form.
  - When the user submits the form, the token is sent with it and validated on the server.
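The following is an added example, not code from the original post, showing both defenses listed above applied to the bank's `/Transfer` handler: a Referer/Origin check against the bank's own origin, and a one-time CSRF token issued into the hidden field and consumed on validation. The session store, the `csrf_token` field name, the game-site host and the request dictionaries are constructed for the demonstration. It also shows why the token matters more than the Referer check: the Referer header can be stripped by browsers or privacy tools, so a strict Referer policy may reject real users, while the token check fails closed only for requests that never saw the bank's form.

```python
import hmac
import re
import secrets
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed example values; the bank host comes from the page's sample form.
BANK_ORIGIN = "http://bank-site.com"
TOKEN_FIELD = "csrf_token"  # hypothetical hidden-field name


def issue_token(session: Dict) -> str:
    """Generate a one-time CSRF token and remember it in the server-side session.

    The token is placed in the bank's form as a hidden field. A forged page on
    another site cannot read it, because the browser forbids cross-origin
    reads of the bank's HTML, so the forged POST arrives without it.
    """
    token = secrets.token_urlsafe(32)
    session.setdefault("csrf_tokens", set()).add(token)
    return token


def render_transfer_form(session: Dict) -> str:
    """Return the bank's transfer form with the hidden token field added."""
    token = issue_token(session)
    return (
        f'<form action="{BANK_ORIGIN}/Transfer" method="post">\n'
        f'  <input type="hidden" name="{TOKEN_FIELD}" value="{token}" />\n'
        '  Enter Amount <input name="amount" value="100.23" />\n'
        '  Enter Account number <input name="account" value="1001" />\n'
        '  <input type="submit" value="transfer money" />\n'
        '</form>'
    )


def referer_is_internal(headers: Dict[str, str]) -> bool:
    """Accept only requests whose Origin (preferred) or Referer is the bank's own origin."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # header absent: fail closed (strict policy, see lead-in caveat)
    parsed, expected = urlparse(source), urlparse(BANK_ORIGIN)
    return (parsed.scheme, parsed.netloc) == (expected.scheme, expected.netloc)


def validate_transfer(session: Dict, form: Dict[str, str],
                      headers: Dict[str, str]) -> Tuple[bool, str]:
    """Server-side check for POST /Transfer: referer check first, then the one-time token."""
    if not referer_is_internal(headers):
        return False, "rejected: request did not originate from the bank site"
    submitted = form.get(TOKEN_FIELD, "")
    issued = session.get("csrf_tokens", set())
    # Constant-time comparison so the check does not leak token bytes via timing.
    match = next((t for t in issued if hmac.compare_digest(t, submitted)), None)
    if match is None:
        return False, "rejected: missing or invalid CSRF token"
    issued.discard(match)  # one-time use: a replayed token is rejected
    return True, f"accepted: transfer of {form['amount']} to account {form['account']}"


def demo() -> Tuple[Tuple[bool, str], Tuple[bool, str], Tuple[bool, str]]:
    """Run the legitimate, forged and replayed submissions from the page's scenario."""
    session = {"user": "alice"}  # constructed: alice is logged in to the bank
    bank_headers = {"Referer": f"{BANK_ORIGIN}/transfer-page"}
    html = render_transfer_form(session)
    token = re.search(rf'name="{TOKEN_FIELD}" value="([^"]+)"', html).group(1)

    # 1. The user submits the bank's own form.
    legit = validate_transfer(session,
                              {"amount": "100.23", "account": "1001", TOKEN_FIELD: token},
                              bank_headers)
    # 2. The forged "Win 1000000 US$" page posts from another site with no token.
    forged = validate_transfer(session,
                               {"amount": "10000", "account": "3002"},
                               {"Referer": "http://game-site.example/"})
    # 3. The already-used token is replayed from the bank's own page.
    replay = validate_transfer(session,
                               {"amount": "100.23", "account": "1001", TOKEN_FIELD: token},
                               bank_headers)
    return legit, forged, replay


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Per-request tokens, as the page describes, are the strictest form; many frameworks instead issue one token per session and compare it the same way, which avoids breaking pages the user has open in several tabs.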