Web Information Security Practice 3.4: CSRF Defense
2021-04-24 08:27
Original source: https://www.cnblogs.com/tianjiazhen/p/12235607.html
Incorrect CSRF defense methods
(1) Only accept POST requests
(2) Require multiple steps for a transfer
(3) Check the Referer header
The Referer header transfer.php receives in the two cases (a request submitted from the site's own page, and one submitted from the attacker's page):
Referer: http://www.myzoo.com/transfer.php
Referer: http://www.attacker.com/csrf/csrf1.html
Defense idea: add a check of the Referer header to transfer.php on the server
<?php
// transfer.php: reject the request unless the Referer host is our own site.
// The comparison value 'www.bank.com' is kept as in the original post (the lab site itself is www.myzoo.com).
$ref = $_SERVER['HTTP_REFERER'] ?? '';   // empty string if the browser sent no Referer at all
$refData = parse_url($ref);              // parse_url() yields the host directly, no substr()/strpos() needed
$tmp2 = $refData['host'] ?? '';
if ($tmp2 != 'www.bank.com')
    die("Hotlinking not permitted!");
else
    echo($refData['host']);
?>
Shortcomings of the Referer defense
General CSRF defense: add to the form a field that the attacker cannot easily construct (a random string, i.e. a token)
sudo vim /var/www/myzoo/login.php
// Add the following lines at the top of the file
<?php
session_start(); // start the session
if ($_POST['login_username'] != NULL && $_POST['login_password'] != NULL)
    $_SESSION['csrf'] = md5(uniqid(mt_rand(), true)); // generate a random value, hash it with MD5 and store it in the session
?>
// Generating the random value: a new one is produced each time the user logs in.
// The developer chooses the granularity: e.g. one value for the whole login session on the login page, or on the transfer page a fresh value for every transfer...
sudo vim /var/www/myzoo/transfer.php
// Stop the operation if the csrf field is missing or does not match
<?php
// transfer.php (zoobar lab): $db and $user come from the lab's existing includes,
// and session_start() is assumed to have been called earlier in the file so $_SESSION is available.
if (isset($_POST['submission'])) {
    // Does the token the user submitted match the one generated at login?
    if (isset($_POST['csrf'], $_SESSION['csrf']) && $_POST['csrf'] == $_SESSION['csrf']) {
        $recipient = $_POST['recipient'];
        $zoobars = (int) $_POST['zoobars'];
        $sql = "SELECT Zoobars FROM Person WHERE PersonID=$user->id";
        $rs = $db->executeQuery($sql);
        $rs = mysql_fetch_array($rs);
        $sender_balance = $rs["Zoobars"] - $zoobars;
        // $recipient is interpolated straight into SQL as in the lab code; the CSRF check does not address that.
        $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
        $rs = $db->executeQuery($sql);
        $rs = mysql_fetch_array($rs);
        $recipient_exists = $rs["PersonID"];
        if ($zoobars > 0 && $sender_balance >= 0 && $recipient_exists) {
            $sql = "UPDATE Person SET Zoobars = $sender_balance " .
                   "WHERE PersonID=$user->id";
            $db->executeQuery($sql);
            $sql = "SELECT Zoobars FROM Person WHERE Username='$recipient'";
            $rs = $db->executeQuery($sql);
            $rs = mysql_fetch_array($rs);
            $recipient_balance = $rs["Zoobars"] + $zoobars;
            $sql = "UPDATE Person SET Zoobars = $recipient_balance " .
                   "WHERE Username='$recipient'";
            $db->executeQuery($sql);
            $result = "Sent $zoobars zoobars";
        }
        else $result = "Transfer to $recipient failed.";
    }
    else return; // csrf field missing or wrong: stop the operation
}
?>
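The post shows where the token is generated (login.php) and where it is checked (transfer.php) but not the piece in between: the hidden form field that carries the token back. The following is an added, self-contained example, not code from the original post or from the zoobar lab, that walks the whole round trip: issue a token, embed it in the transfer form, verify it on submission, and rotate it after use (the "per-transfer" granularity the post mentions). It assumes session storage modelled as a plain PHP array so it runs from the command line; in the real login.php/transfer.php you would use $_SESSION. The function names and the form field names other than csrf are the example's own.

```php
<?php
// Added example (not part of the original post or the zoobar lab code).
// Models the token round trip: issue -> embed in form -> verify on POST -> rotate.
// Assumption: $session stands in for $_SESSION so the script runs from the CLI.

function csrf_issue_token(array &$session): string {
    // 32 bytes from the CSPRNG, hex-encoded. random_bytes() is preferable to
    // md5(uniqid(mt_rand(), true)) because mt_rand() is not a cryptographic generator.
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function csrf_verify(array $session, array $post): bool {
    if (!isset($session['csrf']) || !isset($post['csrf']) || !is_string($post['csrf'])) {
        return false;                 // no token issued, or no token submitted
    }
    // hash_equals() replaces the loose == comparison and is constant-time.
    return hash_equals($session['csrf'], $post['csrf']);
}

function render_transfer_form(string $token): string {
    // The hidden field is what a page on another origin cannot reproduce:
    // the token is only ever delivered to this user's browser, inside this HTML.
    $safe = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="transfer.php">' . "\n"
         . '  <input type="hidden" name="csrf" value="' . $safe . '">' . "\n"
         . '  Recipient: <input name="recipient">' . "\n"
         . '  Zoobars: <input name="zoobars">' . "\n"
         . '  <input type="submit" name="submission" value="Send">' . "\n"
         . '</form>';
}

function handle_transfer(array &$session, array $post): string {
    if (!csrf_verify($session, $post)) {
        return 'Transfer rejected: missing or invalid CSRF token';
    }
    // This is where the real transfer.php would run its balance update.
    $zoobars   = (int) ($post['zoobars'] ?? 0);
    $recipient = $post['recipient'] ?? '';
    if ($zoobars <= 0 || $recipient === '') {
        return 'Transfer failed: bad amount or recipient';
    }
    // Rotate the token so the same form submission cannot be replayed (per-transfer granularity).
    csrf_issue_token($session);
    return "Sent $zoobars zoobars to $recipient";
}

// --- constructed demo inputs standing in for the browser and for a cross-site page ---
$session = [];
$token = csrf_issue_token($session);          // done once at login
echo render_transfer_form($token), "\n\n";    // the page served to the logged-in user

// 1. Legitimate submission: the browser posts the hidden field back.
echo handle_transfer($session, ['submission' => 'Send', 'recipient' => 'alice',
                                'zoobars' => '10', 'csrf' => $token]), "\n";

// 2. Cross-site submission: the browser attaches the session cookie automatically,
//    so $session is the same, but the foreign page never saw the token, so the check fails.
echo handle_transfer($session, ['submission' => 'Send', 'recipient' => 'alice',
                                'zoobars' => '10']), "\n";

// 3. Replaying the first token after rotation also fails.
echo handle_transfer($session, ['submission' => 'Send', 'recipient' => 'alice',
                                'zoobars' => '10', 'csrf' => $token]), "\n";
```

Run it with `php csrf_demo.php`: the first transfer succeeds, the second is rejected because no token was submitted, and the third is rejected because the token was rotated after the first transfer. Case 2 is the situation the post's two Referer lines illustrate, handled by the token instead of by the Referer header.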