csrf

一、CSRF介绍 CSRF（Cross-site request forgery） 跨站请求伪造，也被称为“OneClick Attack”或者Session Riding，通常缩写为CSRF或者XSRF，是一种对网站的恶意利用。 CSRF攻击与防御，web安全的第一防线（源码，实战，5分钟科普文） 上图为CSRF攻击的一个简单模型，用户访问恶意网站B，恶意网站B返回给用户的HTTP信息中要求用户访问网站A，而由于用户和网站A之间可能已经有信任关系导致这个请求就像用户真实发送的一样会被执行。 二、CSRF攻击的危害 攻击者盗用了你的身份，以你的名义发送恶意请求，对服务器来说这个请求是完全合法的，但是却完成了攻击者所期望的一个操作，比如以你的名义发送邮件、发消息，盗取你的账号，添加系统管理员，甚至于购买商品、虚拟货币转账等。 如果CSRF发送的垃圾信息还带有蠕虫链接的话，那些接收到这些有害信息的好友万一打开私信中的连接就也成为了有害信息的散播着，这样数以万计的用户被窃取了资料种植了木马。整个网站的应用就可能在瞬间奔溃，用户投诉，用户流失，公司声誉一落千丈甚至面临倒闭。曾经在MSN上，一个美国的19岁的小伙子Samy利用css的background漏洞几小时内让100多万用户成功的感染了他的蠕虫，虽然这个蠕虫并没有破坏整个应用，只是在每一个用户的签名后面都增加了一句“Samy

After uprading to Spring Security 3.2.0 and configuring the xml, the _csrf token is not working. Fundamentals: Spring 4.0.1 Spring Security 3.2.0. Freemarker Template Language Step 1 - the spring security xml configuration: <!-- enable csrf protection via csrf-element --> <sec:http> <!-- --> <sec:csrf token-repository-ref="csrfTokenRepository" /> </sec:http> <!-- rewrite headerName --> <bean id="csrfTokenRepository" class="org.springframework.security.web.csrf.HttpSessionCsrfTokenRepository"> <property name="headerName" value="X-SECURITY" /> </bean> Step 2 - the freemarker template: <form

I already seen some question from here (stackoverflow) and THIS post, but I still have some questions... Using hidden value in the post form and check it when post reach the server. The hidden value can easy be copied and send exactly like the real one, "hard to guess" (like md5) will not help. (right?) Setting a cookie when you reach the form and send the cookie value as a hidden value. You can easily change a cookie value or send a custom cookie exactly like the real one using the same real hidden value. (right?) Using 'timeout', the POST values cannot reach too late. So, if you're slow you

Is there any provisions in rails that would allow all AJAX POST requests from the site to pass without an authenticity_token? I have a Jquery POST ajax call that calls a controller method, but I did not put any authenticity code in it and yet the call succeeds. My ApplicationController does have 'request_forgery_protection' and I've changed config.action_controller.consider_all_requests_local to false in my environments/development.rb I've also searched my code to ensure that I was not overloading ajaxSend to send out authenticity tokens. Is there some mechanism in play that disables the check

I have a Rails 3 Facebook canvas app. When it loads up it gives me an invalid authenticity token error and displays the signed_request parameter that Facebook sends to my app. Is there a way to bypass the 'protect_from_forgery' for the signed_request from facebook? Thanks! Tim Problem solved. I added skip_before_filter :verify_authenticity_token, :only => [THE ACTION] to the top of my controller. You can also just remove protect_from_forgery from the application controller, if you only use the app as a canvas app. 来源： https://stackoverflow.com/questions/4551210/how-do-i-bypass-protect-from