Understanding CSRF

Backend | Unresolved | 4 | 922
不知归路
不知归路 2020-12-01 06:06

I don't understand how using a 'challenge token' would add any sort of prevention: what value should be compared with what?

From OWASP:

In gen

4 answers
  •  旧时难觅i
    2020-12-01 06:43

    CSRF Explained with an analogy - Example:

    Imagine you're opening your front door using a key - your key. Nobody else has your key. You open the door – but before you go inside, your neighbour calls you over from across the road and you both have a very amicable conversation about the weather or perhaps President Trump’s latest 3.45 am tweets etc. While you are having this conversation, unbeknownst to you, somebody else sees you outside, and decides to impersonate you by wearing your same clothes and hair style and decides to go into your own house pretending to be you!

    Nobody inside your house notices anything different - your wife is like, ‘oh crud*, he’s home’.

    The impersonator helps himself to all of your money, and perhaps plays some Xbox on the way out and nobody is any wiser.

    CSRF basically relies on the fact that you opened the door to your house and then left it open, allowing someone else to simply walk in and pretend to be you.

    What is the way to solve this problem?

    When you first open the door to your house, you are given a paper with a long and very random number written on it by your door man:

    "ASDFLJWERLI2343234"

    Now, if you wanna get into your own house, you have to present that piece of paper to the door man to get in.

    So now when the impersonator tries to get into your house, the door man asks:

    "What is the random number written on the paper?"

    If the impersonator doesn't have the correct number, then he won't get in. Either that or he must guess the random number correctly - which is a very difficult task. What's worse is that the random number is valid for only 20 minutes (e.g.). So now the impersonator must guess correctly, and not only that, he has only 20 minutes to get the right answer. That's way too much effort! So he gives up.

    Granted, the analogy is a little strained, but I hope it is helpful to you.

    *crud = (Create, Read, Update, Delete)
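
The comparison the question asks about, as an added example that is not part of the original post or answer: the server mints a random token when the page is served, stores it in the user's server-side session, and on a state-changing request compares the value carried in the request (hidden form field or header) against the stored one. The `handle_transfer` endpoint, the session dict and the 20-minute lifetime are constructed for illustration; the lifetime mirrors the answer's example.

```python
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 20 * 60  # the answer's "valid for only 20 minutes" example


def issue_csrf_token(session, now=None):
    """The door man hands out the paper: mint a random token, store it in the
    server-side session with its issue time, and return it so the page can
    embed it in a hidden form field or a custom request header."""
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
    session["csrf_token"] = token
    session["csrf_issued"] = time.time() if now is None else now
    return token


def verify_csrf_token(session, presented, now=None):
    """Compare the value the request carries against the value stored in
    *this* session. A cross-site page can make the browser attach the session
    cookie, but it cannot read or forge the token, so the check fails."""
    expected = session.get("csrf_token")
    issued = session.get("csrf_issued")
    if not expected or issued is None or not presented:
        return False
    now = time.time() if now is None else now
    if now - issued > TOKEN_TTL_SECONDS:
        return False  # the paper has expired; the page must fetch a fresh one
    # constant-time comparison so the check leaks nothing about the token
    return hmac.compare_digest(expected.encode(), str(presented).encode())


def handle_transfer(session, form, now=None):
    """Constructed state-changing endpoint: the cookie-backed session alone is
    not enough; the request must also carry the token the real page received."""
    if not verify_csrf_token(session, form.get("csrf_token"), now):
        return "403 rejected: missing, wrong or expired CSRF token"
    return "200 transferred %s to %s" % (form["amount"], form["to"])


if __name__ == "__main__":
    session = {"user": "victim"}  # constructed: what the session cookie maps to
    token = issue_csrf_token(session)
    # the form rendered by the site itself carries the token -> accepted
    print(handle_transfer(session, {"to": "alice", "amount": 10, "csrf_token": token}))
    # a request that only has the cookie, or a guessed token -> rejected
    print(handle_transfer(session, {"to": "mallory", "amount": 1000}))
    print(handle_transfer(session, {"to": "mallory", "amount": 1000,
                                    "csrf_token": "ASDFLJWERLI2343234"}))
```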
