
I have this form

<form>
//code
<input type="hidden" value="gfth35rfer43556thgrth8678gbfgb" name="csrf">
</form>

The token is unique for each user. Now suppose an attacker logs in and opens this page. He now knows what the current session token is; by copying the value above, the attacker has the authentication token. He can easily attack my site. How does this scheme prevent a CSRF attack?


1 Answer


Given:

  • Alice - a user
  • Bob - someone who runs a site
  • Mallory - an attacker

The point of CSRF protection is to prevent Mallory from tricking Alice into submitting data provided by Mallory (using Alice's user credentials).

Since Alice and Mallory have different tokens, Mallory cannot just "copy the value above".

It isn't there to prevent Mallory submitting data using their own credentials. To solve that problem you need to decide how much trust to give to different users.

answered 2013-12-19T12:27:27.107
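To make the answer's point concrete, here is an added example (not code from the question or the answer) of the server-side logic that makes a per-user token work: the token is stored in the server-side session and compared against the submitted field, so a token Mallory copies from her own page is useless when Alice's browser submits it. An in-memory dict stands in for the session backend, and the route, field name and user names are assumptions for illustration.

```python
import hmac
import html
import re
import secrets

# Assumption: an in-memory dict plays the role of the server-side session
# store. Key is the session id carried in the cookie; value is session data.
SESSIONS = {}


def login(user):
    """Create a session for `user` with its own fresh CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_form(sid):
    """Render the form the browser sees, embedding the token bound to `sid`."""
    token = html.escape(SESSIONS[sid]["csrf"], quote=True)
    return (
        '<form method="post" action="/transfer">'          # hypothetical route
        f'<input type="hidden" name="csrf" value="{token}">'
        '</form>'
    )


def copy_token_from_page(page):
    """What an attacker can do: read the token out of a page they can view."""
    match = re.search(r'name="csrf" value="([^"]+)"', page)
    return html.unescape(match.group(1)) if match else ""


def handle_post(sid, form):
    """Server-side check. `sid` is the cookie the browser attaches
    automatically; `form` is the submitted body (attacker-controlled in a
    cross-site request). Returns (status, message)."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    submitted = form.get("csrf", "")
    # Compare the submitted token only with the token of THIS session,
    # in constant time so the comparison does not leak bytes via timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "csrf token mismatch"
    return 200, f"action performed as {session['user']}"


def demo():
    """Return the status codes for: Mallory's forged request riding on
    Alice's cookie, Alice's own submission, and Mallory's own submission."""
    alice = login("alice")
    mallory = login("mallory")

    # Mallory logs in, views her own copy of the page and copies the token.
    mallory_token = copy_token_from_page(render_form(mallory))

    # Mallory's site makes Alice's browser submit the form: the browser sends
    # Alice's cookie, but the body carries Mallory's copied token.
    forged = handle_post(alice, {"csrf": mallory_token})

    # Alice submits the form the server actually rendered for her.
    alice_token = copy_token_from_page(render_form(alice))
    legit = handle_post(alice, {"csrf": alice_token})

    # Mallory submitting with her own cookie and token is simply Mallory
    # acting as Mallory; the CSRF check is not meant to stop that.
    own = handle_post(mallory, {"csrf": mallory_token})

    return forged[0], legit[0], own[0]


if __name__ == "__main__":
    print(demo())
```

The forged request fails because the server never compares the submitted token with "any valid token", only with the one bound to the session identified by the cookie. Mallory's own submission succeeds, which is the answer's second point: what Mallory may do under her own credentials is an authorization question, not a CSRF one.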