CSRF (Cross-Site Request Forgery) Vulnerability and Prevention (with Code)

I. Concept

CSRF (Cross-site request forgery), also known as a "One Click Attack" or Session Riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different from XSS: XSS exploits the trusted users within a site, whereas CSRF exploits a trusted website by disguising the attacker's request as one from a trusted user. Compared with XSS, CSRF attacks are less well known (so resources for defending against them are rather scarce) and harder to defend against, which is why they are considered more dangerous than XSS.

II. How the Attack Works

Suppose user a makes a bank transfer of 100 yuan; the URL is as follows:

http://example.icbc.com/zhuanzhang?toUser=a&payCount=100

While a's login session has not yet expired, a receives the following link from a malicious attacker b:

http://example.icbc.com/zhuanzhang?toUser=b&payCount=100

Such links are hidden inside ordinary pages in the browser to mislead the user; when the user clicks one, the browser automatically attaches a's valid session cookie, the bank cannot distinguish the forged request from a genuine one, and a loss is very likely.

III. Defenses

1. Validate the Referer

The Referer field is part of the HTTP request headers and identifies where a request came from, so a filter can validate the Referer and block requests that do not originate from our own site. Note that some browsers and Referrer-Policy settings strip the header entirely, so such requests must be treated as untrusted, and the check is best combined with the token defense below.

Implementation 1 (web.xml configuration version):

(1) Add the filter to web.xml

<filter>
	<filter-name>refererFilter</filter-name>
	<filter-class>com.songsir.config.RefererFilter</filter-class>
	<!-- URLs excluded from filtering -->
	<init-param>
		<param-name>excudeUrl</param-name>
		<param-value>/login.action</param-value>
	</init-param>
</filter>
<filter-mapping>
	<filter-name>refererFilter</filter-name>
	<url-pattern>*.action</url-pattern>
</filter-mapping>

(2) The filter class

package com.songsir.config;

import org.apache.commons.lang.StringUtils;

import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

/**
 * @PackageName com.songsir.config
 * @ProjectName songsir-demoboot
 * @Author: SongYapeng
 * @Date: Create in 13:40 2019/8/2
 * @Description: Filter that only lets a request through when its Referer points at our own site
 * @Copyright Copyright (c) 2019, [email protected] All Rights Reserved.
 */
public class RefererFilter implements Filter {

    // The site's own host name (the post assumes it is "com.songsir")
    private static final String OWN_HOST = "com.songsir";

    String[] excudeUrlArray;

    /**
     * @param filterConfig
     * @MethodName init
     * @Description Read the comma-separated list of URIs the filter should let through
     * @Auther SongYapeng
     * @Date 2019/8/2 13:42
     * @Since JDK 1.8
     */
    @Override
    public void init(FilterConfig filterConfig) {
        String excudeUrl = filterConfig.getInitParameter("excudeUrl");
        String regex = ",";
        // Guard against a missing init-param instead of failing with a NullPointerException
        excudeUrlArray = excudeUrl == null ? new String[0] : excudeUrl.split(regex);
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String servletPath = getServletPath(request);
        boolean isExcludeUrl = false;
        for (String excudeUrl : excudeUrlArray) {
            if (excudeUrl.equals(servletPath)) {
                isExcludeUrl = true;
                break;
            }
        }
        if (isExcludeUrl) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            String referer = request.getHeader("Referer");
            // Continue only if the request came from our own site. A request with no Referer at all
            // (stripped by browser privacy settings or a Referrer-Policy) is rejected as well.
            if (referer != null && isOwnHost(referer.trim())) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                response.sendRedirect("/login.action");
            }
        }
    }

    /**
     * Parses the Referer as a URL and compares its host with OWN_HOST (exact match or a subdomain).
     * A substring test such as referer.contains("com.songsir") is not enough: any host name that
     * merely contains that string, e.g. a hypothetical "com.songsir.example.net", would pass.
     */
    private static boolean isOwnHost(String referer) {
        try {
            String host = new URI(referer).getHost();
            if (host == null) {
                return false;
            }
            host = host.toLowerCase();
            return host.equals(OWN_HOST) || host.endsWith("." + OWN_HOST);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    private String getServletPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        if (StringUtils.isNotEmpty(servletPath)) {
            return servletPath;
        } else {
            // Fall back to the request URI with the context path removed
            int startIndex = request.getContextPath().equals("") ? 0 : request.getContextPath().length();
            int endIndex = request.getRequestURI().length();
            return request.getRequestURI().substring(startIndex, endIndex);
        }
    }

    @Override
    public void destroy() {
    }
}

Implementation 2 (Spring Boot version)

(1) Add the @ServletComponentScan annotation to the application's startup class
(2) Filter configuration class

package com.songsir.config;

import org.apache.commons.lang.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;

/**
 * @PackageName com.songsir.config
 * @ProjectName songsir-demoboot
 * @Author: SongYapeng
 * @Date: Create in 13:40 2019/8/2
 * @Description: Filter that only lets a request through when its Referer points at our own site
 * @Copyright Copyright (c) 2019, [email protected] All Rights Reserved.
 */

@WebFilter(urlPatterns = {"/*"}, filterName = "refererFilter")
public class RefererFilter implements Filter {

    private static Logger logger = LoggerFactory.getLogger(RefererFilter.class);

    // The site's own host name (the post assumes it is "com.songsir")
    private static final String OWN_HOST = "com.songsir";

    private String excludeUrl = "/login.action";

    @Override
    public void init(FilterConfig filterConfig) {
        logger.info("refererFilter is init ...");
    }

    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String servletPath = getServletPath(request);
        if (servletPath.equals(excludeUrl)) {
            filterChain.doFilter(servletRequest, servletResponse);
        } else {
            String referer = request.getHeader("Referer");
            // The null check matters: a request without a Referer would otherwise throw a
            // NullPointerException here instead of being rejected.
            if (referer != null && isOwnHost(referer.trim())) {
                filterChain.doFilter(servletRequest, servletResponse);
            } else {
                response.sendRedirect("/login.action");
            }
        }
    }

    /**
     * Parses the Referer as a URL and compares its host with OWN_HOST (exact match or a subdomain),
     * rather than using a substring match, which any host name containing "com.songsir" would pass.
     */
    private static boolean isOwnHost(String referer) {
        try {
            String host = new URI(referer).getHost();
            if (host == null) {
                return false;
            }
            host = host.toLowerCase();
            return host.equals(OWN_HOST) || host.endsWith("." + OWN_HOST);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    private String getServletPath(HttpServletRequest request) {
        String servletPath = request.getServletPath();
        if (StringUtils.isNotEmpty(servletPath)) {
            return servletPath;
        } else {
            // Fall back to the request URI with the context path removed
            int startIndex = request.getContextPath().equals("") ? 0 : request.getContextPath().length();
            int endIndex = request.getRequestURI().length();
            return request.getRequestURI().substring(startIndex, endIndex);
        }
    }

    @Override
    public void destroy() {
    }
}

2. Add a Validation Token

For requests that touch sensitive data, require the user's browser to supply a value that is not stored in a cookie and that an attacker cannot forge. For example, the server generates a random number, embeds it in the form, and requires the client to send that number back with the request.
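A synchronizer-token filter of the kind this section describes, written for the same Servlet/Spring Boot setup as the Referer filters above (an added example, not code from the original post). It assumes Servlet 4.0 (so init/destroy have default implementations), that the form-rendering page calls CsrfTokenFilter.tokenFor(session) to embed the token, and the names CsrfTokenFilter, tokenFor, csrfToken and X-CSRF-Token are assumed, not taken from the post.

```java
package com.songsir.config;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.*;
// Synchronizer-token CSRF filter: an added example, not code from the original post.
// Assumes Servlet 4.0 (init/destroy have defaults) and that form pages call tokenFor(session).
@WebFilter(urlPatterns = {"/*"}, filterName = "csrfTokenFilter")
public class CsrfTokenFilter implements Filter {
    // Assumed names: the session attribute / hidden form field, and the header for AJAX callers.
    public static final String TOKEN_NAME = "csrfToken";
    public static final String TOKEN_HEADER = "X-CSRF-Token";
    private static final SecureRandom RANDOM = new SecureRandom();
    // Returns the session's token, minting a 256-bit random one on first use. The page that
    // renders a form emits it as <input type="hidden" name="csrfToken" value="...">.
    public static String tokenFor(HttpSession session) {
        String token = (String) session.getAttribute(TOKEN_NAME);
        if (token == null) {
            byte[] buf = new byte[32];
            RANDOM.nextBytes(buf);
            token = Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
            session.setAttribute(TOKEN_NAME, token);
        }
        return token;
    }
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String method = request.getMethod();
        // Safe methods must not change state, so only state-changing requests need a token.
        if ("GET".equals(method) || "HEAD".equals(method) || "OPTIONS".equals(method)) {
            chain.doFilter(req, res);
            return;
        }
        HttpSession session = request.getSession(false);
        String expected = session == null ? null : (String) session.getAttribute(TOKEN_NAME);
        String submitted = request.getParameter(TOKEN_NAME);
        if (submitted == null) submitted = request.getHeader(TOKEN_HEADER);
        // A cross-site page cannot read the token (it is in neither a cookie nor the URL), so a missing or mismatched value means the request was not produced by our own form or script.
        if (expected == null || submitted == null || !MessageDigest.isEqual(expected.getBytes(), submitted.getBytes())) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing or invalid CSRF token");
            return;
        }
        chain.doFilter(req, res);
    }
}
```

MessageDigest.isEqual compares the two tokens in constant time, so the check does not leak how many leading bytes matched.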

3. Require a CAPTCHA

Because a CSRF attack happens without the user's awareness, requiring the user to enter a CAPTCHA makes them conscious of the action they are about to perform.
