New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

网络安全之 CRSF #41

Open

ronghaoZHI opened this issue Jun 1, 2020 · 0 comments

Owner

ronghaoZHI commented Jun 1, 2020 •

edited

CRSF

即 cross-site request forgery
黑客常利用用户的登录状态，通过第三方站点来做一些事情。

必要条件

目标站点一定要有CRSF漏洞
用户需要登陆站点，并且在浏览器保留其登录状态
需要用户打开第三方站点

防范措施

充分利用 cookie 的 SameSite 属性（ Strict , Lax， None）
验证请求来源 Origin、referer 头信息
CRSF Token

ronghaoZHI added todo and removed todo labels

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment