I. What is CSRF?
CSRF (Cross-site request forgery) is also known as a one-click attack or session riding, and is abbreviated CSRF or XSRF.
II. What can CSRF do?
You can think of a CSRF attack this way: the attacker hijacks your identity and sends malicious requests in your name. What CSRF can accomplish includes sending email or messages as you, taking over your account, and even buying goods or transferring virtual currency on your behalf... The resulting harm ranges from leaked personal data to loss of money.
III. The state of CSRF vulnerabilities
CSRF as an attack technique was described by security researchers abroad as early as 2000, but in China it drew little attention until 2006. In 2008 a number of large community and interactive sites at home and abroad were found to have CSRF vulnerabilities, among them NYTimes.com (The New York Times), Metafilter (a large blog site), YouTube and Baidu HI... Even now many sites on the internet remain completely unprepared for it, to the point that the security industry has called CSRF "the sleeping giant".
IV. How CSRF works
The figure below gives a simple picture of the idea behind a CSRF attack:

As the figure shows, for a CSRF attack to succeed the victim must complete two steps in order:
1. Log in to trusted site A, which stores a session cookie in the browser.
2. Without logging out of A, visit malicious site B.
At this point you may say: "If I avoid either of those two conditions, I cannot be hit by CSRF." That is true, but you cannot guarantee that the following never happens:
1. You cannot guarantee that after logging in to one site you never open another tab and visit a different site.
2. You cannot guarantee that after you close the browser your local cookie expires immediately and your previous session has ended. (In fact, closing the browser does not end a server-side session, yet most people wrongly assume that closing the browser is the same as logging out or ending the session...)
3. The "attacker site" in the figure may itself be a trusted, frequently visited site that happens to contain some other vulnerability (for example one that lets an attacker inject content).
That covers the general idea of a CSRF attack. Below I use a few examples to walk through concrete CSRF attacks, taking a bank transfer as the scenario (purely an example; real bank sites are not this naive :>).
Example 1:
Bank site A performs transfers with a GET request, for instance: http://www.mybank.com/Transfer.php?toBankId=11&money=1000
Malicious site B contains the following HTML:
<img src=http://www.mybank.com/Transfer.php?toBankId=11&money=1000>
First you log in to bank site A, then you visit malicious site B. Oh no, your bank balance is now 1000 lower...
Why does this happen? Because bank site A violates the HTTP specification by using a GET request to update a resource. Before visiting malicious site B you had already logged in to bank site A, and the <img> on B requests a third-party resource via GET (the third party here being the bank site; normally this is a perfectly legitimate request, but here a criminal abuses it). The browser attaches cookies based on the destination of a request, not on which page issued it, so it sends the GET for "http://www.mybank.com/Transfer.php?toBankId=11&money=1000" with your bank site A cookie attached. When the bank server receives the request it treats it as an update operation (a transfer) and carries the transfer out immediately...
Example 2:
To eliminate the problem above, the bank decides to switch to POST requests for transfers.
The web form on bank site A is as follows:
    <form action="Transfer.php" method="POST">
    <p>ToBankId: <input type="text" name="toBankId" /></p>
    <p>Money: <input type="text" name="money" /></p>
    <p><input type="submit" value="Transfer" /></p>
    </form>
The back-end handler Transfer.php is as follows:
    <?php
    session_start();
    // $_REQUEST holds both query-string and POST-body parameters,
    // so the handler does not care how the values arrived.
    if (isset($_REQUEST['toBankId']) && isset($_REQUEST['money']))
    {
        buy_stocks($_REQUEST['toBankId'], $_REQUEST['money']);
    }
    ?>