<>CSRF and SSRF explained in detail:
<>CSRF: what is it?
CSRF (Cross-Site Request Forgery) is similar in its means to an XSS vulnerability: by stealing the identity of the attacked user, the attacker accesses the server as that user and performs operations.
<>CSRF attack principle:
* The user opens a browser, visits website A, enters a user name and password, and sends the request. The server receives the request and returns a response that sets the user's cookie.
* While the user's cookie for website A is still within its validity period, the user visits a website built by the attacker. The attacker's website contains malicious code, and because the browser carries the cookie for website A, the attacker can use the user's identity to access website A through the website they built.
<>CSRF defensive means:
* Verify the Referer field in the HTTP request
* Add a token to the request address and verify it
* Add a custom attribute in the HTTP header and validate it
* Restrict the request method to POST only
* Require the user to enter their original password when sending important requests
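The following is an added example, not code from the original page, showing how three of the defenses above (Referer check, session-bound token, POST-only) combine into one server-side check; the `SESSIONS` store, the `check_csrf` function and the host name `bank.example` are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store: session id -> CSRF token issued for it.
SESSIONS = {}


def issue_csrf_token(session_id):
    """Generate an unpredictable token, bind it to the session and return it.

    The token is embedded in the site's own forms, so a page on another
    origin cannot read it and therefore cannot include it in a forged request.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id] = token
    return token


def check_csrf(request, trusted_host="bank.example"):
    """Return (ok, reason) for a request dict with method, headers, form, session_id."""
    # Defense: state-changing actions are accepted over POST only.
    if request.get("method") != "POST":
        return False, "method"
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    # Defense: the Origin (preferred) or Referer header must name our own host.
    source = headers.get("origin") or headers.get("referer")
    if not source or urlsplit(source).hostname != trusted_host:
        return False, "referer"
    # Defense: the token from the form field or custom header must match
    # the one bound to this session; compare in constant time.
    expected = SESSIONS.get(request.get("session_id"))
    supplied = request.get("form", {}).get("csrf_token") or headers.get("x-csrf-token")
    if not expected or not supplied:
        return False, "token"
    if not hmac.compare_digest(expected.encode("utf-8"), supplied.encode("utf-8")):
        return False, "token"
    return True, "ok"
```

A request forged from another site fails the Referer check, and even if that header were missing or spoofed by a proxy, it still fails the token check because the attacker's page never saw the session's token.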
<>SSRF: what is it?
SSRF (Server-Side Request Forgery) is a security vulnerability in which the attacker constructs a request that the server itself sends. The main target of SSRF is internal systems that cannot be reached from the external network.
<>SSRF: causes of formation:
The main cause of SSRF is that the server fetches resources from other server applications on the user's behalf, but does not filter the target address.
<>SSRF: common vulnerable functions:
* Loading or downloading pictures via a URL
* Online translation functions: loading or uploading pictures via a URL address