CSRF attack principle scenario
2022-07-25 01:43:00 【User 2200417】
CSRF attack:
CSRF attack overview:
CSRF (Cross Site Request Forgery) is a kind of web attack. In 2007 it was listed as one of the 20 major Internet security risks. Other security risks, such as SQL injection and cross-site scripting, have become more familiar in recent years, and many websites already defend against them. For most people, however, CSRF is still an unfamiliar concept. Even the famous Gmail still had a CSRF vulnerability at the end of 2007, and the hackers who exploited it caused Gmail users large losses.
CSRF attack principle:
Websites implement login through cookies. As long as a cookie exists in the browser, the browser automatically attaches it to every request it sends to the server that set it. That is where the loophole is: if you visit a website with ulterior motives, or one that has been infected, that website can insert js code into its page source and use it to send requests to other servers (for example, a transfer request to ICBC). Because the browser automatically sends the matching cookie along with the request, the corresponding server (for example, the ICBC website) does not know the request was forged and is deceived. Thus, without the user's knowledge, a request (for example, a transfer) has been sent to a server in the user's name.
Defending against CSRF attacks:
The key point of a CSRF attack is that when a request is sent to a server, the corresponding cookie is automatically sent with it, and the server cannot tell whether the request was initiated by the user or forged. So, every time a user visits a page with a form, a random string called csrf_token is added to the page source, and a csrf_token with the same value is added to the cookie. Every later request to the server must carry the csrf_token both in the body and in the cookie; only when the server detects that the csrf_token in the cookie and the csrf_token in the body are the same does it treat the request as normal, otherwise it is treated as forged. A hacker's page cannot read the cookie of another domain, so it cannot forge the request. In Django, defending against CSRF takes two steps. The first is to add the CsrfViewMiddleware middleware to settings.MIDDLEWARE. The second is to add an input tag to the template code that carries the csrf_token. The sample code is as follows:
- Server code (settings.py):

```python
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.middleware.gzip.GZipMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
```

- Template code:

```html
<input type="hidden" name="csrfmiddlewaretoken" value="{{ csrf_token }}"/>
```

Or use the csrf_token template tag directly, which generates the same hidden input carrying the csrf token:

```html
{% csrf_token %}
```
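To make the server-side rule above concrete, here is an added example (not code from the original post and not Django's own CsrfViewMiddleware) of the cookie-versus-token comparison. It models a request as plain dictionaries instead of a Django HttpRequest, accepts the token either from the csrfmiddlewaretoken form field or from the X-CSRFToken header that the ajax section below uses, and skips the check for safe methods, as Django does. The names `verify_csrf`, `generate_token` and `simulate_transfer_requests` are this example's own.

```python
import hmac
import secrets

# Names used by Django's CSRF protection (from the page's own snippets).
COOKIE_NAME = "csrftoken"            # cookie that holds the token
FORM_FIELD = "csrfmiddlewaretoken"   # hidden input name in the template
HEADER_NAME = "x-csrftoken"          # header the ajax code sets (compared case-insensitively)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def generate_token() -> str:
    """Random, unguessable token; a hacker's page cannot read it from another domain's cookie."""
    return secrets.token_urlsafe(32)


def verify_csrf(method: str, cookies: dict, form: dict, headers: dict):
    """Return (ok, reason). Simplified stand-in for the middleware check (example code)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"

    cookie_token = cookies.get(COOKIE_NAME)
    if not cookie_token:
        return False, "missing csrf cookie"

    # Token from the form body first, otherwise from the ajax header.
    submitted = form.get(FORM_FIELD)
    if not submitted:
        submitted = next((v for k, v in headers.items() if k.lower() == HEADER_NAME), None)
    if not submitted:
        return False, "missing csrf token in body and header"

    # Constant-time comparison; bytes so non-ASCII input cannot raise a TypeError.
    if not hmac.compare_digest(cookie_token.encode(), submitted.encode()):
        return False, "token mismatch"
    return True, "ok"


def simulate_transfer_requests() -> dict:
    """Constructed requests to the /transfer/ endpoint from the page's scenario."""
    token = generate_token()
    session = {COOKIE_NAME: token, "sessionid": "constructed-session"}
    return {
        # Legitimate form post: browser sends the cookie, the form carries the token.
        "form_post": verify_csrf("POST", session, {FORM_FIELD: token, "money": "100"}, {}),
        # Legitimate ajax post: token comes from the header instead of the body.
        "ajax_post": verify_csrf("POST", session, {"money": "100"}, {"X-CSRFToken": token}),
        # Forged post from a hacker's page: the browser still attaches the cookie,
        # but the hacker's page cannot read it, so no matching token is present.
        "forged_post": verify_csrf("POST", session, {"money": "100000"}, {}),
    }


if __name__ == "__main__":
    for name, (ok, reason) in simulate_transfer_requests().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The comparison uses hmac.compare_digest rather than == so that the check does not leak timing information; the real middleware additionally masks the token in the form so that the cookie value and the form value differ on the wire.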
Handling csrf defense with ajax:
If you use ajax, the csrf defense needs to be handled manually: either add csrfmiddlewaretoken to the form data, or add an X-CSRFToken header. The csrf token can be extracted from the cookie and set on the request. The sample code is as follows:
```javascript
// Requires jQuery. Reads the value of a cookie by name from document.cookie.
function getCookie(name) {
    var cookieValue = null;
    if (document.cookie && document.cookie !== '') {
        var cookies = document.cookie.split(';');
        for (var i = 0; i < cookies.length; i++) {
            var cookie = jQuery.trim(cookies[i]);
            // Does this cookie string begin with the name we want?
            if (cookie.substring(0, name.length + 1) === (name + '=')) {
                cookieValue = decodeURIComponent(cookie.substring(name.length + 1));
                break;
            }
        }
    }
    return cookieValue;
}

// Thin wrapper around $.ajax that attaches the csrf token to POST requests.
var myajax = {
    'get': function (args) {
        args['method'] = 'get';
        this.ajax(args);
    },
    'post': function (args) {
        args['method'] = 'post';
        this._ajaxSetup();
        this.ajax(args);
    },
    'ajax': function (args) {
        $.ajax(args);
    },
    '_ajaxSetup': function () {
        $.ajaxSetup({
            beforeSend: function (xhr, settings) {
                // Only unsafe, same-origin requests get the X-CSRFToken header,
                // so the token is never sent to another domain.
                if (!/^(GET|HEAD|OPTIONS|TRACE)$/.test(settings.type) && !this.crossDomain) {
                    xhr.setRequestHeader("X-CSRFToken", getCookie('csrftoken'));
                }
            }
        });
    }
};

$(function () {
    $("#submit").click(function (event) {
        event.preventDefault();
        var email = $("input[name='email']").val();
        var money = $("input[name='money']").val();
        myajax.post({
            'url': '/transfer/',
            'data': {
                'email': email,
                'money': money
            },
            'success': function (data) {
                console.log(data);
            },
            // $.ajax takes 'error', not 'fail', for the failure callback.
            'error': function (error) {
                console.log(error);
            }
        });
    });
});
```

iframe related knowledge:
- An iframe can embed a web page from another domain name in your own page, which means it can send cross-domain requests. For example, I can load Baidu's website in my own web page. The sample code is as follows:

```html
<iframe src="http://www.baidu.com/"></iframe>
```

- Because what the iframe loads is a page under another domain name, the same-origin policy applies: js can only operate on code under its own domain name, so js cannot operate on the DOM elements loaded through the iframe.
- If the iframe's src attribute is empty, the same-origin restriction does not apply, and we can operate on the code inside the iframe. Also, with an empty src, content can be written into the iframe, and from there a request can be sent to any domain name.
- html code written directly inside the iframe tag is not loaded by browsers.