django - What is a CSRF token? What is its importance and how does it work?
Okay guys, I'm writing a Django application and I want to get an idea of the CSRF token and how it protects the data. Is the POST data not safe if you do not use CSRF tokens?
I know how to use csrf_token; I need information on how it works.
Cross-Site Request Forgery (CSRF) in simple words

- Assume you are currently logged into your online banking at www.mybank.com.
- Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountnumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
- You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
- If the owner of that site knows the form of the above request (easy!) and correctly guesses that you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
- You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
- Your bank cannot recognize this origin of the request: your web browser will send the request along with your www.mybank.com cookie, and it will look perfectly legitimate. There goes your money!

This is the world without CSRF tokens.

Now for the better one with CSRF tokens:

- The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
- That token is a huge, impossible-to-guess random number that mybank.com will include on its own web page when it serves the page to you. It is different each time they serve any page to anybody.
- The attacker is not able to guess the token, is not able to convince your web browser to surrender it (if the browser works correctly...), and so the attacker will not be able to create a valid request, because a request with the wrong token (or no token) will be refused by www.mybank.com.

Result: you keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.

(Your mileage may vary.)
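The answer above walks through both worlds (cookie only, then cookie plus token). Below is an added illustration of that flow in plain Python; it is not code from the question, the answer, or Django itself. The server, the session store, the `login`/`render_transfer_form`/`handle_transfer` functions and the `SESSIONS` dictionary are all constructed stand-ins for the bank. The hidden field is named `csrfmiddlewaretoken` because that is the field name Django's form tag emits, but the checking logic here is a simplification: the token is bound to the session for the lifetime of that session, rather than regenerated per page as the answer describes.

```python
import secrets
import hmac

# Constructed stand-in for the bank's server-side session store:
# session id (the value in the browser's cookie) -> session data incl. the CSRF token.
SESSIONS = {}


def login(user):
    """Create a session for `user`; the returned id is what the browser stores in its cookie."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return session_id


def render_transfer_form(session_id):
    """Serve the transfer page. The form carries the session's CSRF token as a hidden field,
    which only a page actually served by the bank can contain."""
    token = SESSIONS[session_id]["csrf_token"]
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrfmiddlewaretoken" value="{token}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def handle_transfer(cookies, form):
    """Server-side /transfer handler (constructed). Returns (status, message)."""
    session = SESSIONS.get(cookies.get("sessionid"))
    if session is None:
        return 403, "not logged in"
    # The cookie proves who the browser is logged in as, but not which page built the request;
    # the token proves the request came from a page the bank served to this session.
    submitted = form.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403, "CSRF verification failed"
    return 200, f"transferred {form['amount']} from {session['user']} to {form['to']}"


def legitimate_flow():
    """The user fills in the bank's own form: the browser submits the hidden token it was served."""
    sid = login("alice")
    page = render_transfer_form(sid)
    token = page.split('value="')[1].split('"')[0]
    return handle_transfer({"sessionid": sid},
                           {"csrfmiddlewaretoken": token, "to": "123456", "amount": "10000"})


def forged_flow():
    """A request built by a third-party page: the browser still attaches the bank cookie,
    but the page never saw the bank's form, so it has no token to send."""
    sid = login("alice")
    return handle_transfer({"sessionid": sid}, {"to": "123456", "amount": "10000"})


def guessed_token_flow():
    """Same forged request, but with a token the third party made up."""
    sid = login("alice")
    return handle_transfer({"sessionid": sid},
                           {"csrfmiddlewaretoken": secrets.token_hex(32),
                            "to": "123456", "amount": "10000"})


if __name__ == "__main__":
    print("legitimate:", legitimate_flow())
    print("no token:  ", forged_flow())
    print("guessed:   ", guessed_token_flow())
```

Without the token check, `forged_flow` would succeed exactly as the answer describes, because the cookie alone makes the request look legitimate. `hmac.compare_digest` is used so the comparison does not leak how many leading characters of the token matched.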