django - What is a CSRF token? What is its importance and how does it work?


Okay guys, I am writing a Django application and I want an idea of what a CSRF token is and how it protects the data. Is POST data not safe if I do not use CSRF tokens?

I know how to use csrf_token; I need information on how it works.

Cross-Site Request Forgery (CSRF) in simple words

  • Assume you are currently logged into your online banking at www.mybank.com.
  • Assume a money transfer from mybank.com will result in a request of (conceptually) the form http://www.mybank.com/transfer?to=<SomeAccountNumber>;amount=<SomeAmount>. (Your account number is not needed, because it is implied by your login.)
  • You visit www.cute-cat-pictures.org, not knowing that it is a malicious site.
  • If the owner of that site knows the form of the above request (easy!) and correctly guesses that you are logged into mybank.com (requires some luck!), they could include on their page a request like http://www.mybank.com/transfer?to=123456;amount=10000 (where 123456 is the number of their Cayman Islands account and 10000 is an amount that you previously thought you were glad to possess).
  • You retrieved that www.cute-cat-pictures.org page, so your browser will make that request.
  • Your bank cannot recognize the origin of the request: your web browser will send the request along with your www.mybank.com cookie, and it will look perfectly legitimate. There goes your money!

This is the world without CSRF tokens.

Now for the better one with CSRF tokens:

  • The transfer request is extended with a third argument: http://www.mybank.com/transfer?to=123456;amount=10000;token=31415926535897932384626433832795028841971.
  • That token is a huge, impossible-to-guess random number that mybank.com includes on its own web page when it serves that page to you. It is different each time any page is served to anybody.
  • The attacker is not able to guess the token and is not able to convince your web browser to surrender it (if the browser works correctly...), so the attacker is not able to create a valid request, because requests with the wrong token (or no token) are refused by www.mybank.com.

Result: you keep your 10000 monetary units. I suggest you donate some of that to Wikipedia.

(your mileage may vary.)
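The mechanism described in the answer above, as an added example that is not part of the original post and not Django's own implementation: a toy bank server in plain Python that mints an unguessable token every time it renders the transfer page, expects that token back in the POST, and refuses a transfer whose token is missing or wrong. The same forged request is replayed once without the check and once with it. The class and function names, the user `alice`, the balances and the destination account `123456` (taken from the answer) are constructed for the illustration.

```python
"""Toy model of the bank scenario from the answer above (constructed example,
not Django's implementation). Shows why a request that carries only the
session cookie is accepted without a CSRF check and refused with one."""
import hmac
import secrets


class Bank:
    """Stand-in for www.mybank.com: account balances plus cookie-keyed sessions."""

    def __init__(self):
        self.balances = {"alice": 50_000, "123456": 0}  # constructed sample data
        self.sessions = {}  # session cookie -> {"user": ..., "csrf_token": ...}

    def login(self, user):
        """Log a user in; returns the session cookie the browser will store
        and attach automatically to every later request to this host."""
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = {"user": user, "csrf_token": None}
        return cookie

    def render_transfer_page(self, cookie):
        """Serve the transfer form. A fresh random token is minted on every
        render and embedded in the page. Only a page from this origin can read
        it, so a third-party site never learns the value."""
        session = self.sessions[cookie]
        session["csrf_token"] = secrets.token_hex(32)
        return {"form_field": "csrfmiddlewaretoken", "token": session["csrf_token"]}

    def transfer(self, request, *, require_token):
        """Handle POST /transfer. `request` models what the browser sends:
        the session cookie (attached automatically) plus the form fields."""
        session = self.sessions.get(request.get("cookie"))
        if session is None:
            return "401 not logged in"
        if require_token:
            supplied = request.get("token") or ""
            expected = session["csrf_token"] or ""
            # Constant-time comparison; a missing, stale or guessed token fails.
            if not expected or not hmac.compare_digest(supplied, expected):
                return "403 CSRF verification failed"
        user = session["user"]
        amount, to = request["amount"], request["to"]
        if self.balances[user] < amount:
            return "400 insufficient funds"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        return "200 transferred"


def run_scenario(require_token):
    """Replay the answer's story: Alice logs in and views the transfer page;
    then a request forged by another site arrives with her cookie but without
    the token. Returns (server response, Alice's balance afterwards)."""
    bank = Bank()
    cookie = bank.login("alice")
    bank.render_transfer_page(cookie)  # Alice loads mybank.com normally
    # The browser attaches the mybank.com cookie to the forged request, but
    # the forging site cannot include a token it has never seen.
    forged = {"cookie": cookie, "to": "123456", "amount": 10_000}
    response = bank.transfer(forged, require_token=require_token)
    return response, bank.balances["alice"]


def legitimate_transfer():
    """Alice submits the form herself, including the token the page gave her."""
    bank = Bank()
    cookie = bank.login("alice")
    page = bank.render_transfer_page(cookie)
    request = {"cookie": cookie, "to": "123456", "amount": 100, "token": page["token"]}
    return bank.transfer(request, require_token=True), bank.balances["alice"]


if __name__ == "__main__":
    print("without CSRF token:", run_scenario(require_token=False))
    print("with CSRF token:   ", run_scenario(require_token=True))
    print("legitimate POST:   ", legitimate_transfer())
```

The cookie alone proves only that the browser holds a session, not that the request was built by the bank's own page; the token proves the latter, which is the gap the answer describes. In Django the check is done for you by `CsrfViewMiddleware` together with the `{% csrf_token %}` template tag, so the form field name above mirrors the one Django uses.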
