
how to generate and validate csrf tokens

What is the best way to generate a CSRF token and verify it? From what I have been able to gather, even if you have a hidden form field in a "post" form, a hacker can simply get that form using AJAX, take the CSRF token and send another request to the site to submit the form.

And if we are to check the headers sent to us... then the hacker could simply send the csrf token to a server side script that will then emulate the http headers.

So how does one actually generate and verify csrf tokens?


All token-based CSRF protections can be defeated with XSS, which is what you seem to "have been able to gather". This will be a good read for you: OWASP on CSRF

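As an added example (not part of the original question or answer), here is a minimal server-side implementation of the synchronizer token pattern the OWASP page describes, plus a stateless HMAC-signed variant. The points it illustrates: the token is generated from a cryptographic random source, it is tied to the user's session (so a token read from someone else's form is useless for that session), and the comparison is constant-time. The in-memory `SESSIONS` store, the `SERVER_SECRET` and the `handle_transfer` handler are assumptions made for the example; a real application would use its framework's session store and load the secret from configuration.

```python
import hmac
import secrets
import time

# Constructed in-memory session store for this example: session_id -> session data.
SESSIONS = {}

# Constructed server-side secret for the stateless variant; in practice this is
# loaded from configuration and rotated, never generated at import time.
SERVER_SECRET = secrets.token_bytes(32)


def create_session():
    """Create a session and attach a fresh, unpredictable CSRF token to it."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"csrf_token": secrets.token_urlsafe(32)}
    return session_id


def get_csrf_token(session_id):
    """Return the token that belongs to this session (rendered into forms)."""
    return SESSIONS[session_id]["csrf_token"]


def render_form(session_id):
    """Embed the session's token as a hidden field. token_urlsafe output is
    limited to [A-Za-z0-9_-], so it needs no HTML escaping here."""
    token = get_csrf_token(session_id)
    return (
        '<form method="post" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Send"></form>'
    )


def verify_csrf(session_id, submitted_token):
    """Synchronizer token check: the submitted value must equal the token stored
    for *this* session. compare_digest avoids timing side channels."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"], submitted_token)


def make_stateless_token(session_id, ttl_seconds=3600, now=None):
    """Stateless variant: HMAC over (session_id, expiry) under a server secret.
    Nothing needs to be stored; the server recomputes the MAC on verification."""
    current = now if now is not None else time.time()
    expiry = int(current + ttl_seconds)
    message = f"{session_id}:{expiry}".encode()
    signature = hmac.new(SERVER_SECRET, message, "sha256").hexdigest()
    return f"{expiry}.{signature}"


def verify_stateless_token(session_id, token, now=None):
    """Reject malformed, expired, or forged tokens; bind the check to the session."""
    try:
        expiry_str, signature = token.split(".", 1)
        expiry = int(expiry_str)
    except (ValueError, AttributeError):
        return False
    current = now if now is not None else time.time()
    if current > expiry:
        return False
    message = f"{session_id}:{expiry}".encode()
    expected = hmac.new(SERVER_SECRET, message, "sha256").hexdigest()
    return hmac.compare_digest(expected, signature)


def handle_transfer(session_id, form_fields):
    """Hypothetical POST handler: the CSRF check runs before any state change."""
    if not verify_csrf(session_id, form_fields.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    # ... perform the state-changing action here ...
    return 200, "transfer accepted"


if __name__ == "__main__":
    sid = create_session()
    print(render_form(sid))
    print(handle_transfer(sid, {"csrf_token": get_csrf_token(sid)}))
    print(handle_transfer(sid, {"csrf_token": "guessed-value"}))
```

The stateless form trades storage for a per-token expiry: a leaked token stops working once its expiry passes and cannot be replayed against a different session because the session id is part of the signed message. In both forms the per-session binding is what matters; a token that is the same for every user is no protection at all.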
