{"id":240,"date":"2020-08-10T16:03:28","date_gmt":"2020-08-10T08:03:28","modified":"2026-01-23T15:48:45","modified_gmt":"2026-01-23T07:48:45","slug":"csrf","status":"publish","type":"post","link":"https://systw.net/note/archives/240","title":{"rendered":"CSRF"},"author":1,"categories":[40]}
<div class="wp-block-jetpack-markdown">
<h3>CSRF (Cross Site Request Forgery)</h3>
<p>A forged HTTP request is accepted and executed by the server as if the logged-in user had issued it legitimately.<br>
ps:<br>
CSRF is also called a one-click attack.</p>
<p>&nbsp;</p>
<h3>Attack flow</h3>
<p>1. The attacker prepares a page that targets a CSRF weakness in site A.<br>
2. The victim is logged in to site A, but visits the attacker's page.<br>
3. The attacker's page sends a request to site A in the victim's name.<br>
4. Site A takes the request to be the victim's own and executes it with the victim's identity.</p>
<p>&nbsp;</p>
<h3>Attack principle</h3>
<p>CSRF forges, from a different domain, something that looks like "a request sent by the user in person".<br>
By design, whenever the browser sends a request to a domain it automatically attaches the credentials it holds for that domain: the cookies (which carry the session id) and any cached HTTP authentication.<br>
If the user is logged in, the forged request therefore carries the login information and the server cannot tell it from one the user sent. The attacker never sees the cookie; the browser adds it for him.</p>
<p>&nbsp;</p>
<h3>Problems often met in real penetration tests</h3>
<ul>
<li>SOP (same-origin policy)<br>
A page cannot read the Cookie, LocalStorage or IndexedDB of a non-same-origin page<br>
A page cannot access the DOM of a non-same-origin page<br>
An AJAX request to a non-same-origin address is still sent (with cookies, subject to SameSite), but the browser refuses to hand the response to the page. SOP stops the attacker from reading site A, not from writing to it: CSRF is a blind, write-only attack.</li>
<li>CORS configured too strictly<br>
A strict CORS setup only blocks cross-origin XHR/fetch that need a preflight (custom headers, JSON bodies) and reading of responses. A plain form submission (GET, or POST with application/x-www-form-urlencoded) is a "simple request" that is sent regardless of CORS, so the attack has to be built as a form rather than as fetch.</li>
<li>SameSite cookie protection (see the defence section)</li>
</ul>
<p>&nbsp;</p>
<hr>
<h3>Attack examples</h3>
<h4>GET attack example</h4>
<p>Normal case<br>
The following GET transfers 100 to account ray<br>
<code>&lt;a href='https://xbank.com/withdraw100?account=ray'&gt;Transfer 100&lt;/a&gt;</code><br>
The backend does validate the request: it checks that a login session exists, so the transfer only happens while the user is logged in. That check is exactly what CSRF abuses.</p>
<h5>Attack method 1</h5>
<p>1. The attacker prepares the following page for the victim<br>
<code>&lt;a href='https://xbank.com/withdraw100?account=badguy'&gt;Sending you 500&lt;/a&gt;</code></p>
<p>2. The victim, logged in to xbank, opens the attack page and clicks "Sending you 500"<br>
The browser sends a GET request to https://xbank.com/withdraw100?account=badguy<br>
Because of how the browser works, the xbank.com login session (cookie) is sent to the server along with it</p>
<p>3. The server receives the request, checks the session, confirms it is the victim's own request, and transfers 100 to account badguy</p>
<h5>Attack method 2</h5>
<p>1. The attacker prepares the following page for the victim</p>
<pre><code>&lt;img src='https://xbank.com/withdraw100?account=badguy' width='0' height='0' /&gt;
&lt;a href='/add'&gt;Sending you 500&lt;/a&gt;
</code></pre>
<p>2. When the victim, logged in to xbank, merely opens the attack page, the invisible image tag sends the same transfer request to the server; no click is needed<br>
3. The server transfers to account badguy just as before</p>
<p>&nbsp;</p>
<h4>POST attack example</h4>
<p>Normal case<br>
The following POST transfers 100 to account ray</p>
<pre><code>&lt;form action="https://xbank.com/withdraw100" method="POST"&gt;
&lt;input type="hidden" name="account" value="ray"/&gt;
&lt;input type="submit" value="Transfer"/&gt;
&lt;/form&gt;
</code></pre>
<p>The backend validates the login session, so the transfer only happens while the user is logged in. Using POST instead of GET does not by itself prevent CSRF.</p>
<h5>Attack method 1</h5>
<p>1. The attacker prepares the following page for the victim</p>
<pre><code>&lt;form action="https://xbank.com/withdraw100" method="POST"&gt;
&lt;input type="hidden" name="account" value="badguy"/&gt;
&lt;input type="submit" value="Sending you 500"/&gt;
&lt;/form&gt;
</code></pre>
<p>2. The victim, logged in to xbank, opens the attack page and clicks "Sending you 500"; the same transfer request goes to the server<br>
3. The server transfers to account badguy just as before</p>
<h5>Attack method 2</h5>
<p>1. The attacker prepares the following page for the victim</p>
<pre><code>&lt;iframe style="display:none" name="csrf-frame"&gt;&lt;/iframe&gt;
&lt;form method='POST' action='https://xbank.com/withdraw100' target="csrf-frame" id="csrf-form"&gt;
&lt;input type='hidden' name='account' value='badguy'&gt;
&lt;input type='submit' value='submit'&gt;
&lt;/form&gt;
&lt;script&gt;document.getElementById("csrf-form").submit()&lt;/script&gt;
</code></pre>
<p>This creates an invisible iframe, and the form targets it and submits itself automatically, so the victim sees nothing and the attacker's page does not even navigate away<br>
2. When the victim, logged in to xbank, opens the page, the transfer request is sent to the server automatically<br>
3. The server transfers to account badguy just as before</p>
<p>refer<br>
https://stackoverflow.com/questions/17940811/example-of-silently-submitting-a-post-form-csrf</p>
<p>lab:<br>
https://portswigger.net/web-security/csrf/lab-no-defenses</p>
<p>&nbsp;</p>
<h4>Example combined with XSS</h4>
<p>1. The attacker inserts a logout instruction into a comment board that has an XSS weakness<br>
<code>...omit&lt;script&gt;.../logout=1 &lt;/script&gt;...omit...</code><br>
2. The victim opens the comment board while logged in<br>
The comment board triggers the logout instruction and sends that request to the server<br>
3. The server receives it, confirms it is the user, and forcibly logs the user out</p>
<p>Note that in this case the script runs inside the site's own origin, so it is not blocked by SOP or SameSite, and it can read the page's CSRF token as well. A CSRF token does not protect against a site that has XSS.</p>
<p>&nbsp;</p>
<hr>
<h3>Historically well-known CSRF cases</h3>
<h5>Microsoft subdomain CSRF that changed user information:</h5>
<p>In this case a site lacking token protection was found, allowing an attacker to change user information.</p>
<h5>Google subdomain CSRF that deleted accounts:</h5>
<p>In this case the site had token protection, but the account-deletion action did not validate the token correctly: the attacker only had to supply a valid token (his own) to pass the check, because the token was not bound to the victim's session.</p>
<h5>Facebook CSRF account takeover:</h5>
<p>The exploit had two parts. The first was a server-side redirect; the second was the account takeover itself.</p>
<h5>The Samy worm on MySpace:</h5>
<p>Samy, the first XSS worm on MySpace, was in fact XSS combined with CSRF. At first JavaScript was only written on Samy's own profile page; when someone viewed that page, the script automatically added "samy is my hero" and the JavaScript used for spreading to the viewer's own page.</p>
<p>&nbsp;</p>
<hr>
<h3>Defending against CSRF</h3>
<h4>Server-side defence</h4>
<p>*Check the HTTP Referer<br>
*Add a CSRF token to the request<br>
*Image CAPTCHA, SMS verification code, etc.</p>
<h4>Client-side (browser-enforced) defence</h4>
<p>*SameSite cookie (set by the server in Set-Cookie, enforced by the browser)</p>
<p>&nbsp;</p>
<h4>Check the HTTP Referer</h4>
<p>Per the HTTP protocol, the HTTP header has a field called Referer that records the address the request came from. Normally, requests to security-restricted pages come from the same site.<br>
For example, to reach http://example.bank.com/withdraw?account=bob&amp;amount=1000000&amp;for=Mallory, the user must first log in to example.bank.com and then trigger the transfer by clicking a button on a page. The Referer of that transfer request will be the URL of the page holding the transfer button, normally a page on the host example.bank.com. If an attacker wants to run a CSRF attack on the bank, he can only build the request on his own site, and when the user's browser sends the request to the bank from the attacker's site, the request's Referer points at the attacker's site. So to defend against CSRF the bank only has to validate the Referer of every transfer request: if the host in the Referer URL is example.bank.com, the request came from the bank's own site and is legitimate; if the Referer is another site it may be a CSRF attack and the request should be rejected. This method has three problems to watch for:</p>
<ul>
<li>Some browsers, and any page served with a strict Referrer-Policy, may not send a Referer at all. The Origin header, which browsers send on cross-origin POSTs and cannot be suppressed by Referrer-Policy, is the better header to check first.</li>
<li>Some users may turn off automatic sending of the Referer, which makes the server reject real users' requests if it fails closed.</li>
<li>The code that decides which domain is legitimate must have no bugs. In particular it must parse the URL and compare the host exactly; a "starts with example.bank.com" string check accepts https://example.bank.com.evil.tld/ and https://example.bank.com@evil.tld/.</li>
</ul>
<h4>Add a CSRF token to the request</h4>
<p>To prevent CSRF, a token the attacker cannot forge can be added to the request, with an interceptor on the server that validates it. The token is added to the HTTP request as a parameter (a hidden form field or a request header); if the request has no token, or the token is wrong, it is treated as a possible CSRF attack and rejected. The token must be unpredictable (from a CSPRNG) and bound to the user's session, so that, unlike the Google case above, a token valid for the attacker's own session is not accepted for the victim's.<br>
Note, however, that if the server supports CORS requests, an attacker may still be able to issue a request from his page and read the CSRF token from the response, and then attack with it. This only works if the server echoes the attacker's origin in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true; it depends on whether the server accepts that origin.</p>
<h4>Image CAPTCHA, SMS verification code, etc.</h4>
<p>Like an online bank requiring an SMS verification code for a transfer, this adds one more check that a forged request cannot pass. An image CAPTCHA also stops the attacker, because he cannot know the answer to the CAPTCHA. These are usually reserved for the most sensitive actions, since they cost the user effort on every request.</p>
<h4>SameSite cookie</h4>
<p>Some sites use SameSite cookies to defend against CSRF. The SameSite attribute controls whether, and how, a cookie is submitted in a cross-site request. By setting the attribute on the session cookie, the application can stop the browser's default behaviour of adding the cookie to every request regardless of where the request comes from. SameSite=Strict never sends the cookie on a cross-site request; SameSite=Lax sends it only on a top-level navigation using a safe method such as GET, so it still allows the link-click GET attack above unless state-changing actions refuse GET; SameSite=None (which requires Secure) restores the old behaviour.</p>
<p>&nbsp;</p>
<p>refer<br>
http://mycck.blogspot.tw/2008/04/csrf.html<br>
https://www.ithome.com.tw/voice/115822<br>
https://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/index.html<br>
https://blog.techbridge.cc/2017/02/25/csrf-introduction/<br>
https://www.anquanke.com/post/id/204052</p>
</div>
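The Referer check described in the defence section, as an added example that is not part of the original note: it implements the "starts with example.bank.com" rule literally to show why the third caveat (the decision code must be bug-free) matters, then the exact-host comparison, with Origin preferred over Referer. TRUSTED_HOST is the host from the note's Referer discussion; the function names, the sample headers and the fail-closed policy for missing headers are this example's own assumptions.

```javascript
// Added example (not from the original note): validating Origin/Referer on a
// state-changing request. Host taken from the note; everything else assumed.
const TRUSTED_HOST = 'example.bank.com';

// The rule as the note words it ("Referer starts with example.bank.com"),
// implemented literally. Kept only to show the bug: a string prefix test is
// not a host comparison.
function refererLooksOkNaive(referer) {
  return typeof referer === 'string' &&
    referer.startsWith('https://' + TRUSTED_HOST);
}

// Parse the header value as a URL and compare the hostname exactly.
// Returns 'trusted', 'untrusted' or 'absent'.
function classifyUrlHeader(value) {
  if (!value) return 'absent';
  let url;
  try {
    url = new URL(value);
  } catch (e) {
    // Unparseable, e.g. the literal string "null" browsers send as Origin
    // for sandboxed or opaque contexts: treat as untrusted.
    return 'untrusted';
  }
  if (url.protocol !== 'https:') return 'untrusted';
  return url.hostname === TRUSTED_HOST ? 'trusted' : 'untrusted';
}

// Decide whether a state-changing request (e.g. POST /withdraw100) may proceed.
// Origin is checked first: browsers send it on cross-origin form posts and
// fetches and Referrer-Policy cannot strip it. Referer is the fallback.
// When neither header is present the request is rejected (fail closed); the
// note's first two caveats describe the usability cost of that choice.
function allowStateChange(headers) {
  const fromOrigin = classifyUrlHeader(headers.origin);
  if (fromOrigin !== 'absent') return fromOrigin === 'trusted';
  return classifyUrlHeader(headers.referer) === 'trusted';
}

// Constructed sample headers, as the bank would see them.
const SAMPLES = {
  legit:     { origin: 'https://example.bank.com', referer: 'https://example.bank.com/transfer' },
  lookalike: { referer: 'https://example.bank.com.evil.tld/csrf.html' },
  userinfo:  { referer: 'https://example.bank.com@evil.tld/' },
  noHeaders: {},
};

for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', refererLooksOkNaive(headers.referer),
    'exact:', allowStateChange(headers));
}
```

Both lookalike Referers pass the naive prefix check and fail the parsed-host check; the request with no headers is rejected, which is the trade-off the note's first two caveats describe.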
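The CSRF token defence from the defence section and the token-validation flaw described in the Google account-deletion case, as an added example that is not part of the original note: a per-session token generated from the CSPRNG, compared in constant time, and checked against the requester's own session rather than merely for existence. The in-memory session store, the request shape and the handler name are assumptions of this example; a real application would use its framework's session and middleware.

```javascript
// Added example (not from the original note): synchronizer CSRF token with
// session binding. Session store and request shape are constructed here.
const crypto = require('crypto');

// Constructed in-memory session store: sid -> { csrfToken }
const sessions = new Map();

// Create a session and bind a fresh, unpredictable token to it.
function createSession() {
  const sid = crypto.randomBytes(16).toString('hex');
  sessions.set(sid, { csrfToken: crypto.randomBytes(32).toString('hex') });
  return sid;
}

// The token the page embeds in its forms (hidden field) for this session.
function csrfTokenFor(sid) {
  return sessions.get(sid).csrfToken;
}

// Constant-time comparison; the length check leaks only the length.
function tokensEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const ba = Buffer.from(a);
  const bb = Buffer.from(b);
  if (ba.length !== bb.length) return false;
  return crypto.timingSafeEqual(ba, bb);
}

// The flawed check from the note's Google case: any token known to the
// server passes, no matter whose session issued it. An attacker submits
// the token from his own session together with the victim's cookie.
function validateTokenAnySession(token) {
  for (const s of sessions.values()) {
    if (tokensEqual(s.csrfToken, token)) return true;
  }
  return false;
}

// Correct check: the token must be the one bound to the requester's session.
function validateToken(sid, token) {
  const s = sessions.get(sid);
  return !!s && tokensEqual(s.csrfToken, token);
}

// Simulated handler for POST /withdraw100.
// req = { cookies: { sid }, body: { account, csrf_token } }
function handleWithdraw(req) {
  if (!validateToken(req.cookies.sid, req.body.csrf_token)) {
    return { status: 403, transferredTo: null };
  }
  return { status: 200, transferredTo: req.body.account };
}

// Stand-alone demo: victim and attacker each have a session.
const victimSid = createSession();
const attackerSid = createSession();
console.log('flawed check accepts attacker token:',
  validateTokenAnySession(csrfTokenFor(attackerSid)));
console.log('forged POST without token:',
  handleWithdraw({ cookies: { sid: victimSid }, body: { account: 'badguy' } }));
console.log('forged POST with attacker token:',
  handleWithdraw({ cookies: { sid: victimSid },
    body: { account: 'badguy', csrf_token: csrfTokenFor(attackerSid) } }));
```

The forged form from the POST attack examples carries the victim's cookie but cannot carry the victim's token, because SOP prevents the attacker's page from reading it; the bound check therefore rejects both the tokenless request and the one carrying the attacker's own token. The token still does nothing against XSS on the same origin, as the combined example notes.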
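The SameSite rule from the defence section, checked against the note's four attack pages, as an added example that is not part of the original note: a Set-Cookie builder and a model of the browser's decision to attach the session cookie, then a table of the GET link, GET img, visible POST form and auto-submitting iframe attacks. The attack table is constructed from the note's examples; treating a cookie without a SameSite attribute as Lax follows current Chrome behaviour and is an assumption of the model (Chrome additionally sends such cookies on cross-site POSTs for two minutes after they are set, which the model ignores).

```javascript
// Added example (not from the original note): model of the browser's
// SameSite decision, applied to the note's attack pages.

// Build the Set-Cookie header the server emits for the session cookie.
function setCookieHeader(name, value, opts) {
  const parts = [name + '=' + value, 'Path=/', 'HttpOnly'];
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) parts.push('SameSite=' + opts.sameSite);
  return parts.join('; ');
}

// cookie: { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
// req:    { method, crossSite, topLevelNavigation, https }
// Returns true if the browser would attach the cookie to this request.
function browserSendsCookie(cookie, req) {
  // Secure cookies travel only over HTTPS.
  if (cookie.secure && !req.https) return false;
  // SameSite=None without Secure is rejected at Set-Cookie time, so it is
  // never stored and never sent.
  if (cookie.sameSite === 'None' && !cookie.secure) return false;
  // Same-site requests always carry the cookie.
  if (!req.crossSite) return true;
  const mode = cookie.sameSite || 'Lax'; // assumption: unspecified defaults to Lax
  if (mode === 'Strict') return false;
  if (mode === 'Lax') return req.topLevelNavigation && req.method === 'GET';
  return true; // None + Secure: legacy behaviour, sent everywhere
}

// The note's four attack pages, seen from xbank.com's side (constructed).
const ATTACKS = {
  getLinkClick:   { method: 'GET',  crossSite: true, topLevelNavigation: true,  https: true },
  getImgTag:      { method: 'GET',  crossSite: true, topLevelNavigation: false, https: true },
  postFormClick:  { method: 'POST', crossSite: true, topLevelNavigation: true,  https: true },
  postAutoIframe: { method: 'POST', crossSite: true, topLevelNavigation: false, https: true },
};

// Names of the attacks that still deliver the session cookie under a policy.
function attacksThatStillWork(cookie) {
  return Object.keys(ATTACKS).filter((k) => browserSendsCookie(cookie, ATTACKS[k]));
}

for (const cookie of [
  { sameSite: 'Strict', secure: true },
  { sameSite: 'Lax', secure: true },
  { sameSite: 'None', secure: true },
  { sameSite: 'None', secure: false },
]) {
  console.log(setCookieHeader('session', 'abc', cookie), '=>', attacksThatStillWork(cookie));
}
```

The Lax row is the practical point: it stops the img tag, the POST form and the auto-submitting iframe, but the link-click GET from attack method 1 still carries the cookie, so SameSite=Lax only protects a site whose state-changing endpoints refuse GET.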