
Understanding CSRF: How GET Requests Can Delete Your Content and How to Defend Against It

This article explains what CSRF (Cross‑Site Request Forgery) is, demonstrates how a simple GET request can silently delete a logged‑in user's content, compares GET and POST attacks, and outlines practical defenses such as referrer checks, CAPTCHAs, and token‑based protection.

Tencent IMWeb Frontend Team

What is CSRF

CSRF (Cross Site Request Forgery) is a web attack listed among the top 20 internet security risks in 2007.

What can CSRF do

Attackers can ride on a victim's authenticated session to make the server perform actions the victim never intended: sending emails, posting messages, purchasing items, transferring virtual currency, deleting articles, and so on.

How CSRF works

Typical flow: the user logs into site A (which has a CSRF vulnerability) and, without logging out, visits a malicious site B. Site B silently issues a request to A from the user's browser. Because browsers attach A's cookies to any request sent to A, regardless of which site triggered it, the request arrives at A carrying the user's session and A treats it as a legitimate action by that user.

Demo – Dangerous GET

Example: a blog provides a GET endpoint

http://imweb.io/cgi-bin/del?id=1

that deletes an article. An attacker can embed an

<img src="http://imweb.io/cgi-bin/del?id=123">

tag in a comment. When the victim's browser renders the comment, it fetches the image URL with a GET request that carries the victim's cookies, and the server deletes the article. The victim sees nothing but a broken image.

Is POST the answer?

Switching the endpoint to POST mitigates the simple image‑based attack, but an attacker can still craft an auto‑submitting form:

<form action="http://imweb.io/cgi-bin/del" method="post">
<input type="text" name="id" value="233" />
</form>
<script> document.forms[0].submit(); </script>

The same-origin policy restricts reading cross-origin responses, not sending cross-origin form submissions, so the browser posts the form to imweb.io with the victim's cookies attached. Switching to POST raises the bar slightly but does not remove the vulnerability.

Defenses

Three common options: Referrer validation, CAPTCHA, and tokens.

Referrer checks can block some CSRF attempts but are unreliable: the Referer header is often absent (for example on HTTPS to HTTP navigations or when privacy settings strip it), so a strict check rejects legitimate users while a lenient one lets forged requests through. CAPTCHAs provide strong protection but are impractical to demand on every request. Tokens (e.g., CSRF tokens derived from the user's session cookie) are the most common defense: the server embeds the token in its own pages, and verifies it on each state-changing request. The token must travel in a form field or request header that the attacking page has to supply explicitly; a token the browser attaches automatically, such as a cookie, would be forwarded by a forged request just like the session cookie is.
