Abstract
Traditional client-based defense methods have poor user experience and poor compatibility, are prone to false positives and false negatives, and cannot effectively prevent Cross-site Request Forgery (CSRF) attacks. To address this, a defense method that randomizes request parameter names is proposed. By reversibly encrypting the parameter names in the website's Uniform Resource Locator (URL) addresses, such as the parameter names in HTML forms, the method ensures that the parameter names of all requests within one session interaction are randomized, preventing an attacker from obtaining the parameter names needed to mount a CSRF attack. Based on this method, an open-source PHP library is designed and implemented and deployed on open-source PHP programs. Experimental results show that, compared with Token-based methods, this method defends against CSRF attacks more effectively.
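As an added illustration of the parameter-name randomization described above (example code, not the paper's open-source PHP library): a per-session secret drives reversible encryption of form field names, and on submission the server maps the names back, discarding any parameter whose name was not issued under this session. The cipher choice, the `p_` prefix and all helper names are assumptions of this example.

```php
<?php
// Added example, not the paper's library: per-session reversible encryption of
// request parameter names, so a forger who knows only the static names fails.
const PN_CIPHER = 'aes-128-cbc';   // assumption: 16-byte key and 16-byte IV

// One secret per session; every name changes when the session changes.
function pn_session_secret(array &$session): string {
    if (!isset($session['pn_secret'])) {
        $session['pn_secret'] = random_bytes(32);   // key || IV
    }
    return $session['pn_secret'];
}

// Deterministic within a session, so the name printed into a form and the
// name decoded on submission agree without a server-side lookup table.
function pn_encode(string $name, string $secret): string {
    $ct = openssl_encrypt($name, PN_CIPHER, substr($secret, 0, 16),
                          OPENSSL_RAW_DATA, substr($secret, 16, 16));
    return 'p_' . bin2hex($ct);   // hex keeps it a valid field/query name
}

function pn_decode(string $randomized, string $secret): ?string {
    if (!preg_match('/^p_((?:[0-9a-f]{2})+)$/', $randomized, $m)) {
        return null;
    }
    $pt = openssl_decrypt(hex2bin($m[1]), PN_CIPHER, substr($secret, 0, 16),
                          OPENSSL_RAW_DATA, substr($secret, 16, 16));
    return $pt === false ? null : $pt;   // bad padding => not issued by us
}

// Map $_POST / $_GET back to logical names. Names that do not decrypt under
// this session's secret are dropped: that is what a forged request looks like.
function pn_decode_request(array $params, string $secret): array {
    $out = [];
    foreach ($params as $k => $v) {
        $name = pn_decode((string) $k, $secret);
        if ($name !== null) { $out[$name] = $v; }
    }
    return $out;
}

// Usage with constructed input: the submission also carries the static name
// an attacker would guess; only the randomized one survives decoding.
$session = [];
$secret  = pn_session_secret($session);
$field   = pn_encode('amount', $secret);
echo '<input type="text" name="', htmlspecialchars($field), '">', "\n";
var_dump(pn_decode_request([$field => '100', 'amount' => '1000000'], $secret));
```

Because the mapping is keyed per session, a page fetched in one session yields names that are meaningless in another, which is the property the paper relies on instead of a per-form token.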
Authors
WANG Yingjun; FU Jianming; JIANG Baihe (School of Computer, Wuhan University, Wuhan 430072, China)
Source
Computer Engineering (计算机工程)
Indexed in: CAS; CSCD; Peking University Core Journals
2018, No. 11, pp. 158-164 (7 pages)
Funding
National Natural Science Foundation of China (61373168)
Keywords
Web security
Cross-site Request Forgery (CSRF) attack
diversity-based security
parameter name
randomization