```http
POST /bank/transfer.aspx HTTP/1.1
Referer: http://evilsite.com/myevilblog
User-Agent: Mozilla/4....
Host: www.altoromutual.com
Content-Length: 42
Cookie: SessionId=x3q2v0qpjc0n1c55mf35fxid;

creditAccount=1001160141&transferAmount=10
```
```java
// Referer check: reject the request when a Referer is present but does not
// start with the site's own origin (a request without any Referer passes).
if (request.getHeader("referer") != null &&
        request.getHeader("referer").indexOf("http://www.altoromutual.com") != 0) {
    throw new Exception("Invalid referer");
}
```
```http
GET /marketingannouncements HTTP/1.1
Referer: http://www.google.com
```
```html
<form id="transferForm" action="https://www.altoromutual.com/bank/transfer.aspx" method="post">
  Enter the credit account:
  <input type="text" name="creditAccount" value="">
  Enter the transfer amount:
  <input type="text" name="transferAmount" value="">
  <input type="hidden" name="xsrftoken" value="JKBS38633jjhg0987PPll">
  <input type="submit" value="Submit">
</form>
```
```
https://www.altoromutual.com/bank/getuserinfo.aspx?creditAccount=1001160141&transferAmount=1000&xsrftoken=JKBS38633jjhg0987PPll
```
```http
POST /bank/transfer.aspx HTTP/1.1
Referer: https://www.altoromutual.com/bank
xsrftoken: JKBS38633jjhg0987PPll
User-Agent: Mozilla/4....
Host: www.altoromutual.com
Content-Length: 42
Cookie: SessionId=x3q2v0qpjc0n1c55mf35fxid;

creditAccount=1001160141&transferAmount=10
```
```html
<form id="transferForm" action="https://www.altoromutual.com/bank/transfer.aspx" method="post">
  Enter the credit account:
  <input type="text" name="creditAccount" value="">
  Enter the transfer amount:
  <input type="text" name="transferAmount" value="">
  <!-- type="button" stops the browser from also submitting the form natively;
       the handler adds the xsrftoken header and then submits the form itself -->
  <button type="button" onclick="addXsrfHeaderAndSubmitForm(dojo.byId('transferForm'))">Submit</button>
</form>
```
```java
class AuthenticatedServletBase extends ServletBase {
    protected boolean service(...) {
        .....
        // Compare the token held in the session with the one sent in the request
        // (as the xsrftoken header or the hidden xsrftoken form field).
        if (!sessionUtil.getXsrfToken().equals(requestUtil.getXsrfToken())) {
            showXSRFTokenError();
            return true; // handled: stop any further processing here
        }
        ....
    }
}
```
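As an added example (not the page's own Java), the Referer check and the xsrftoken check from the listings above modelled in Python: the host, token and request values are constructed to mirror the page's samples, and the exact-host Referer comparison plus the constant-time token comparison are hardening choices of this example, not the page's.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Constructed to mirror the page's listings (not real credentials).
TRUSTED_HOST = "www.altoromutual.com"
SESSION_TOKEN = "JKBS38633jjhg0987PPll"  # the token kept in the server-side session

def new_xsrf_token() -> str:
    """Mint an unguessable token to store in the session and emit in forms."""
    return secrets.token_urlsafe(32)

def header(headers: dict, name: str):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def referer_is_trusted(headers: dict) -> bool:
    """Referer check from the page. Like the Java version it lets a request with
    no Referer through, so it is only a secondary control; unlike the page's
    prefix match, the parsed host is compared exactly."""
    referer = header(headers, "Referer")
    if referer is None:
        return True
    return urlsplit(referer).hostname == TRUSTED_HOST

def xsrf_token_valid(session_token: str, headers: dict, body: str) -> bool:
    """Token check from AuthenticatedServletBase: the token may arrive as the
    xsrftoken request header or as the hidden xsrftoken form field."""
    supplied = header(headers, "xsrftoken")
    if supplied is None:
        supplied = parse_qs(body).get("xsrftoken", [None])[0]
    if supplied is None or session_token is None:
        return False
    # Constant-time comparison rather than String.equals.
    return hmac.compare_digest(session_token.encode(), supplied.encode())

def service(session_token: str, headers: dict, body: str) -> str:
    """Decision the servlet base class takes for a state-changing POST."""
    if not referer_is_trusted(headers):
        return "Invalid referer"
    if not xsrf_token_valid(session_token, headers, body):
        return "XSRF token error"
    return "ok"

# Constructed requests: the forged one from the first listing, then two valid ones.
BODY = "creditAccount=1001160141&transferAmount=10"
FORGED = ({"Referer": "http://evilsite.com/myevilblog"}, BODY)
WITH_HEADER = ({"Referer": "https://www.altoromutual.com/bank", "xsrftoken": SESSION_TOKEN}, BODY)
WITH_FIELD = ({"Referer": "https://www.altoromutual.com/bank"}, BODY + "&xsrftoken=" + SESSION_TOKEN)
```

A request that omits the Referer entirely slips past the first check but is still rejected by the token check, which is why the token is the primary control.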
Welcome to the Electronics Technology Forum, China's professional learning and exchange community for electronic engineers - Zhongdianwang Technology Forum (http://bbs.eccn.com/) | Powered by Discuz! 7.0.0