remove very unsafe link to bad-crook-site (#26877)

* remove very unsafe link to bad-crook-site

The link to bad-crook-site is very unsafe. Nobody should click that ever. Not sure why you are linking there, but it's an actual scam site with explicit porn ads on it.

* Update anti-request-forgery.md

changed the malicious site to www.example.com

* Update anti-request-forgery.md

Co-authored-by: Rick Anderson <3605364+Rick-Anderson@users.noreply.github.com>
pull/26872/head
ottodobretsberger 2022-08-30 14:23:09 -05:00 committed by GitHub
parent 3635172d9c
commit 31652a1cbc
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 15 additions and 15 deletions


@ -18,17 +18,17 @@ Cross-site request forgery (also known as XSRF or CSRF) is an attack against web
An example of a CSRF attack:
1. A user signs into `www.good-banking-site.com` using forms authentication. The server authenticates the user and issues a response that includes an authentication cookie. The site is vulnerable to attack because it trusts any request that it receives with a valid authentication cookie.
1. The user visits a malicious site, `www.bad-crook-site.com`.
1. A user signs into `www.good-banking-site.example.com` using forms authentication. The server authenticates the user and issues a response that includes an authentication cookie. The site is vulnerable to attack because it trusts any request that it receives with a valid authentication cookie.
1. The user visits a malicious site, `www.bad-crook-site.example.com`.
The malicious site, `www.bad-crook-site.com`, contains an HTML form similar to the following example:
The malicious site, `www.bad-crook-site.example.com`, contains an HTML form similar to the following example:
:::code language="html" source="anti-request-forgery/samples_snapshot/vulnerable-form.html":::
Notice that the form's `action` posts to the vulnerable site, not to the malicious site. This is the "cross-site" part of CSRF.
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.com`.
1. The request runs on the `www.good-banking-site.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.example.com`.
1. The request runs on the `www.good-banking-site.example.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
In addition to the scenario where the user selects the button to submit the form, the malicious site could:
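Review bot: the `:::code ... source="anti-request-forgery/samples_snapshot/vulnerable-form.html":::` include in this hunk is not touched by the change (the commit modifies only this one file), so the sample form's `action` still posts to whatever host the snapshot file uses while the prose around it now says `www.good-banking-site.example.com`. Update `vulnerable-form.html` in the same change so its `action` matches the renamed host, and confirm the snapshot does not itself carry the old `www.bad-crook-site.com` address that the commit message flags as a live scam domain.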
@ -285,17 +285,17 @@ Cross-site request forgery (also known as XSRF or CSRF) is an attack against web
An example of a CSRF attack:
1. A user signs into `www.good-banking-site.com` using forms authentication. The server authenticates the user and issues a response that includes an authentication cookie. The site is vulnerable to attack because it trusts any request that it receives with a valid authentication cookie.
1. The user visits a malicious site, `www.bad-crook-site.com`.
1. A user signs into `www.good-banking-site.example.com` using forms authentication. The server authenticates the user and issues a response that includes an authentication cookie. The site is vulnerable to attack because it trusts any request that it receives with a valid authentication cookie.
1. The user visits a malicious site, `www.bad-crook-site.example.com`.
The malicious site, `www.bad-crook-site.com`, contains an HTML form similar to the following example:
The malicious site, `www.bad-crook-site.example.com`, contains an HTML form similar to the following example:
:::code language="html" source="anti-request-forgery/samples_snapshot/vulnerable-form.html":::
Notice that the form's `action` posts to the vulnerable site, not to the malicious site. This is the "cross-site" part of CSRF.
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.com`.
1. The request runs on the `www.good-banking-site.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.example.com`.
1. The request runs on the `www.good-banking-site.example.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
In addition to the scenario where the user selects the button to submit the form, the malicious site could:
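Review bot: the commit message says the malicious host was changed to `www.example.com`, but this hunk replaces it with `www.bad-crook-site.example.com`, and it also appends `.example.com` to the bank host, which the message does not mention at all. Bring the PR description in line with what the diff does (both hosts moved under `example.com`) so the history records why the good-banking host was renamed too.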
@ -537,17 +537,17 @@ Cross-site request forgery (also known as XSRF or CSRF) is an attack against web
An example of a CSRF attack:
1. A user signs into `www.good-banking-site.com` using forms authentication. The server authenticates the user and issues a response that includes an authentication cookie. The site is vulnerable to attack because it trusts any request that it receives with a valid authentication cookie.
1. The user visits a malicious site, `www.bad-crook-site.com`.
1. A user signs into `www.good-banking-site.example.com` using forms authentication. The server authenticates the user and issues a response that includes an authentication cookie. The site is vulnerable to attack because it trusts any request that it receives with a valid authentication cookie.
1. The user visits a malicious site, `www.bad-crook-site.example.com`.
The malicious site, `www.bad-crook-site.com`, contains an HTML form similar to the following example:
The malicious site, `www.bad-crook-site.example.com`, contains an HTML form similar to the following example:
:::code language="html" source="anti-request-forgery/samples_snapshot/vulnerable-form.html":::
Notice that the form's `action` posts to the vulnerable site, not to the malicious site. This is the "cross-site" part of CSRF.
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.com`.
1. The request runs on the `www.good-banking-site.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
1. The user selects the submit button. The browser makes the request and automatically includes the authentication cookie for the requested domain, `www.good-banking-site.example.com`.
1. The request runs on the `www.good-banking-site.example.com` server with the user's authentication context and can perform any action that an authenticated user is allowed to perform.
In addition to the scenario where the user selects the button to submit the form, the malicious site could:
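Review bot: this is the third identical copy of the same rewrite (the hunks at -18, -285 and -537 are line-for-line the same), so every future host rename or wording fix to the CSRF walkthrough has to be applied three times or the versioned sections drift apart. Consider moving the shared attack walkthrough into a single include file that each moniker section pulls in, so a change like this one lands once.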