Tricks to help you avoid CSRF attacks

  

We reported yesterday that researchers at Princeton University found that many well-known websites around the world contain CSRF vulnerabilities, and even ING is no exception. In the most serious case, an attacker can empty the victim's account. CSRF is an attack that forges client requests; its English name is cross-site request forgery, which literally means forging a request across sites.



The text above may not have explained the CSRF attack method clearly. For example, suppose you first log in to your credit card website; the website will usually record your authentication information, for example in a cookie. Then, in some way, you visit what looks like a YouTube URL, but this URL has been tampered with by a hacker. Although it is a YouTube URL and looks like normal YouTube (there may even be a normal video), the page (whether Flash, video, script, or something else) may send an email containing your credit card website authentication information to the hacker's mailbox. In this way the hacker obtains your authentication information and can take over your account.
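The key point in that scenario is that the browser attaches the site's session cookie to a request no matter which page caused it. The following simulation is an added example, not code from the original article: a constructed "bank" site, a handler that trusts the cookie alone, and the same handler with two standard server-side checks (Origin header and a per-session CSRF token). The site origin, users, and request shapes are all assumed.

```python
# Added illustration: a state-changing request accepted on the cookie alone versus
# the same action guarded by an Origin check and a synchronizer token.
# SITE_ORIGIN, users, and request contents are constructed for the example.
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://bank.example"   # assumed origin of the site being protected

@dataclass
class Request:
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Server-side session store: session cookie value -> (user, per-session CSRF token).
SESSIONS = {}

def login(user):
    """Create a session; return the cookie value and the token the site's own page embeds."""
    sid, token = secrets.token_urlsafe(16), secrets.token_urlsafe(16)
    SESSIONS[sid] = (user, token)
    return sid, token

def transfer_vulnerable(req):
    """Trusts the cookie alone: any page that makes the browser send it is accepted."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "denied: not logged in"
    return f"transferred {req.form['amount']} from {sess[0]} to {req.form['to']}"

def transfer_hardened(req):
    """Same action, but the request must also prove it came from the site's own page."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return "denied: not logged in"
    # Check 1: browsers set Origin on cross-site POSTs; reject anything that is not ours.
    if req.headers.get("Origin") != SITE_ORIGIN:
        return "denied: cross-site origin"
    # Check 2: synchronizer token; another origin cannot read it (same-origin policy).
    if not secrets.compare_digest(req.form.get("csrf", ""), sess[1]):
        return "denied: missing or wrong CSRF token"
    return f"transferred {req.form['amount']} from {sess[0]} to {req.form['to']}"

def cross_site_request(sid):
    """What a hostile page can make the victim's browser send: cookie yes, token no."""
    return Request(cookies={"session": sid}, headers={"Origin": "https://evil.example"},
                   form={"amount": "1000", "to": "attacker"})

def legitimate_request(sid, token):
    """What the site's own form sends: same origin and the embedded token."""
    return Request(cookies={"session": sid}, headers={"Origin": SITE_ORIGIN},
                   form={"amount": "10", "to": "friend", "csrf": token})
```

Note that `transfer_vulnerable` also refuses the cross-site request once no session cookie is present, which is exactly why the cookie-clearing and private-browsing advice below reduces the user's exposure.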

CSRF is a vulnerability that is difficult to guard against. As far as I know, there is currently no good way to monitor for CSRF. Some of the more viable prevention methods I can think of:

Do not use online banking. The so-called trick of having nothing to lose: since I do not use online banking, hackers naturally have nothing to go after. (Just a joke :))

Change your password periodically. Regularly changing passwords is always the most advocated method in security.

After visiting sensitive websites (credit card, online banking, etc.), actively clear your history, cookies, form records, and saved passwords, and restart the browser before visiting other websites.

Keep your browser updated, especially with security patches. Also pay attention to updates for the operating system, anti-virus, firewall, and other software.

Don't open websites of unknown origin. It is recommended to use IE7's site identification feature or the Google Toolbar to identify illegal websites.

Use a browser with a "private browsing" feature, such as Safari. The "Private Browsing" feature lets users surf the web without leaving any traces: the browser does not store cookies or any other material, so CSRF can't get useful information.

IE8 calls it "InPrivate Browsing"; Chrome calls it "Incognito mode".

If the browser shows a warning that the certificate does not match the domain name, do not continue; close the browser immediately or go back (if you're a web developer or hacker, pretend I didn't say that).

Manage cookies in the browser. For example, in IE 6.0, open "Tools -> Internet Options -> Privacy". Here you can choose one of six levels, "Block All Cookies", "High", "Medium High", "Medium", "Low", and "Accept All Cookies", simply by dragging the slider. Click the "Edit" button below and enter a specific URL in "Website Address" to allow or block that site from using cookies.

Disable or restrict the use of Java programs and ActiveX controls (this may cause some sites not to display normally).

Clear your history regularly: find the "Clear Forms" and "Clear Passwords" buttons in the browser options and click them periodically; once a week is recommended.

In fact, these tricks are not mysterious at all; the main thing is to improve your security awareness and keep sensitive information away from hackers.


Copyright © Windows knowledge All Rights Reserved