Web applications offer good compatibility and an interactive experience. While being widely used, they also face various unstable factors. Among them, POST-type CSRF (cross-site request forgery) requests can very easily cause serious consequences. Since the CSRF protection methods provided by mainstream commercial web application firewalls are not effective, an improved protection method is studied and applied to a web application firewall. This thesis is based on JavaScript and the web application firewall. The JavaScript file is automatically inserted into the HTML page through content parsing, and clients generate and refresh the token by running the file. For POST requests, event listeners, HTMLFormElement redefinition and Ajax hook technology are used to refresh the token. CSRF requests from malicious web pages cannot refresh the token dynamically and cannot pass token verification, which effectively prevents malicious requests. This thesis defines the token form and token content, analyzes and implements the main functions of the JavaScript and the web application firewall, and finally tests the design. The results show that this design scheme can effectively protect against CSRF-forged POST requests and is compatible with various server development languages.