
(23.01.12) Spring Framework: CSRF (Cross Site Request Forgery)

ํ”„๋กœ๊ทธ๋ž˜๋จธ ์˜ค์›” 2023. 1. 13.

CSRF (Cross Site Request Forgery)

A request sent from a forged web page that was not served by the original site, which the server then handles as if the user had made it on purpose.


Example

Anyone who knows the request URL can try to send a forged request. In the code below, save_score is a plain GET that takes the score in the query string, so any page the victim's browser loads can trigger it, for instance with an <img> whose src points at /csrf/save_score?score=... .
CsrfTestController.java

import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
@RequestMapping("csrf")
public class CsrfTestController
{
   @GetMapping("/")
   @ResponseBody
   public String index()
   {
      return "CSRF TEST";
   }

   @GetMapping("/score")
   public String score(Model model)
   {
      //int score = svc.getScore();
      model.addAttribute("score", 75); // show the score fetched from the DB (hard-coded here for the demo)
      return "thymeleaf/csrf/show_score";
   }

   // Deliberately vulnerable: a state-changing action reachable by a plain GET,
   // with the value in the query string, so any page can trigger it.
   @GetMapping("/save_score")
   @ResponseBody
   public String saveScore(@RequestParam("score") int score)
   {
      // save the score to the DB
      // svc.saveScore(score);
      return "Saved score (" + score + ")";
   }
}

show_score.html

<!DOCTYPE html>
<html xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="utf-8">
<title></title>
<style type="text/css">
   #score_panel { width:100px; border:3px double red; text-align: center;}
   main{border:1px solid black; width:fit-content; padding:1em;}
</style>
<script src="https://code.jquery.com/jquery-3.6.3.min.js"
integrity="sha256-pvPw+upLPUjgMXY0G+8O0xUf+/Im1MZjXxxgOcBQBXU=" crossorigin="anonymous">
</script>

<script type="text/javascript" th:inline="javascript">
   /* Thymeleaf JavaScript inlining: [[${score}]] is replaced by the model attribute set in the controller */
   var score = [[${score}]];
   alert('Your score is ' + score + ' points');

   $(function(){ $('#score_panel').text(score+''); });

   function add_score()
   {
      score += 1;
      $('#score_panel').text(score+'');
   }

   function save_score()
   {
      // A plain GET with no token: exactly the request a forged page can reproduce
      location.href="/csrf/save_score?score="+score;
   }
</script>

</head>
<body>
<h1>Raise your score</h1>
<h3>Press the button below to raise the score</h3>
<main>
<p id="score_panel"></p>
<button type="button" onclick="add_score();">Raise score</button>
</main>
<p>
<button type="button" onclick="save_score();">Save the score you earned</button>
</p>
</body>
</html>

์‹คํ–‰๊ฒฐ๊ณผ : 
์ž˜๋ชป๋œ ์š”์ฒญ์„ ๋ณด๋‚ด๊ธฐ ์œ„ํ•ด ๋งŒ๋“  html


csrf.html


์œ„ ๊ฐ™์€ ์‚ฌ๊ธฐ ์š”์ฒญ์„ ๋ง‰๊ธฐ ์œ„ํ•ด์„  ์š”์ฒญ์„ ํ•  ๋•Œ ํ† ํฐ์„ ํ•จ๊ป˜ ์ฃผ์–ด ํ† ํฐ์ด ์žˆ๋Š” ์š”์ฒญ์€ ๋ฐ›์•„์˜ค๊ณ  


pom.xml: changed

controller: changed to POST

show_score.html: token-sending logic added
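The post does not show the code for these three steps, so what follows is an added example of the shape the fix takes, not code from the original post. It assumes the pom.xml change adds spring-boot-starter-security (Spring Boot 3 / Spring Security 6 and the Lambda DSL), and the package name com.example.csrfdemo is made up. Spring Security's CsrfFilter only checks "unsafe" methods (POST, PUT, PATCH, DELETE), which is why the controller must move off GET first:

```java
// Added example, not from the original post. Assumes spring-boot-starter-security
// (Spring Security 6) on the classpath; the package name is hypothetical.
package com.example.csrfdemo;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.ResponseBody;

// ---- CsrfDemoSecurityConfig.java ----
@Configuration
@EnableWebSecurity
class CsrfDemoSecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // CSRF protection is on by default; spelled out so the intent is visible.
            // Every POST/PUT/PATCH/DELETE must carry a valid _csrf parameter
            // (or X-CSRF-TOKEN header) bound to the caller's session, else 403.
            .csrf(Customizer.withDefaults())
            // The demo has no login, so open the /csrf/** URLs; everything else
            // keeps Spring Security's default of requiring authentication.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/csrf/**").permitAll()
                .anyRequest().authenticated());
        return http.build();
    }
}

// ---- CsrfTestController.java (hardened) ----
@Controller
@RequestMapping("/csrf")
class CsrfTestController {

    @GetMapping("/")
    @ResponseBody
    public String index() {
        return "CSRF TEST";
    }

    @GetMapping("/score")
    public String score(Model model) {
        // int score = svc.getScore();
        model.addAttribute("score", 75); // score fetched from the DB (hard-coded for the demo)
        return "thymeleaf/csrf/show_score";
    }

    // Was @GetMapping. A state change must not be reachable by a plain GET:
    // the CsrfFilter never checks GET, and an <img src=...> on any page could fire it.
    @PostMapping("/save_score")
    @ResponseBody
    public String saveScore(@RequestParam("score") int score) {
        // svc.saveScore(score);
        return "Saved score (" + score + ")";
    }
}
```

For the template step, replace the location.href navigation in save_score() with a form posted to the same URL: <form th:action="@{/csrf/save_score}" method="post"> containing <input type="hidden" name="score" id="score_field" th:value="${score}"> and a submit button, and have add_score() also update that hidden field ($('#score_field').val(score)). Because th:action is used, Thymeleaf together with Spring Security inserts the hidden <input type="hidden" name="_csrf" value="..."> for you; writing it out explicitly as <input type="hidden" th:name="${_csrf.parameterName}" th:value="${_csrf.token}"> gives the same result. The forged page can still auto-submit a cross-site POST form, but it cannot read the victim's _csrf value (same-origin policy) and the value is tied to the victim's session, so that request is rejected with 403.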