Journal of Information Security Research (信息安全研究) ›› 2019, Vol. 5 ›› Issue (3): 223-229.


Design and Implementation of a CSRF Defense Module Based on MD5 (original title: 基于MD5的CSRF防御模块的设计与实现)

Ye Chao (叶超)

  1. College of Computer Science (College of Software Engineering), Sichuan University
  • Received: 2019-03-12 Online: 2020-03-15 Published: 2019-03-12
  • Corresponding author: Ye Chao
  • About the author: Ye Chao, born 1994, master's student; main research interests are computer networks and information security. chao_vici@163.com

Design and Implementation of CSRF Defense Module Based on MD5


Abstract (translated from the Chinese): Since the Internet was opened to the public in the 1990s, the number of Internet users has surged, and daily life, work and study have all become inseparable from it. Many Internet services and applications are delivered to users as Web applications, so Web application security is of the highest importance. Among Web vulnerabilities, cross-site request forgery (CSRF) is called the "sleeping giant" because it is easily overlooked, and it carries a high security risk. Targeting the CSRF attack pattern, this paper designs a CSRF defense module that randomizes parameter names using the MD5 message-digest algorithm. The module is implemented mainly as a Java servlet Filter: it adds random parameters generated by the MD5 message-digest algorithm to the parameter names in uniform resource locators (URLs) and in form fields, which raises the difficulty of forging requests for an attacker and thereby achieves CSRF defense and protects users. Test results show that the method works well and can effectively defend against CSRF attacks; adding the defense module has a small impact on Web server performance, within an acceptable range.

Keywords: Web security, cross-site request forgery, MD5 message-digest algorithm, randomization, filter

Abstract: Since the 1990s the Internet has been open to the public, and the number of people using it has soared. Nowadays the Internet is inseparable from life, work and study. Many Internet services and applications are available to users in the form of Web pages, so the security of Web applications has become the most important thing. Among Web vulnerabilities, the security risk of CSRF (cross-site request forgery) is high; it is called "the sleeping giant" because it is easy to ignore. For the CSRF attack mode, this paper designs a CSRF defense module based on the MD5 message-digest algorithm that randomizes parameter names. It is mainly implemented with a Java filter, which adds a random parameter generated by MD5 to each parameter name in the uniform resource locator (URL) and in form fields. This increases the difficulty for an attacker to forge requests and achieves the purpose of CSRF defense, protecting the user's security. Experimental results demonstrate that the defense module is effective: it can defend against CSRF attacks, and the added module has little impact on the performance of the Web server, within an acceptable range.

Key words: Web security, cross-site request forgery, MD5 message-digest algorithm, randomization, filter
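The mechanism the abstract describes (per-session randomized parameter names derived with MD5, rewritten on the way out and checked by a filter on the way in), as an added Python illustration that is not the paper's Java module; the per-session secret, the `to_account`/`amount` field names and the `rewrite_form`/`restore_params` functions are assumptions made here.

```python
import hashlib
import re
import secrets
from typing import Dict, List, Optional

# Constructed illustration, not the paper's Java module. Assumed design: each
# session holds an unpredictable secret, and every protected parameter name the
# server renders is replaced by MD5(secret || name). A cross-site page never sees
# the secret, so it cannot produce the names a forged request would need.

PROTECTED_PARAMS: List[str] = ["to_account", "amount"]  # assumed form fields

def new_session_secret() -> str:
    # The unpredictability comes from the OS CSPRNG; MD5 only derives the names.
    return secrets.token_hex(16)

def randomized_name(secret: str, name: str) -> str:
    return hashlib.md5(f"{secret}:{name}".encode("utf-8")).hexdigest()

def rewrite_form(html: str, secret: str) -> str:
    """Outgoing filter: rewrite name="..." on protected fields of the rendered form."""
    def repl(m):
        original = m.group(1)
        if original in PROTECTED_PARAMS:
            return f'name="{randomized_name(secret, original)}"'
        return m.group(0)
    return re.sub(r'name="([^"]+)"', repl, html)

def restore_params(secret: str, incoming: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Incoming filter: map randomized names back to the originals.
    Returns None (reject) if any name is not one this session's form was served with."""
    table = {randomized_name(secret, n): n for n in PROTECTED_PARAMS}
    restored: Dict[str, str] = {}
    for key, value in incoming.items():
        if key not in table:  # plain name, or a name issued to another session
            return None
        restored[table[key]] = value
    return restored

def demo() -> bool:
    secret = new_session_secret()
    page = rewrite_form('<form method="post"><input name="to_account"><input name="amount"></form>', secret)
    served = re.findall(r'name="([^"]+)"', page)
    legit = {served[0]: "1234", served[1]: "50"}       # browser echoes the names it was served
    forged = {"to_account": "9999", "amount": "5000"}  # cross-site page can only guess plain names
    return (restore_params(secret, legit) == {"to_account": "1234", "amount": "50"}
            and restore_params(secret, forged) is None)
```

Names derived for one session are rejected by another because the secret differs, which is what makes a request copied from a different user's page fail as well.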