{"id":14207,"date":"2025-06-03T10:43:48","date_gmt":"2025-06-03T07:43:48","guid":{"rendered":"https://www.inetmar.com/blog/?p=14207"},"modified":"2025-06-03T10:43:48","modified_gmt":"2025-06-03T07:43:48","slug":"csrf-nedir","status":"publish","type":"post","link":"https://www.inetmar.com/blog/csrf-nedir/","title":{"rendered":"What Is CSRF?"},"content":{"rendered":"<p>Did you know that a single click while browsing the internet can put your bank account at risk? This is exactly where the question <strong>what is CSRF</strong> comes in. <strong>Cross-Site Request Forgery</strong> (CSRF) is a type of attack that lets cybercriminals trick users into performing unauthorized actions. For example, a post being published from a social media account without your knowledge, or the password of your e-mail account being changed… Frightening, isn't it? But don't worry! In this article we will examine everything about <strong>CSRF, that is, Cross-Site Request Forgery</strong>, in depth.</p>\n<h2>What Is CSRF? (Cross-Site Request Forgery)</h2>\n<p>CSRF is a type of cyber attack in which a malicious website causes unauthorized actions to be performed in a user's name while that user has a session open in their browser. It may sound complicated, but think of it simply like this: you logged in to a bank site and then clicked a malicious link in another tab. That link can send a money-transfer order to your bank in your name! 
A <strong>CSRF attack</strong> does not steal the user's credentials; it only abuses the existing session. That is what makes it both sneaky and dangerous.</p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-14213 aligncenter\" src=\"https://www.inetmar.com/blog/wp-content/uploads/2025/06/CSRFnedir-300x169.jpg\" alt=\"what is csrf\" width=\"698\" height=\"393\" srcset=\"https://www.inetmar.com/blog/wp-content/uploads/2025/06/CSRFnedir-300x169.jpg 300w, https://www.inetmar.com/blog/wp-content/uploads/2025/06/CSRFnedir-1024x576.jpg 1024w, https://www.inetmar.com/blog/wp-content/uploads/2025/06/CSRFnedir-768x432.jpg 768w, https://www.inetmar.com/blog/wp-content/uploads/2025/06/CSRFnedir.jpg 1280w\" sizes=\"auto, (max-width: 698px) 100vw, 698px\" /></p>\n<h2>How Does a CSRF Attack Work?</h2>\n<p>How does a <strong>CSRF attack</strong> happen? 
Here is a typical scenario:</p>\n<ol>\n<li><strong>Logged-in session:</strong> The user logs in to a trusted website (for example, a bank or a social media site) and a cookie is stored in the browser.</li>\n<li><strong>Bait link:</strong> The user clicks a malicious link somewhere else (e-mail, social media, a fake site).</li>\n<li><strong>Forged request:</strong> This link tricks the user's browser into silently sending a request to the trusted site (for example, a money transfer or a password change).</li>\n<li><strong>Unauthorized action:</strong> The trusted site assumes the request came from the user and carries out the action, because the cookie is still valid.</li>\n</ol>\n<p>For example, an attacker lures you to a fake site with a link like “Win a free gift!” and, in the background, sends a “transfer 1000 TL” command to your bank. 
From a <strong>web security</strong> standpoint, this is a serious threat!</p>\n<h2>Why Is CSRF Dangerous?</h2>\n<p>A <strong>CSRF attack</strong> carries major risks for both users and websites:</p>\n<ul>\n<li><strong>Financial loss:</strong> Unauthorized transfers can be made from bank accounts.</li>\n<li><strong>Data security:</strong> Your personal information can be altered or deleted.</li>\n<li><strong>Reputation damage:</strong> Websites can lose the trust of their users.</li>\n<li><strong>Easy to carry out:</strong> CSRF is technically a simple type of attack and can be performed with little knowledge.</li>\n</ul>\n<p>That is why <strong>CSRF prevention</strong> methods should be a priority for every web developer and site owner.</p>\n<h2>CSRF Prevention Methods</h2>\n<p>Fortunately, there are effective methods for <strong>CSRF prevention</strong>! Here is what you can do to protect your website and your users:</p>\n<h3>1. Using CSRF Tokens</h3>\n<p>The most common and effective method is to add a unique <strong>CSRF token</strong> to every form request. This token is generated only by the trusted site and is sent with every action. Attackers cannot guess or copy this token. 
For example:</p>\n<ul>\n<li>A hidden field in the form: <code>&lt;input type=\"hidden\" name=\"csrf_token\" value=\"benzersiz_token\"&gt;</code></li>\n<li>The <a href=\"https://www.inetmar.com/sunucu/\" target=\"_blank\" rel=\"noopener\">server</a> checks the request and rejects the action if the token is not valid.</li>\n</ul>\n<p>Most web frameworks (Django, Laravel, Rails) support CSRF tokens automatically.</p>\n<h3>2. The SameSite Cookie Attribute</h3>\n<p>Adding the <strong>SameSite</strong> attribute to cookies blocks CSRF attacks to a large extent. SameSite ensures that cookies are only included in requests coming from the same domain. For example:</p>\n<ul>\n<li><code>SameSite=Strict</code>: The cookie is sent only with requests within the same site.</li>\n<li><code>SameSite=Lax</code>: Allows some cross-site requests, but blocks form submissions.</li>\n</ul>\n<p>Modern browsers (Chrome, Firefox) support this attribute.</p>\n<h3>3. Double-Submit Cookies</h3>\n<p>By adding a cookie and a header to form requests, you can let the server verify the authenticity of the request. Attackers cannot manipulate the headers because of browser security policies.</p>\n<h3>4. 
User Verification Steps</h3>\n<p>Ask for additional verification for sensitive actions (for example, a password change):</p>\n<ul>\n<li>Re-entering the password.</li>\n<li>Multi-factor authentication (MFA).</li>\n<li>E-mail or SMS confirmation.</li>\n</ul>\n<p>This improves <strong>web security</strong> and reduces the CSRF risk.</p>\n<h3>5. Use HTTP Methods Correctly</h3>\n<p>CSRF attacks are usually carried out with POST requests. Avoid using GET requests for state-changing actions. For example, actions such as “delete account” should only be performed via POST.</p>\n<h2>CSRF Examples: What Happens in Real Life?</h2>\n<p>What does a <strong>CSRF attack</strong> look like? Here are a few realistic scenarios:</p>\n<ul>\n<li><strong>Social media:</strong> A user who clicks a fake link unknowingly posts an advertisement from their account.</li>\n<li><strong>Online shopping:</strong> The attacker adds unwanted products to the user's cart or changes the delivery address.</li>\n<li><strong>Banking:</strong> The user unknowingly transfers money to another account.</li>\n</ul>\n<p>These examples help you better understand the question <strong>what is CSRF</strong>.</p>\n<h2>Things to Watch Out for When Preventing CSRF</h2>\n<p>For <strong>CSRF prevention</strong>, pay attention to the following points:</p>\n<ul>\n<li><strong>Test:</strong> Regularly test your website for CSRF vulnerabilities (for example, with tools such as Burp Suite).</li>\n<li><strong>Stay 
up to date:</strong> Update your frameworks and libraries to the latest version.</li>\n<li><strong>User experience:</strong> Security measures should be user-friendly; for example, too much verification should not tire the user.</li>\n<li><strong>Education:</strong> Inform your users not to click suspicious links.</li>\n</ul>\n<h2>CSRF and Other Attack Types: What Is the Difference?</h2>\n<p>A <strong>CSRF attack</strong> differs from other types of web attacks:</p>\n<ul>\n<li><strong>CSRF vs. XSS:</strong> XSS (Cross-Site Scripting) injects malicious code; CSRF abuses the existing session.</li>\n<li><strong>CSRF vs. phishing:</strong> Phishing redirects the user to a fake site; CSRF sends a forged request to the real site.</li>\n</ul>\n<p>Knowing these differences strengthens your <strong>web security</strong> strategies.</p>\n<h2>Why Should You Take CSRF Seriously?</h2>\n<p><strong>Cross-Site Request Forgery</strong> is a simple but effective attack method. It can have serious consequences for both individual users and businesses. If you own a website, you must take measures against CSRF to protect user data and maintain your reputation. If you are a user, you can protect yourself by avoiding links you do not trust. <strong>CSRF prevention</strong> is a small but powerful step in cybersecurity!</p>\n<h2>Frequently Asked Questions</h2>\n<h3>1. 
What is CSRF?</h3>\n<p>Cross-Site Request Forgery is a type of cyber attack that performs unauthorized actions in a user's name.</p>\n<h3>2. How is a CSRF attack prevented?</h3>\n<p>For <strong>CSRF prevention</strong>, CSRF tokens, SameSite cookies, double-submit cookies and additional verification steps can be used.</p>\n<h3>3. Are CSRF and XSS the same?</h3>\n<p>No, a <strong>CSRF attack</strong> abuses the existing session, whereas XSS injects malicious code.</p>\n","protected":false},"excerpt":{"rendered":"<p>Did you know that a single click while browsing the internet can put your bank account at risk? This is exactly where the question what is CSRF comes in. Cross-Site Request Forgery (CSRF) is a type of attack that lets cybercriminals trick users into performing unauthorized 
actions&#46;&#46;&#46;</p>\n","protected":false},"author":2,"featured_media":14216,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[52],"tags":[],"class_list":["post-14207","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guvenlik"],"_links":{"self":[{"href":"https://www.inetmar.com/blog/wp-json/wp/v2/posts/14207","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https://www.inetmar.com/blog/wp-json/wp/v2/posts"}],"about":[{"href":"https://www.inetmar.com/blog/wp-json/wp/v2/types/post"}],"author":[{"embeddable":true,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/users/2"}],"replies":[{"embeddable":true,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/comments?post=14207"}],"version-history":[{"count":8,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/posts/14207/revisions"}],"predecessor-version":[{"id":14217,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/posts/14207/revisions/14217"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/media/14216"}],"wp:attachment":[{"href":"https://www.inetmar.com/blog/wp-json/wp/v2/media?parent=14207"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/categories?post=14207"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.inetmar.com/blog/wp-json/wp/v2/tags?post=14207"}],"curies":[{"name":"wp","href":"https://api.w.org/{rel}","templated":true}]}}