CSRF vulnerability analysis
2022-07-06 18:21:00 【xiaochuhe.】
Warning
Do not use the content mentioned in this article to break the law.
This paper makes no guarantee.
Catalog
III. Introduction to the experimental environment
IV. Hands-on vulnerability learning
(1) GET-based CSRF attack
(2) POST-based CSRF attack
Experimental environment: Hetian Laboratory
I. Prerequisite knowledge: a brief introduction to cookies
Today's mainstream Web applications all use Cookies to store session state, but when browsers introduced Cookies they overlooked a very important security factor: every request generated from a Web page carries the Cookie along. As long as the requested domain matches the domain specified in the Cookie, the user's Cookie is sent with the request, whether it is a page visit or a request for images, text or other resources. The following picture shows the Cookie information attached to the request we sent when visiting the Baidu homepage:
Note: this Cookie behaviour makes it convenient for users to stay logged in to a website across visits, but at the same time it makes it just as convenient for attackers to steal identity information and perform malicious actions.
II. Vulnerability overview
CSRF (Cross-site request forgery), also known as "one click attack" or session riding and commonly abbreviated CSRF or XSRF, is a malicious exploitation of a website. CSRF exploits a trusted site by disguising requests as coming from a trusted user. Compared with XSS, CSRF attacks are less well known (so there are few resources on defending against them) and harder to prevent, which is why they are considered more dangerous than XSS.
The picture below shows a complete CSRF attack. The user logs in to a normal website; after a successful login, the website returns an identity Cookie to the user. When the user then visits a malicious website, the malicious website forces the user to send malicious requests to the normal website. Because the user holds the normal website's Cookie at that moment, it is as if the attacker had stolen the user's identity to visit the normal (target) website.
For a CSRF attack to complete, the victim user needs to take two steps:
- Log in to the normal website, creating a Cookie locally.
- Without logging out of the normal website, visit the malicious website.
III. Introduction to the experimental environment
One machine hosts the normal website (a message board): 10.1.1.189
One machine hosts the malicious website: 10.1.1.23
IV. Hands-on vulnerability learning
(1) GET-based CSRF attack
1. Open the message board and log in with username admin and password 123456:
2. Click the "add message" button to open the add-message page. Press F12 to open the Chrome browser developer tools (or any equivalent HTTP debugging tool), switch to the Network tab, tick the Preserve log option, and get ready to capture the message request. Enter a title and content in the input boxes and click the add button. In the debugging window, click the "add.php?title=…" entry to view the HTTP content of the message request just sent, as shown in the figure below:
As the screenshot shows, what we typed into the message board is appended to the page request URL sent to the server. A request whose parameter fields are carried in the URL is called a GET request, so the first thing we try is a CSRF attack based on a GET request; the next section covers the POST-request form. We also notice that the add-message request carries the user's identity in the Cookie field. Of course, this is for demonstration only: the plaintext username and password are used directly as the Cookie value.
4. Log in to the malicious website and observe the effect of the CSRF attack. The user opens a new tab in the browser and visits the malicious website: http://10.1.1.23/csrf-get-attacker/attacker.html. The malicious website looks like an ordinary web page, but in the background it has served a malicious script to the user. That script uses the Cookie information saved when the user logged in to the message board earlier to impersonate the user and post a message on the message board.
5. Revisit the message board: http://10.1.1.189/csrf-get-target/list.php. A malicious message now appears on the board, as shown in the figure below. It was posted under our identity while we were visiting the malicious website during our logged-in session.
Review the malicious website's code to understand the principle of the CSRF attack:
As the code shows, the malicious website embeds an <img> tag whose CSS style sets it to hidden, so we never saw the tag's content during the visit. The tag's src attribute points at the message board's add-message URL, so loading it sends a malicious message request to the message board. Because the browser has saved our identity Cookie for the message board and attaches that Cookie automatically, the malicious website successfully steals our identity and posts a message. This is the whole process of a GET-based CSRF attack.
(2) POST-based CSRF attack
1. Following the method in step 1, capture the upload packet again and check the format of the message content:
As the screenshot shows, what we entered into the message board is sent to the server in the data field (body) of the HTTP request. A request whose parameter fields are carried in the HTTP data field is called a POST request.
2. Open a new tab in the browser and visit the malicious website: http://10.1.1.23/csrf-post-attacker/attacker.html
A malicious message appears on the message board. It was posted under our identity while we were visiting the malicious website during our logged-in session.
Review the malicious website's code to understand the principle of the CSRF attack:
As the code shows, the malicious website embeds a form whose action is set to the message board's address. Alongside it is a segment of JavaScript whose job is to submit the form automatically. So when the user visits the malicious website, it actually sends a malicious message request to the message board via the POST method.
V. Vulnerability fix
● Verify the Referer value of the request. If the Referer is a domain name beginning with your own website's, the request comes from the website itself and is legitimate. If the Referer is another website's domain name or is blank, it may be a CSRF attack and the server should reject the request. However, this method can be bypassed.
● A CSRF attack succeeds because the attacker can forge the user's request, so the key to defending against CSRF is to put information in the request that the attacker cannot forge. For example, a randomly generated parameter token can be added to the HTTP request and verified on the server side; if the request carries no token, or the token's content is wrong, the request is treated as a possible CSRF attack and rejected.
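Both fixes above, applied to the lab's add-message handler, as an added example that is not the message board's own code: a server-side session that issues a random token at login, a Referer check that compares the host exactly (rather than by prefix, which is the bypass the first bullet warns about), and a constant-time token comparison on every add-message request. The session store, the PHPSESSID cookie name, the csrf_token form field and the two request dicts are all constructed for this demo.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Host of the message board in the article's lab (10.1.1.189).
SITE_HOST = "10.1.1.189"

# Constructed in-memory session store: session id -> session data.
# Stands in for whatever server-side session the real add.php would use.
SESSIONS = {}


def login(session_id, username):
    """Create a server-side session and bind a fresh random CSRF token to it.

    The token is rendered into the site's own add-message form as a hidden
    field; a page on 10.1.1.23 cannot read it, so it cannot forge it."""
    SESSIONS[session_id] = {
        "user": username,
        "csrf_token": secrets.token_urlsafe(32),
    }
    return SESSIONS[session_id]["csrf_token"]


def referer_is_same_site(headers):
    """Fix 1: reject when the Referer is blank or points at another host.

    Returns (ok, reason). The host is compared exactly, not by prefix, so
    a Referer such as http://10.1.1.189.attacker.example/ does not pass."""
    referer = headers.get("Referer", "")
    if not referer:
        return False, "missing Referer"
    host = urlsplit(referer).hostname
    if host != SITE_HOST:
        return False, f"cross-site Referer host {host!r}"
    return True, "same-site"


def token_is_valid(session_id, submitted_token):
    """Fix 2: compare the submitted token with the one bound to the session.

    hmac.compare_digest runs in constant time, so timing does not leak how
    many leading characters of a guessed token were correct."""
    session = SESSIONS.get(session_id)
    if session is None or not submitted_token:
        return False
    return hmac.compare_digest(session["csrf_token"].encode(),
                               submitted_token.encode())


def handle_add_message(request):
    """Fixed add-message handler. `request` is a constructed dict shaped like
    {'cookies': {...}, 'headers': {...}, 'form': {...}}.
    Returns (status_code, message)."""
    session_id = request["cookies"].get("PHPSESSID")
    if session_id not in SESSIONS:
        return 401, "not logged in"
    ok, reason = referer_is_same_site(request["headers"])
    if not ok:
        return 403, f"rejected: {reason}"
    if not token_is_valid(session_id, request["form"].get("csrf_token")):
        return 403, "rejected: missing or incorrect CSRF token"
    return 200, f"message saved for {SESSIONS[session_id]['user']}"


def demo():
    """Replay the two cases from the article: a genuine post and a forged one."""
    sid = "constructed-session-id"
    token = login(sid, "admin")
    # Genuine submission from the message board's own add-message page.
    legit = {
        "cookies": {"PHPSESSID": sid},
        "headers": {"Referer": "http://10.1.1.189/csrf-get-target/add.php"},
        "form": {"title": "hello", "content": "hi", "csrf_token": token},
    }
    # Forged submission: the browser attached the cookie automatically, but the
    # page came from 10.1.1.23 and the attacker never saw the session's token.
    forged = {
        "cookies": {"PHPSESSID": sid},
        "headers": {"Referer": "http://10.1.1.23/csrf-post-attacker/attacker.html"},
        "form": {"title": "malicious", "content": "forged"},
    }
    return handle_add_message(legit), handle_add_message(forged)


if __name__ == "__main__":
    for status, msg in demo():
        print(status, msg)
```

The Referer check is kept as a first layer only: the article notes it can be bypassed, and browsers also omit the header in some configurations, so a missing Referer alone would lock out some legitimate users. The token check is the one that actually decides, because it relies on a value the attacker's page has no way to obtain.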
Experimental environment: Hetian Laboratory
Reference: Hetian Network Security Laboratory - professional online network security / information security cyber range service