0x00Brief Introduction
CSRF (Cross-site request forgery) Cross-site request forgery. Because the target site has no token/referer restrictions, attackers can perform operations as users for various purposes. Based on the HTTP request method, CSRF can be used in two ways.
0x01 GET
Type CSRF
This type of CSRF is generally caused by poor security awareness of programmers. The use of GET-type CSRF is very simple, and only one HTTP request is required. Therefore, it is generally used as follows:
such as, after accessing the page containing this img, successfully to http://wooyun.org/csrf.php? Xx = 11 issued an HTTP request. Therefore, if you replace the URL with a CSRF address, the attack can be completed.
Related cases:
Http://www.bkjia.com/Article/201307/224047.html
0x02 POST
Type CSRF
This type of CSRF poses no harm to the GET type, and usually uses an automatically submitted form, such:
<Form action = http://wooyun.org/csrf.php method = POST>
<Input type = "text" name = "xx" value = "11"/>
</Form>
<Script> document. forms [0]. submit (); </script>.
Case: http://www.bkjia.com/Article/201306/220144.html
0x03
CSRF
CSRF with basic authentication (commonly used in routers ):
POC:
after loading the image, the router will give the user a valid SESSION, you can perform the next operation.
0x04
How to fix
To prevent CSRF attacks, pay attention to the following points:
Key operations only accept POST requests
Verification Code
CSRF attacks usually involve the construction of network requests without your knowledge. Therefore, if you use the verification code, you must interact with each operation to defend against CSRF attacks.
However, if you make any action on a website, entering the verification code will seriously affect the user experience. Therefore, the verification code is generally only displayed in special operations or used during registration.
Detect refer
Common Internet pages are related to pages. For example, you cannot find a link to www.google.com on www.baidu.com, or leave a message on the forum, no matter where the message is redirected, the previous website will contain the message input box, and the previous website will be Referer in the header file of the new page.
By checking the Referer value, we can determine whether the request is legal or illegal, but the problem is that the server does not receive the Referer value at any time, therefore, Refere Check is generally used to monitor the occurrence of CSRF attacks, rather than resisting attacks.
Token
Currently, the mainstream practice is to use Token to defend against CSRF attacks. Next we will analyze the CSRF attack to understand why Token is valid.
The condition for successful CSRF attacks is that attackers can predict all the parameters to construct valid requests. Therefore, according to the unpredictability principle, we can encrypt parameters to prevent CSRF attacks.
Another more common method is to keep the original parameters unchanged, and add another parameter Token, whose values are random. In this way, attackers cannot construct valid requests for attacks because they do not know the Token.
Token usage principles
Token should be random enough-only in this way is unpredictable
The Token is one-time, that is, the Token must be updated after each request is successful ---- This increases the attack difficulty and the Prediction difficulty.
Token confidentiality-use post for sensitive operations to prevent Token from appearing in the URL
0x05
Notes during CSRF Testing
If xss exists in the same domain, other methods except the Verification Code cannot defend against this problem.
There is a program backend that may be accepted using the REQUEST method, and the program uses the post request by default. In fact, a get request can also be sent in the past, which poses a serious risk.
When only refer defense is adopted, you can modify the refer in the request to try to bypass it as follows:
Original refer: http://test.com/index.php
Test several methods (problems may occur if the following methods are available ):
Http://test.com.attack.com/index.php
Http://attack.com/test.com/index.php
[Null] method for constructing a refer with NULL:
Due to browser features, cross-Protocol requests do not contain refer (except for the Geckos kernel). For example, if https is redirected to http, ftp is also possible if the https environment is poor :)
<Iframe src = "data: text/html, <script src = http://www.baidu.com> </script>"> // IE does not support
Use xxx. src = 'javascript: "HTML code method" '; you can remove refer, which must be included in IE8.
<Iframe id = "aa" src = ""> </iframe>
<Script>
Document. getElementById ("aa "). src = 'javascript: "</Script>
// From gainover
