Analysis of web security--CSRF

Source: Internet
Author: User
Tags: CSRF attack

CSRF attack (cross-site request forgery): an attacker constructs a legitimate-looking HTTP request and gets the victim's browser to send it, so that the request is executed under the victim's identity and manipulates the victim's account.


First, CSRF attack principle
CSRF attacks rely on the session the browser already holds with the Web server: the browser attaches the session cookie to every request it sends to that server, so a user who is tricked into accessing an attacker-chosen URL sends a request that the server treats as the user's own action.

Second, CSRF attack scenario (GET)
Case:
Suppose http://www.example.com is the world's largest microblogging platform. By chance, the hacker Tom captures the traffic of the platform's "listen" (follow) function:

GET /listen?uid=218805&listenid=100 HTTP/1.1

Tom works out that uid is his own user ID and listenid is the ID of the user being followed.
He then reasons that a URL such as http://www.example.com/listen?uid=218805&listenid=228820 could be constructed directly.
But Tom does not know other users' IDs, so he tries constructing http://www.example.com/listen?listenid=228820 without the uid parameter. The experiment succeeds: even without a uid, any logged-in user who accesses this URL ends up following user 228820.
Tom therefore prepares a worm attack on the Weibo platform and publishes a seductive microblog that induces users to click a URL link.
Going further, Tom wants every user to help him spread the message, i.e. to forward the microblog, so he intercepts that request as well:

GET /publish?id=928978 HTTP/1.1
Host: www.example.com

So as long as a user accesses http://www.example.com/publish?id=928978, that microblog is forwarded automatically.
New question: how can a single click on one URL make the user access both of these URLs at the same time?
Tom constructs a separate HTML page, open.html:

<html>
  <head>
    <title>tease you to play ...</title>
  </head>
  <body>
    You've been fooled, it's just a joke. <a href="http://www.example.com">Click to return</a>
    <!-- zero-size frames issue both GET requests with the user's cookies -->
    <iframe src="http://www.example.com/listen?listenid=228820" frameborder="0" width="0px"></iframe>
    <iframe src="http://www.example.com/publish.php?id=928978" frameborder="0" width="0px"></iframe>
  </body>
</html>

When user A opens open.html, A's browser automatically follows Tom's account and forwards the microblog to A's own timeline; A's friend B may click it after seeing it, and so on, so the worm propagates in a loop.

Third, CSRF attack scenario (POST)
Using the POST method does not remove the possibility of a CSRF attack; it only raises the difficulty of the attack.
Case:
POST /publish HTTP/1.1
Host: www.example.com

listenid=228820


An attacker could construct a page similar to the following, post.html:

<html>
  <head>
    <title>Post Data</title>
  </head>
  <body>
    <form id="MyForm" method="POST" action="http://www.example.com/publish">
      <input type="hidden" name="listenid" value="228820">
    </form>
    <script>
      // submit the hidden form as soon as the page loads
      var myForm = document.getElementById("MyForm");
      myForm.submit();
    </script>
  </body>
</html>

post.html builds a form and then submits it automatically with JavaScript, so the POST request is sent as soon as the page is opened.

Fourth, Detection of CSRF

CSRF detection is mainly divided into two types: manual detection and semi-automatic detection. Fully automatic CSRF tools have a high false-positive rate and are not considered here.

4.1 Manual detection
When testing for CSRF vulnerabilities, the first thing to understand is that CSRF can only attack through the user's normal operations; it is essentially a hijacking of user actions. Therefore, before testing, enumerate all the features of the Web application and determine which actions are sensitive, such as changing passwords, transferring money, or posting messages.
After identifying a sensitive operation, exercise that function and intercept the HTTP request. For example, the URL of the delete-user action is: http://www.example.com/delUser.action?id=1
Write the CSRF POC for it:

<html>
  <body>
    <form id="MyForm" action="http://www.example.com/delUser.action" method="GET">
      <input type="hidden" name="id" value="5" />
    </form>
    <script>
      // submit the hidden form as soon as the page loads
      var myForm = document.getElementById("MyForm");
      myForm.submit();
    </script>
  </body>
</html>

Whether the server executes the request generated by the POC decides the result: if the sensitive action is carried out without any further check, that function has a CSRF vulnerability.
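A triage helper for the manual check in 4.1 (added example, not code from the original article or from any tool it mentions): it parses captured requests like the /listen and /publish ones above and flags the two properties that make a state-changing request worth a POC test, a GET that changes state and the absence of any anti-CSRF token parameter or custom header. The token parameter names, the sensitive-path list and the sample captures are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, parse_qs

# Parameter names commonly used for anti-CSRF tokens (assumption; extend for the app under test).
TOKEN_NAMES = {"csrf", "csrftoken", "csrf_token", "_token", "token", "nonce", "authenticity_token"}

def parse_request(raw: str) -> dict:
    """Split a captured HTTP/1.1 request into method, path, headers and merged query/body params."""
    head, _, body = raw.strip().partition("\n\n")
    lines = head.splitlines()
    method, target = lines[0].split()[:2]
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    params.update({k: v[0] for k, v in parse_qs(body).items()})  # form-encoded body, if any
    return {"method": method.upper(), "path": parts.path, "headers": headers, "params": params}

def csrf_indicators(req: dict, sensitive_paths: set) -> list:
    """Reasons a captured request deserves a manual CSRF POC test (empty list = no indicator)."""
    findings = []
    if req["path"] not in sensitive_paths:
        return findings  # read-only function: not a CSRF target
    if req["method"] == "GET":
        findings.append("state change via GET: reachable from an <img>/<iframe> src")
    has_token = any(k.lower() in TOKEN_NAMES for k in req["params"])
    has_custom_header = any(h.startswith("x-") for h in req["headers"])
    if not has_token and not has_custom_header:
        findings.append("no anti-CSRF token or custom header: request is replayable cross-site")
    return findings

# Constructed captures modelled on the article's /listen and /publish requests,
# plus one with a token added, to show the contrast.
CAPTURES = {
    "listen": "GET /listen?uid=218805&listenid=100 HTTP/1.1\nHost: www.example.com",
    "publish_post": "POST /publish HTTP/1.1\nHost: www.example.com\n\nlistenid=228820",
    "publish_with_token": "POST /publish HTTP/1.1\nHost: www.example.com\n\n"
                          "listenid=228820&csrf_token=abc123",
}
SENSITIVE = {"/listen", "/publish", "/delUser.action"}  # the sensitive-operation inventory from 4.1

def triage_all() -> dict:
    """Run the indicator check over every capture; keyed by capture name."""
    return {name: csrf_indicators(parse_request(raw), SENSITIVE) for name, raw in CAPTURES.items()}

if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(f"{name}: {findings or ['no CSRF indicator']}")
```

Requests that come back with an empty list still need the manual POC test if the token is not actually validated server-side; the helper only prioritises which captures to test first.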

4.2 Semi-automatic detection
With the tool CSRFTester, you can log each requested URL and automatically generate a CSRF POC for it.
