Bypassing CSRF Protection

Source: Internet
Author: User

The Google Analytics __utmz cookie stores the referral signature as utmcsr=[HOST]|utmccn=(referral)|utmcmd=referral|utmcct=[PATH]. Example:

123456.123456789.11.2.utmcsr=blackfan.ru|utmccn=(referral)|utmcmd=referral|utmcct=/path/

2) The user fully controls the referrer path, and it is not filtered before being written into __utmz.

Part 2. Cookie parsing features of different web servers

1) A typical Cookie header sent by a browser looks like this: Cookie: param1=value1; param2=value2;
2) Many web servers accept cookie pairs separated not only by semicolons but also by commas: Cookie: param1=value1, param2=value2
3) When several cookies with the same name are sent, depending on the web server only the first or only the last cookie passed is used.

Part 3. Cookie handling features of different web browsers

1) In all browsers except Safari, a cookie value may contain spaces, commas and backslashes. Safari allows only commas among these.
2) Chrome's processing of cookie attributes has its own quirks. For example, with Set-Cookie: test=test; domain=.google.com; domain=blah.blah.blah.google.com the cookie is set for .google.com rather than for blah.blah.blah.google.com.

Given:
1) a website that uses Google Analytics;
2) the website is hosted on a web server whose cookie parsing has the features described above;
3) the website protects against CSRF with a cookie (the value in the cookie must match a request parameter submitted by the user).

Then:
1) we can set new cookies or change the values of existing ones at will;
2) the website's CSRF protection can be bypassed.

The main obstacle with the __utmz cookie is that its lifetime is six months and it is not refreshed. In Google Chrome this is solved by finding a subdomain that uses Google Analytics, or by overwriting the domain attribute as described in Part 3. In other browsers, cookie injection becomes possible once __utmz is refreshed.

Exploiting the twitter.com vulnerability in Google Chrome:

1) A user is authenticated on twitter.com.
2) Assume he has not visited translate.twitter.com and therefore has no __utmz set for that subdomain. We get him to open the following address:
http://blackfan.ru/r/,m5_csrf_tkn=x,;domain=.twitter.com;?r=http://translate.twitter.com/
The new path and domain overwrite the cookie, so the cookie set for .twitter.com becomes:
__utmz=90378079.1401420.37.1.1.utmcsr=bf.am|utmccn=(referral)|utmcmd=referral|utmcct=/r/,m5_csrf_tkn=x,
3) The user logged in from a desktop, so no cookies have been set for mobile.twitter.com; when a request reaches that web server, it parses the single __utmz cookie as two cookies.
4) The compose-tweet form is then submitted on mobile.twitter.com with the CSRF token x.
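Added example (not from the original write-up): a small Python model of the two server-side parsing behaviours from Part 2 (comma accepted as a pair separator, duplicate cookie names) applied to the injected __utmz value, next to a double-submit CSRF check that refuses ambiguous Cookie headers. The cookie name m5_csrf_tkn and the sample header follow the Twitter example above; the token format requirement is an assumption.

```python
import hmac
import re

# Constructed sample of the injected __utmz cookie from the write-up above
# (not a captured header). The path /r/,m5_csrf_tkn=x, ends up inside the
# utmcct field of the Google Analytics referral signature.
INJECTED_HEADER = (
    "__utmz=90378079.1401420.37.1.1.utmcsr=bf.am|utmccn=(referral)"
    "|utmcmd=referral|utmcct=/r/,m5_csrf_tkn=x,"
)


def parse_cookie_lenient(header):
    """Model of a server that accepts ',' as well as ';' between pairs.
    A comma inside a cookie VALUE is mistaken for a pair separator, so an
    extra cookie appears out of the __utmz value."""
    cookies = {}
    for pair in re.split(r"[;,]", header):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies.setdefault(name, []).append(value.strip())
    return cookies


def parse_cookie_strict(header):
    """RFC 6265 style parsing: only ';' separates pairs. Every value of a
    name is kept so duplicates stay visible instead of being silently
    resolved to the first or the last one."""
    cookies = {}
    for pair in header.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            cookies.setdefault(name, []).append(value.strip())
    return cookies


def csrf_check(header, submitted, name="m5_csrf_tkn"):
    """Double-submit check hardened against cookie ambiguity: exactly one
    cookie with the expected name, a token of a sane shape (assumed
    format), and a constant-time comparison with the form value."""
    values = parse_cookie_strict(header).get(name, [])
    if len(values) != 1:          # missing or duplicated cookie: reject
        return False
    token = values[0]
    if not re.fullmatch(r"[A-Za-z0-9_-]{16,}", token):
        return False              # 'x' or other attacker-chosen junk
    return hmac.compare_digest(token, submitted)
```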
