Cross-Site Request Forgery (CSRF) due to multiple functional design defects in the entire site of huaban network (the private message function can be used to affect registered users of the whole site)
Multiple Functional design defects in the entire site of the petal Network lead to cross-site Request Forgery (CSRF) (the private message function can be used to affect registered users of the whole site ).
Cross-Site Request Forgery (CSRF) is caused by Multiple Functional design defects on the Apsara stack website ).
The poc is all below.
Impact scope: (including but not limited)
Personal data of website users is tampered.
Any user on the website clicks fans.
Private messages of Full-site users can be infected with worms.
Personal Data tampering of website users:
<Html>
Followers of any website users:
<Html>
Private messages of Full-site users can be infected with worms:
<Html>
Solution:
1. The verification code is considered to be the most concise and effective defense method against CSRF attacks.
2. Referer Check.
3. Anti CSRF Token.