0x00 Brief Introduction
CSRF (Cross-Site Request Forgery): because the target site places no token or Referer restriction on its requests, an attacker can make the victim's browser perform an operation as that user and so achieve various ends. Depending on the HTTP request method, CSRF can be divided into two types.
0x01 GET-type CSRF
This type of CSRF is usually caused by a lack of security awareness on the programmer's part. Exploiting a GET-type CSRF is very simple: only one HTTP request needs to be constructed.
It is generally used like this:
When the target's browser loads the image, the link is loaded automatically and the attack is complete.
For example: in a message board or blog forum, when the message content is not filtered, you can use the method above to construct an image link whose URL deletes an article. When the target views the blog message, the browser loads the URL automatically because it is an image tag; if the target is logged in at that moment, the article is deleted. This is a CSRF exploit via a GET request.
0x02 POST-type CSRF
The so-called POST type constructs a self-submitting form; when the target opens the page containing it, the browser sends the HTTP request as a POST.
<!DOCTYPE html>
The above is a form that submits itself automatically: when the user triggers it, the browser sends an HTTP request that modifies the user's personal information.
0x03 How to fix
Precautions against CSRF:
Critical operations accept only POST requests, and add a verification code.
In a CSRF attack the user usually triggers the request unknowingly, so adding a verification code or a confirmation step is a simple and effective defense against CSRF.
Checking the Referer
Internet pages and the links between them follow a pattern: on www.baidu.com you should not find links to www.google.com. Likewise, when you post a message in a forum, no matter where you are redirected after posting, the previous URL (the page with the message input box) is carried in the Referer header of the new request.
By checking the value of the Referer we can judge whether a request is legitimate or not, but the problem is that the server cannot always obtain a Referer value, so Referer checks are typically used to monitor for CSRF attacks rather than to defend against them.
Token
The current mainstream approach is to use a token to defend against CSRF attacks. The following analysis of a CSRF attack explains why a token is effective.
The condition for a CSRF attack to succeed is that the attacker can predict all parameters needed to construct a legitimate request. So, based on the principle of unpredictability, we can encrypt the parameters to prevent CSRF attacks.
Another, more general practice is to keep the original parameters unchanged and add a parameter, the token, whose value is random. The attacker cannot construct a legitimate request for an attack because he does not know the token.
Token usage principles
The token must be sufficiently random; only then is it unpredictable.
The token is one-time, that is, it is refreshed on every request; this increases the difficulty of an attack.
The token must be kept confidential: use POST for sensitive operations so that the token does not appear in the URL.
Reference: WooYun Drops.
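The three token principles and the Referer-as-monitoring point above, as an added example that is not code from the original post: a hypothetical `CsrfGuard` store issues random one-time tokens bound to a session, a `handle_delete` handler accepts the state change only via POST with a valid token, and a Referer mismatch is logged rather than used as the sole gate (the session ids, host name and form field name are constructed for the example).

```python
import hmac
import secrets
from typing import Dict, Optional, Set
from urllib.parse import urlsplit


class CsrfGuard:
    """Per-session store of random, one-time CSRF tokens (hypothetical helper)."""

    def __init__(self, token_bytes: int = 32) -> None:
        self._token_bytes = token_bytes
        self._issued: Dict[str, Set[str]] = {}  # session id -> unused tokens

    def issue_token(self, session_id: str) -> str:
        # Principle 1: cryptographically random, so the attacker cannot predict it
        token = secrets.token_urlsafe(self._token_bytes)
        self._issued.setdefault(session_id, set()).add(token)
        return token

    def verify(self, session_id: str, submitted: Optional[str]) -> bool:
        # Principle 2: one-time use; the token is consumed on first valid submit.
        # Binding to the session stops a token issued to user A being used by B.
        if not submitted:
            return False
        unused = self._issued.get(session_id, set())
        for token in unused:
            if hmac.compare_digest(token.encode(), submitted.encode()):
                unused.discard(token)
                return True
        return False


def referer_same_origin(referer: Optional[str], expected_host: str) -> Optional[bool]:
    """Monitoring check: None when the header is absent (browsers/proxies strip it)."""
    if not referer:
        return None
    return urlsplit(referer).netloc.lower() == expected_host.lower()


def handle_delete(guard: CsrfGuard, method: str, session_id: str,
                  form: Dict[str, str], headers: Dict[str, str], host: str) -> str:
    """POST plus a valid token is required; a Referer mismatch is only logged."""
    if method != "POST":
        return "rejected: GET not allowed for state change"
    if referer_same_origin(headers.get("Referer"), host) is False:
        print(f"ALERT possible CSRF: Referer {headers['Referer']!r} != {host}")
    # Principle 3: the token travels in the POST body, never in the URL
    if not guard.verify(session_id, form.get("csrf_token")):
        return "rejected: bad or reused token"
    return "deleted"
```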
This article is from the "Creative Pilgrim" blog, so be sure to keep this source http://dearch.blog.51cto.com/10423918/1793767
CSRF Vulnerability Analysis utilization and defense