CSRF Simple Introduction and utilization Method-cross-site request forgery

0x00 Brief Introduction

CSRF (Cross-site request forgery) cross-site requests forgery, because the target station has no token/referer restrictions, resulting in the attacker can complete the user's identity to achieve various purposes. Depending on the HTTP request method, CSRF can be divided into two types.

0x01 Get Type CSRF

This type of CSRF is generally caused by a lack of security awareness among programmers. The CSRF use of get types is very simple and requires only one HTTP request, so this is generally exploited:

For example, after accessing the page containing this IMG, a successful HTTP request was made to http://wooyun.org/csrf.php?xx=11. Therefore, if you replace the URL with a Get-type CSRF address, you can complete the attack.

Cloud-related cases:

http://wooyun.org/bugs/wooyun-2010-023783

http://wooyun.org/bugs/wooyun-2010-027258 (not yet publicly available)

0x02 post-type CSRF

This type of CSRF Hazard does not have a large get type, which is usually used by an auto-submitted form, such as:

When the page is accessed, the form is automatically submitted, which is equivalent to simulating the user completing a post operation.

Cloud-related cases:

http://wooyun.org/bugs/wooyun-2010-026622

http://wooyun.org/bugs/wooyun-2010-022895

0x03 Other wretched stream csrf

CSRF (commonly used in routers) for Basic authentication:

Poc:

After loading the picture, the router will give the user a valid session and the next step can be done.

Cloud-related cases:

Wooyun:tp-link Router csrf, can do a lot of things (affect the use of the default password or simple password users)

0x04 How to fix

For the prevention of CSRF, there are the following points to note:

Critical operation only accepts POST request verification code

The process of CSRF attacks is often to construct network requests without the user's knowledge. So if you use a verification code, then each operation requires the user to interact, which is a simple and effective defense against the CSRF attack.

But if you make any move on a website to enter a verification code will seriously affect the user experience, so the verification code is usually only in the special operation, or in the registration time to use

Detection refer

There is a connection between the common Internet page and the page, For example, you in www.baidu.com should be unable to find the link to www.google.com, such as you in the forum message, then no matter where you redirect after the message, the previous URL will contain the message input box, the previous URL will remain in the new page header file Referer

By checking the value of the referer, we can determine whether the request is legitimate or illegal, but the problem is that the server is not always able to accept the value of Referer, so refere check is typically used to monitor the occurrence of CSRF attacks, rather than defending against attacks.

Token

The current mainstream approach is to use tokens to defend against CSRF attacks. The following analysis CSRF attack to understand why token can effectively

The condition for the CSRF attack to succeed is that the attacker is able to predict all parameters to construct a legitimate request. So, based on the principle of unpredictability, we can encrypt the parameters to prevent CSRF attacks.

Another more general practice is to keep the original parameter unchanged, add a parameter token, and its value is random. This way the attacker could not construct a legitimate request for an attack because he did not know the token.

Token usage Principles

Token to be enough random ———— only This is unpredictable token is a one-time, that is, every request to update token ———— This can increase the difficulty of the attack, increase the difficulty token to pay attention to confidentiality ———— sensitive operation using post, Prevent tokens from appearing in URLs

The problems in 0x05 test CSRF

If there is XSS in the same domain, there is no other way to defend the problem except the CAPTCHA.

There is a program backend may be accepted by request, and the program is the default post request, in fact, change to get request can also send the past, there is a serious hidden trouble.

When only using refer defense, you can change the request to the following test can be bypassed:

Original refer:http://test.com/index.php

Test several ways (you may have problems if you pass the following way):

http://test.com.attack.com/index.phphttp://attack.com/test.com/index.php[Empty]

Refer is an empty construction method:

Due to browser features, cross-protocol requests without refer (except the Geckos kernel), such as HTTPS jump to HTTP, if the HTTPS environment is not good to build, FTP can actually be:) <iframe src= "data:text/html,< Script Src=http://www.baidu.com></script> ">//ie does not support the use of xxx.src= ' javascript:" The way HTML code "; Can remove Refer,ie8 to take. <iframe id= "AA" src= "" ></iframe><script>document.getelementbyid ("AA"). src= ' javascript: ' < Html><body>wooyun.org<scr ' + ' Ipt>eval (the code you want to use) </SCR ' + ' ipt></body>


http://www.ibm.com/developerworks/cn/web/1102_niugang_csrf/

Csrf Simple Introduction and use Method-cross-site request forgery