DVWA series of CSRF attack introduction and implementation

Source: Internet
Author: User
Tags: mysql, command line, csrf attack

CSRF (Cross-Site Request Forgery) is an attack in which the attacker borrows your identity and performs actions on your behalf that you did not intend. With CSRF an attacker can use your account to send mail, obtain your sensitive information, and even steal your property.

When we open or log in to a website, a session exists between the browser and the website. While this session lasts, you can use your permissions on the site to do certain things, such as posting an article, sending an email, or deleting an article. Once the session has ended and you try to do something, the web application may prompt "Your session has expired", "Please sign in again", and so on.

For example, when we log in to online banking, the browser has established an authenticated session with the trusted site. From then on, every request sent through this authenticated session is treated as a trusted action, such as a transfer or a remittance. If we do nothing for a period of time, the authenticated session may be terminated, and on the next transfer or remittance the site may prompt: your identity has expired, please log in again, the session has ended, and similar messages.

A CSRF attack relies on this session. Suppose you are logged in to online banking and doing transfers, and one of your QQ friends (the attacker) sends you a message containing a URL. The URL has been carefully constructed by the attacker to perform a transfer, and you are logged in to that same bank. You may think the site is safe, but when you open the URL the balance in your account may be gone.

Here we will implement a CSRF attack. Enter DVWA and choose the low security level; you can see that the CSRF test here is the action of changing the administrator password. The default administrator password is "password". In order to view the administrator password directly, find AppServ in the Start menu and run the "MySQL Command Line Client" to enter the MySQL interface. Execute "use DVWA;" to open the DVWA database, then execute "SELECT user, password FROM users WHERE user = 'admin';" to view the MD5 value of the current admin user's password.

[Image 1.jpg: http://s5.51cto.com/wyfs02/M01/78/61/wKiom1Z7ObLylRavAAAtLNBkEVQ023.jpg]

Next we change the administrator password to 123 on the CSRF page, and we can see that the MD5 value changes accordingly.

[Image 2.jpg: http://s5.51cto.com/wyfs02/M00/78/5F/wKioL1Z7OdHjPH63AAA3TzwWA0w443.jpg]

At this point, look carefully at the URL in the browser address bar:

http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change#

If an attacker learns this URL, can the administrator password be changed at will? For example, if the following URL is constructed, will it change the administrator password to abc?

http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=abc&password_conf=abc&Change=Change#

If the hacker opens the URL directly on his or her own computer, it will definitely fail, because you must have administrator permissions before you can modify the password. As described earlier, a valid session must exist between the administrator's browser and the site before the password change operation can be performed.

So the hacker can construct a web page, put the above code into it, and trick the administrator into opening the page. If the administrator happens to be working on the site at that time, so that the administrator's browser already has a valid session with the site, the above code will take effect.

For example, we write a web page called csrf.html on a virtual machine (IP address 192.168.80.132) that already has a web server set up, with the following code:

<iframe src="http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=abc&password_conf=abc&Change=Change#" frameborder="0"></iframe>

Then, while logged in to DVWA, open this page in your local browser at http://192.168.80.132/csrf.html:

[Image 3.jpg: http://s2.51cto.com/wyfs02/M01/78/5F/wKioL1Z7OfnCI9DyAAFJY4qQiAA923.jpg]

You will notice that the administrator password has been automatically changed to abc:

[Image 4.jpg: http://s2.51cto.com/wyfs02/M00/78/5F/wKioL1Z7OgnRoRgIAAA1Qif9xfc463.jpg]

This is a typical CSRF attack, and it shows the two main characteristics of CSRF:

    • CSRF attacks rely on the browser's existing session with the web server;

    • The user is tricked into accessing the URL.
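To show the checks that stop exactly this forged request, here is an added Python model of the password-change handler (it is not DVWA's own PHP code): the low version accepts any request that carries a valid session cookie, while the hardened version additionally requires POST, a per-session token and a matching Origin header. The Request class, login(), the in-memory SESSIONS store keyed by the PHPSESSID cookie, and the user_token parameter name are assumptions made for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed in-memory stand-ins for DVWA's users table and PHP's session store.
USERS = {"admin": "password"}
SESSIONS = {}  # PHPSESSID cookie value -> {"user": ..., "csrf_token": ...}

@dataclass
class Request:
    method: str
    params: dict                          # query string or form fields
    cookies: dict = field(default_factory=dict)
    origin: str = None                    # Origin header, if the browser sent one

def login(user):
    """Issue a session cookie and a per-session CSRF token (assumed design)."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return cookie

def change_password_low(req):
    """Models the low level: any request with a valid session cookie succeeds,
    whatever its method or origin, so an <iframe> GET from another site works."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if sess is None:
        return 302                        # not logged in: redirect to login page
    if req.params.get("password_new") != req.params.get("password_conf"):
        return 400
    USERS[sess["user"]] = req.params["password_new"]
    return 200

def change_password_hardened(req, site="http://127.0.0.1"):
    """Same action with the three checks that reject the forged request."""
    sess = SESSIONS.get(req.cookies.get("PHPSESSID"))
    if sess is None:
        return 302
    if req.method != "POST":              # state changes never ride on GET
        return 405
    if req.origin is not None and req.origin != site:
        return 403                        # cross-site POSTs carry a foreign Origin
    token = req.params.get("user_token", "")
    if not hmac.compare_digest(token.encode(), sess["csrf_token"].encode()):
        return 403                        # the attacker's page cannot read this token
    if req.params.get("password_new") != req.params.get("password_conf"):
        return 400
    USERS[sess["user"]] = req.params["password_new"]
    return 200
```

Setting the session cookie with SameSite=Lax would additionally stop the browser from attaching PHPSESSID to the cross-site iframe load in the first place; the token check remains the application-level defence that does not depend on browser behaviour.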

This article is from the "a pot of turbid wine" blog; please contact the author before reproducing it!
