CSRF
CSRF principle: often confused with XSS.
Distinguish them by whose trust is abused: XSS exploits the user's trust in the site; CSRF exploits the site's trust in an authenticated user (by default a site does not trust clients; once a user has authenticated, that client is granted a degree of trust).
Combined with social engineering, the attack is carried out while the victim's authenticated session is still valid.
Scenarios:
1. Modifying the account password or personal information (email, shipping address)
2. Sending forged business requests (online banking, shopping, voting)
3. Following other people's social accounts, publishing blog posts on their behalf
4. Requests are submitted without the user's intent or knowledge
It is a business-logic vulnerability: every request is a well-formed, legitimate request.
Critical operations (payment, order submission, etc.) lack a confirmation mechanism (e.g. a verification code).
Automated scanners cannot find this kind of vulnerability.
Conditions for exploiting the vulnerability
The victim has completed authentication (i.e. is logged in).
Submitting a new request does not require re-authentication (important).
The attacker must know how the web application's request parameters are constructed.
Some instruction persuades the user to trigger the attack (social engineering).
Burp Suite CSRF PoC generator
POST/GET methods
CSRF vulnerability demonstration process (victim: Windows 7 on the Change Password page; attacker: Kali)
Low level: the original password is not required (forge a page or link and entice the victim to click it)
Note: with the GET method the parameters are visible in the page (URL); with the POST method the operation is hidden from the user.
GET
POST
View the web page's source code, modify the form's code directly, save it as a page file, and persuade the user to click it (alternatively, intercept and replay with Burp Suite).
Save it as an HTML file, disguise the link, and send it to the victim.
Code audit
Low
<?php

if (isset($_GET['Change'])) {

    // Turn requests into variables
    $pass_new  = $_GET['password_new'];
    $pass_conf = $_GET['password_conf'];

    // No check of where the request came from and no current password:
    // any request with matching password_new/password_conf is accepted.
    if ($pass_new == $pass_conf) {
        $pass_new = mysql_real_escape_string($pass_new);
        $pass_new = md5($pass_new);

        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
        $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

        echo "<pre> Password Changed </pre>";
        mysql_close();
    }

    else {
        echo "<pre> Passwords did not match. </pre>";
    }

}
?>
Medium (bypass the Referer check)
<?php

if (isset($_GET['Change'])) {

    // Checks the http referer header
    // Determines the source: only requests whose Referer contains the local IP are accepted
    // (bypass: replace the Referer, or include "127.0.0.1" anywhere in it)
    if (eregi("127.0.0.1", $_SERVER['HTTP_REFERER'])) {

        // Turn requests into variables
        $pass_new  = $_GET['password_new'];
        $pass_conf = $_GET['password_conf'];

        if ($pass_new == $pass_conf) {
            $pass_new = mysql_real_escape_string($pass_new);
            $pass_new = md5($pass_new);

            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
            $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

            echo "<pre> Password Changed </pre>";
            mysql_close();
        }

        else {
            echo "<pre> Passwords did not match. </pre>";
        }

    }

}
?>
High (the original password must be entered)
<?php

if (isset($_GET['Change'])) {

    // Turn requests into variables
    $pass_curr = $_GET['password_current'];
    $pass_new  = $_GET['password_new'];
    $pass_conf = $_GET['password_conf'];

    // Sanitise current password input
    $pass_curr = stripslashes($pass_curr);
    $pass_curr = mysql_real_escape_string($pass_curr);
    $pass_curr = md5($pass_curr);

    // Check that the current password is correct
    $qry    = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';";
    $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>');

    // A forged cross-site request cannot supply the current password, so it fails here
    if (($pass_new == $pass_conf) && ($result && mysql_num_rows($result) == 1)) {
        $pass_new = mysql_real_escape_string($pass_new);
        $pass_new = md5($pass_new);

        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
        $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

        echo "<pre> Password Changed </pre>";
        mysql_close();
    }

    else {
        echo "<pre> Passwords did not match or current password incorrect. </pre>";
    }

}
?>
Detection method of an automated scanner (from the code-security / confirmation-mechanism angle)
Check whether an anti-CSRF token name appears in the request and the response
Check whether the server verifies the anti-CSRF token's value
Check whether the token contains editable strings
Check whether the Referer header can be forged
Countermeasures
Captcha
Anti-CSRF token
Referer header (there is a good chance it can be bypassed)
Shorten the session timeout period
Newbie Diary 50: Kali penetration testing, web penetration: CSRF
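An added example (not code from the page or from DVWA), in Python rather than PHP, that models the password-change handler at the Low, Medium and High levels audited above and adds an anti-CSRF token level like the countermeasure listed here; it replays one constructed cross-site request against each level and reports which levels let the victim's password change. The `token` level, the `user_token` parameter and the hostnames are assumptions.

```python
import hashlib
import hmac
import secrets


def md5_hex(s: str) -> str:
    """DVWA stores md5(password); mirrored only so the model matches the page's code."""
    return hashlib.md5(s.encode()).hexdigest()


def make_session(user: str) -> dict:
    """Server-side session of a logged-in user; the anti-CSRF token lives only here."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def change_password(level, session, params, headers, users) -> str:
    """Handler modelled on the page's Low/Medium/High sources, plus an assumed
    'token' level that verifies a per-session anti-CSRF token (user_token)."""
    if "Change" not in params:
        return ""
    if level == "medium" and "127.0.0.1" not in headers.get("Referer", ""):
        return ""  # Medium: substring test on Referer, like eregi("127.0.0.1", ...)
    if level == "token":
        # The token is bound to the session and never visible to another origin;
        # constant-time compare so the check does not leak through timing.
        if not hmac.compare_digest(params.get("user_token", ""), session["csrf_token"]):
            return "<pre> CSRF token is incorrect </pre>"
    if level == "high" and users.get(session["user"]) != md5_hex(params.get("password_current", "")):
        return "<pre> Passwords did not match or current password incorrect. </pre>"
    if params.get("password_new", "") != params.get("password_conf", ""):
        return "<pre> Passwords did not match. </pre>"
    users[session["user"]] = md5_hex(params.get("password_new", ""))
    return "<pre> Password Changed </pre>"


def forged_request_outcomes() -> dict:
    """Send one constructed cross-site request to each level and report whether the
    victim's stored password changed (True means that level is vulnerable)."""
    outcomes = {}
    for level in ("low", "medium", "high", "token"):
        users = {"admin": md5_hex("password")}  # constructed user table
        session = make_session("admin")         # the victim is already logged in
        # Constructed attacker form: it has the expected fields but neither the
        # current password nor the session token, which the attacker cannot know.
        params = {"Change": "Change", "password_new": "abc", "password_conf": "abc"}
        headers = {"Referer": "http://attacker.example/127.0.0.1/"}  # page's Referer bypass
        change_password(level, session, params, headers, users)
        outcomes[level] = users["admin"] != md5_hex("password")
    return outcomes
```

Only the High level (current password required) and the token level reject the forged request; the Medium substring check on Referer passes because the forged Referer merely contains "127.0.0.1".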