Small White Diary 50: Kali Penetration Testing - Web Penetration - CSRF

Source: Internet
Author: User

CSRF

CSRF principle: CSRF is often confused with XSS.

The two are distinguished by whose trust is abused. XSS abuses the user's trust in the site; CSRF abuses the site's trust in an authenticated user (a user who already carries a certain level of trust). By default, a site does not trust unauthenticated clients.

Combined with social engineering, the attack is carried out while the victim's authenticated session is still valid.

Scenarios:

1. Modify the account password or personal information (email, shipping address)

2. Send forged business requests (online banking, shopping, voting)

3. Follow other people's social accounts, push blog posts

4. The request is submitted involuntarily and without the user's knowledge

CSRF is a business logic vulnerability: every request involved is a normally formed request.

The root cause is the lack of a confirmation mechanism (e.g. a verification code) for critical operations (payment, order submission, etc.).

Automated scanners generally cannot find this kind of vulnerability.

Exploitation conditions

The victim has completed authentication (i.e. is logged in).

Submitting the new request (important) does not require re-authentication.

The attacker must understand how the parameters of the Web application's request are constructed.

A way to persuade the user to trigger the request (social engineering).

Burp Suite CSRF PoC Generator

Works with both the POST and GET methods.

CSRF vulnerability demonstration process (Win7 as the victim, the Change Password page as the target, Kali as the attacker)

Low level: the original password does not need to be entered (forge a page or link and entice the victim to click it).

Note: with the GET method the parameters are visible in the URL; with the POST method the operation is hidden in the request body.

GET

POST

View the source code of the Web page, modify the form's code directly, save it as a page file, and persuade the user to click it (use Burp Suite to intercept and replay the request).

Save it as an HTML file, disguise the link, and send it to the victim.

Code audit

Low

```php
<?php

    if (isset($_GET['Change'])) {

        // Turn requests into variables
        $pass_new  = $_GET['password_new'];
        $pass_conf = $_GET['password_conf'];

        if ($pass_new == $pass_conf) {
            $pass_new = mysql_real_escape_string($pass_new);
            $pass_new = md5($pass_new);

            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
            $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

            echo "<pre>Password Changed</pre>";
            mysql_close();
        } else {
            echo "<pre>Passwords did not match.</pre>";
        }

    }
?>
```

Medium (bypassing the Referer check)

```php
<?php

    if (isset($_GET['Change'])) {

        // Checks the HTTP referer header
        // Checks the request's source: only packets whose Referer contains the local IP are accepted
        // (bypass: replace the Referer, or include 127.0.0.1 anywhere in it)
        if (eregi("127.0.0.1", $_SERVER['HTTP_REFERER'])) {

            // Turn requests into variables
            $pass_new  = $_GET['password_new'];
            $pass_conf = $_GET['password_conf'];

            if ($pass_new == $pass_conf) {
                $pass_new = mysql_real_escape_string($pass_new);
                $pass_new = md5($pass_new);

                $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
                $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

                echo "<pre>Password Changed</pre>";
                mysql_close();
            } else {
                echo "<pre>Passwords did not match.</pre>";
            }

        }

    }
?>
```
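The Medium level's whole defence is a substring match on the Referer header, which is why "include 127.0.0.1 in the Referer" is enough to pass it. The following is an added example (not part of the original post or of the application being audited) that puts that check next to a strict origin comparison, so the difference can be seen on a few constructed headers. The function names, the ALLOWED_ORIGINS list and the sample Referer values are this example's own assumptions; eregi() is gone in PHP 7, so a case-insensitive stripos() stands in for it.

```php
<?php
// Added example, not code from the original post or the demo application.
// Compares the Medium level's substring Referer check with a strict
// scheme + host + port comparison against a fixed allow-list.

// Origins this form is allowed to be submitted from (assumed for the example).
const ALLOWED_ORIGINS = ['http://127.0.0.1', 'http://127.0.0.1:80'];

// Stand-in for the Medium level's eregi("127.0.0.1", $_SERVER['HTTP_REFERER']):
// passes whenever the IP appears anywhere in the header.
function referer_contains_host(string $referer): bool
{
    return stripos($referer, '127.0.0.1') !== false;
}

// Strict check: parse the Referer (an Origin header can be checked the same way)
// and compare the full origin exactly. Missing or unparseable values fail closed.
function referer_is_same_origin(?string $header, array $allowed = ALLOWED_ORIGINS): bool
{
    if ($header === null || $header === '') {
        return false;                           // no header at all: reject
    }
    $p = parse_url($header);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return false;                           // not a well-formed absolute URL
    }
    $origin = strtolower($p['scheme'] . '://' . $p['host']);
    if (isset($p['port'])) {
        $origin .= ':' . $p['port'];
    }
    return in_array($origin, $allowed, true);
}

// Constructed sample headers: the first is a genuine same-origin request, the
// others place the IP in the host, path or query, or omit the header entirely.
$samples = [
    'http://127.0.0.1/vulnerabilities/csrf/',
    'http://127.0.0.1.other.example/csrf.html',
    'http://other.example/127.0.0.1/csrf.html',
    'http://other.example/csrf.html?x=127.0.0.1',
    '',
];

foreach ($samples as $ref) {
    printf("%-48s substring: %-4s  strict: %s\n",
        $ref === '' ? '(no Referer)' : $ref,
        referer_contains_host($ref) ? 'pass' : 'fail',
        referer_is_same_origin($ref) ? 'pass' : 'fail');
}
```

Only the first sample passes the strict check; the substring check passes all but the empty header. Even a strict Referer comparison remains a secondary control, since the header may be stripped by proxies or browser privacy settings, so the empty case has to be decided deliberately (this example rejects it) and an anti-CSRF token should still be the primary defence.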

High (the original password must be entered)

```php
<?php

    if (isset($_GET['Change'])) {

        // Turn requests into variables
        $pass_curr = $_GET['password_current'];
        $pass_new  = $_GET['password_new'];
        $pass_conf = $_GET['password_conf'];

        // Sanitise current password input
        $pass_curr = stripslashes($pass_curr);
        $pass_curr = mysql_real_escape_string($pass_curr);
        $pass_curr = md5($pass_curr);

        // Check the current password is correct
        $qry    = "SELECT password FROM `users` WHERE user='admin' AND password='$pass_curr';";
        $result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>');

        if (($pass_new == $pass_conf) && ($result && mysql_num_rows($result) == 1)) {
            $pass_new = mysql_real_escape_string($pass_new);
            $pass_new = md5($pass_new);

            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
            $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

            echo "<pre>Password Changed</pre>";
            mysql_close();
        } else {
            echo "<pre>Passwords did not match or current password incorrect.</pre>";
        }

    }
?>
```

How automated scanners try to detect CSRF (from the angle of code security and confirmation mechanisms)

Check for anti-CSRF token names in the request and the response.

Check whether the server verifies the value of the anti-CSRF token.

Check whether the token contains editable strings.

Check whether the Referer header can be forged.

Countermeasures

Captcha

Anti-CSRF token

Referer header check (fairly likely to be bypassed)

Reduce the session timeout period
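The anti-CSRF token listed above is the countermeasure that directly removes the Low-level weakness: a cross-site page can forge every parameter of the change-password request except a secret it has never seen. The following is an added example (not code from the original post or the demo application) of the synchronizer-token pattern applied to that form. All function names are this example's own, $session is a plain array standing in for $_SESSION so the script also runs from the command line, and $verify_current_password is a constructed stand-in for the database lookup the High level performs.

```php
<?php
// Added example, not code from the original post or the demo application.
// Synchronizer token: the server stores a random token in the session, embeds it
// in the form as a hidden field, and rejects any submission whose token differs.

const CSRF_TOKEN_BYTES = 32;

// Issue (or reuse) the per-session token. Generated with a CSPRNG and never
// derived from anything the client could guess (no timestamps, no user ids).
function csrf_token_issue(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(CSRF_TOKEN_BYTES));
    }
    return $session['csrf_token'];
}

// Verify a submitted token. hash_equals() keeps the comparison constant-time;
// a missing submission, a missing session token, or any mismatch fails closed.
function csrf_token_verify(array &$session, $submitted): bool
{
    if (!is_string($submitted) || empty($session['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// The form the server renders: the token travels as a hidden field and the
// change is sent with POST, so it never sits in a URL that can simply be linked to.
function render_change_password_form(array &$session): string
{
    $token = htmlspecialchars(csrf_token_issue($session), ENT_QUOTES, 'UTF-8');
    return <<<HTML
<form action="/vulnerabilities/csrf/" method="POST">
  <input type="hidden" name="csrf_token" value="$token">
  Current password: <input type="password" name="password_current"><br>
  New password:     <input type="password" name="password_new"><br>
  Confirm:          <input type="password" name="password_conf"><br>
  <input type="submit" name="Change" value="Change">
</form>
HTML;
}

// Request handler: the token is checked before anything else, then the High
// level's checks follow (current password required, new == confirm).
// $verify_current_password replaces the database query, which this example omits.
function handle_change_password(array &$session, array $post, callable $verify_current_password): string
{
    if (!csrf_token_verify($session, $post['csrf_token'] ?? null)) {
        return 'CSRF token missing or invalid';
    }
    if (!isset($post['password_current'], $post['password_new'], $post['password_conf'])) {
        return 'Missing fields';
    }
    if (!$verify_current_password($post['password_current'])) {
        return 'Current password incorrect';
    }
    if ($post['password_new'] !== $post['password_conf']) {
        return 'Passwords did not match';
    }
    // A real handler would store password_hash($post['password_new'], PASSWORD_DEFAULT) here.
    return 'Password Changed';
}

// Constructed walkthrough with a fake session and a fake current-password check.
$session      = [];
$checkCurrent = fn(string $p): bool => $p === 'oldpass';   // constructed stand-in for the DB lookup

echo render_change_password_form($session), "\n";

// A cross-site page can guess every field except the token, so this is rejected.
$forged = ['password_current' => 'oldpass', 'password_new' => 'newpass',
           'password_conf'    => 'newpass', 'Change'       => 'Change'];
echo handle_change_password($session, $forged, $checkCurrent), "\n";

// The genuine form submission carries the token the server rendered, so it succeeds.
$legit = $forged + ['csrf_token' => $session['csrf_token']];
echo handle_change_password($session, $legit, $checkCurrent), "\n";
```

Two design points are worth keeping in mind when moving this into a real handler: the token must be bound to the session (a global or predictable token adds nothing), and the compare must be constant-time, which is why hash_equals() is used instead of ==. Switching the form from GET to POST, as the High level's source still does not do, removes the "visible in the URL" problem noted earlier but is not by itself a CSRF defence; the token is.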
