CSRF (Cross-Site Request Forgery): attack principle, introduction and classification

Principle introduction and classification

CSRF is a common vulnerability in Web applications. Its effects are very harmful and it is easy to overlook, because the forged request looks exactly like a legitimate one. Especially in the context of widespread Web 2.0 applications, an attacker can launch a CSRF attack without the user noticing anything. This article gives a systematic description of its basic characteristics, attack principle, attack classification, detection methods and prevention methods, with examples of attacks.

Introduction to CSRF Vulnerability

CSRF (Cross-Site Request Forgery) is a network attack technique. The attacker causes the victim's browser to send a forged request to the target site in the victim's name, without the victim's knowledge, so that an operation the victim is authorized to perform is carried out for the attacker. The consequences can be severe.

Specifically, a CSRF attack can be understood as follows: the attacker borrows your identity and sends a malicious request in your name. To the server the request is completely legitimate, because it arrives with your session, but it performs an operation the attacker chose, such as sending e-mails or messages in your name, taking over your account, adding a system administrator, or even purchasing goods and transferring virtual currency.

The CSRF attack method is not widely known, yet many websites have CSRF vulnerabilities. The technique was described by security researchers abroad as early as 2000, but in China it received little attention until 2006. In 2008 many large community and interactive websites, both domestic and foreign, were found to have CSRF vulnerabilities, including Baidu HI, NYTimes.com (New York Times), Metafilter (a large blogging site) and YouTube.

Even now, many sites on the Internet are still unprepared for it, which is why the security industry has called CSRF a "sleeping giant"; the level of threat can be judged from that.

CSRF attack principle and examples

When we open a website or log in to it, a session is created (here we mean the session that exists after the user logs in). Whether the server tracks that session with SESSION storage, a cookie, or both does not matter. The only important point is that the browser and the server share a session, usually identified by a cookie that the browser attaches automatically to every request to that site. While the session is still valid you can use your permissions to perform operations on the website, such as publishing articles, sending e-mails or deleting articles. When the session ends, the web application will normally tell you that your session has expired, or prompt you to log in again, the next time you try one of those operations.

A CSRF attack rides on an established session. For example, you log in to online banking and are in the middle of transferring money, and one of your QQ friends (the attacker) sends you a message containing a URL. That URL is a carefully constructed transfer request, pointing at the same bank website you are logged in to. Because the URL belongs to the bank, not to some phishing site, you assume it is safe and open it, and the money in your account may be gone with that single click.

The reason is that your browser is already in a session with the website, so any request it sends to that site is treated as legitimate, and the URL the attacker constructed is simply a normal transfer request.

Example

Suppose you want to transfer 1000 yuan to the user spisec. After you click the submit button, the following request might be sent:
http://www.taobao.com/pay.jsp?user=spisec&money=1000
The attacker only has to change the user and money parameters to build a "legal" attack, for example:
http://www.taobao.com/pay.jsp?user=hack&money=10000
When you visit this URL, 10,000 yuan is automatically transferred into the hack account. The request came from your own browser, so you did not lose the money because someone cracked your password or because the web server was hacked.

Process overview

  1. User C opens a browser, visits the trusted website A, and enters a user name and password to log in to A;
  2. After the credentials are verified, website A generates cookie information and returns it to the browser. User C is now logged in to A and can send requests to A normally;
  3. Before logging out of website A, the user opens a new tab in the same browser and visits website B;
  4. When website B receives the request, it returns a page containing attack code that makes the browser issue a request to the third-party site A;
  5. The browser executes that code and, without the user's knowledge, sends the request to site A with A's cookie attached. Website A cannot tell that the request was actually initiated by B, so it processes it with C's permissions according to C's cookie, and the malicious request from website B is carried out.
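The five steps above, run as a small simulation. This is an added example written for this article, not code from the original post: the host names bank.example and the attacker's page, the /pay.jsp endpoint, the account names and the balances are all assumptions. Site A trusts its session cookie alone and accepts a transfer over GET; the browser attaches that cookie to every request for bank.example, including the one triggered by an invisible image on the attacker's page.

```python
"""Simulation of the five-step CSRF flow above (added example, not the article's code).
Assumptions: host bank.example, endpoint /pay.jsp, accounts alice and hack."""
import html
import re
from urllib.parse import parse_qs, urlsplit

BANK_HOST = "bank.example"


class BankSite:
    """Site A. Authorises every request purely on its session cookie and
    accepts a state-changing transfer over GET: exactly the weakness CSRF needs."""

    def __init__(self):
        self.passwords = {"alice": "s3cret"}
        self.balances = {"alice": 5000, "hack": 0}
        self.sessions = {}   # session id -> user name
        self.transfers = []  # (from, to, amount) audit log

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        sid = f"sid-{len(self.sessions) + 1}"
        self.sessions[sid] = user
        return {"SESSIONID": sid}          # what Set-Cookie would carry

    def handle(self, url, cookies):
        user = self.sessions.get(cookies.get("SESSIONID"))
        if user is None:
            return 401, "login required"
        parts = urlsplit(url)
        if parts.path != "/pay.jsp":
            return 404, "no such page"
        q = parse_qs(parts.query)
        to, amount = q["user"][0], int(q["money"][0])
        if amount <= 0 or self.balances[user] < amount:
            return 400, "bad amount"
        self.balances[user] -= amount
        self.balances[to] = self.balances.get(to, 0) + amount
        self.transfers.append((user, to, amount))
        return 200, f"transferred {amount} to {to}"


# Site B: an unrelated page the victim opens in another tab (constructed).
# The zero-size <img> makes the browser issue a GET to site A; the victim sees only cats.
ATTACK_PAGE = (
    '<html><body><h1>Cute cats</h1>'
    '<img src="http://bank.example/pay.jsp?user=hack&amp;money=1000" width="0" height="0">'
    '</body></html>'
)

SRC_RE = re.compile(r'<(?:img|iframe|script)\b[^>]*\bsrc="([^"]+)"', re.I)


class Browser:
    """Keeps one cookie jar per host and attaches it to every request to that host,
    whichever page caused the request. That rule is what the attacker relies on."""

    def __init__(self, bank):
        self.bank = bank
        self.cookie_jar = {}

    def login_to_bank(self, user, password):
        cookies = self.bank.login(user, password)
        if cookies:
            self.cookie_jar.setdefault(BANK_HOST, {}).update(cookies)
        return cookies is not None

    def fetch(self, url):
        host = urlsplit(url).hostname
        if host == BANK_HOST:
            return self.bank.handle(url, self.cookie_jar.get(host, {}))
        return 0, "host not modelled in this simulation"

    def render(self, page_html):
        """Load every embedded resource, as a real browser does when rendering a page."""
        return [self.fetch(html.unescape(src)) for src in SRC_RE.findall(page_html)]


def run_scenario(logged_in=True):
    """Returns (balances, transfer log, responses to the embedded requests)."""
    bank = BankSite()
    browser = Browser(bank)
    if logged_in:
        browser.login_to_bank("alice", "s3cret")   # steps 1 and 2
    responses = browser.render(ATTACK_PAGE)        # steps 3 to 5
    return bank.balances, bank.transfers, responses


if __name__ == "__main__":
    print(run_scenario(True))    # alice loses 1000 to hack
    print(run_scenario(False))   # no session cookie: the bank answers 401 and nothing moves
```

Running the scenario logged out shows why the session is the precondition: the same attack page produces a 401 and no transfer. Nothing in the attacker's page needs to read the cookie or the bank's response; it only needs the browser to send the request.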

From the description of the attack principle above, two points summarize CSRF:

		1. The CSRF attack is built on an existing session between the browser and the Web server (or on stored user information that lets the user act without re-entering a password).
		2. The user is tricked into visiting a URL.
		In other words, the attacker borrows the user's identity and uses the user's legitimate means to perform the attacker's own operations.

CSRF attack classification

CSRF vulnerabilities are generally divided into two types: off-site and on-site.

Off-site CSRF vulnerabilities are essentially the traditional problem of accepting data submitted from outside the site. Programmers usually consider adding a verification code (CAPTCHA) to message or comment forms to prevent spam (here spam simply means junk messages, junk comments, or malicious replies carrying off-site links), but to improve the user experience some operations may be left without any such restriction. The attacker can then predict the parameters of the request and set them in advance, write a script on a Web page outside the site that forges the request, or use an auto-submitting form to produce either a GET or a POST request. When the user clicks the link and visits the off-site Web page while still in a session, the browser is forced to issue the request.

On-site CSRF vulnerabilities are partly caused by programmers misusing variables such as $_REQUEST. For a sensitive operation (changing the password, adding a user, and so on) the user was originally meant to pass the parameters through a POST request from a submitted form, but because the program reads them from $_REQUEST, which merges GET, POST and cookie values, it also accepts the same parameters from a GET request. That gives the attacker the conditions for a CSRF attack: it is usually enough to put the predicted request URL into a post or into an image link in a message on the site itself, and any victim who views that page is forced to issue the request.

CSRF vulnerability detection

Detecting CSRF vulnerabilities is fairly tedious work. The simplest method is to capture a normal request, remove the Referer field, and resubmit it. If the submission is still accepted, and the request contains no unpredictable value (such as an anti-CSRF token tied to the session) that the attacker could not guess, you can be fairly confident a CSRF vulnerability exists. Rejecting the Referer-less replay does not by itself prove the site is safe, since a Referer can also be forged from a page the attacker controls, so the test should also be repeated with a Referer pointing at an outside site.

As research into CSRF has deepened, dedicated detection tools have appeared, such as CSRFTester and CSRF Request Builder. Taking CSRFTester as an example, the detection works as follows: while testing, you first record all the links visited and all the forms submitted in the browser, then modify the corresponding forms and other details in CSRFTester and resubmit them, which is equivalent to forging a client request. If the modified test request is accepted by the website's server, the site has a CSRF vulnerability. Naturally, the same tool can also be used to carry out a CSRF attack.
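The $_REQUEST misuse from the classification section and the capture-and-replay test just described, in one added example. This is not code from the article or from CSRFTester; the site app.example, the /change_password.php endpoint, the session cookie PHPSESSID=sid-1 and the captured request are all constructed for the demonstration. A handler written the PHP $_REQUEST way is placed beside a hardened one (POST only, Origin or Referer must be the site's own, and a synchronizer token bound to the session), and a probe replays the captured request the way a tester would: unchanged, with Referer and Origin stripped, with a cross-site Referer, switched from POST to GET, and with the token removed.

```python
"""$_REQUEST-style handler vs hardened handler, plus a replay probe
(added example, not the article's own code). All names are assumptions."""
import hmac
import secrets
from copy import deepcopy

SITE = "https://app.example"
SESSIONS = {"sid-1": "alice"}          # session cookie value -> user (constructed)


def _cookies(req):
    out = {}
    for part in req["headers"].get("Cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def _session_id(req):
    return _cookies(req).get("PHPSESSID")


def vulnerable_change_password(req, passwords):
    """Mimics PHP code that reads $_REQUEST['new_password']: GET and POST values
    are merged, so the form can be replayed as a plain GET in an <img src>."""
    user = SESSIONS.get(_session_id(req))
    if user is None:
        return 401
    params = {**req["get"], **req["post"]}
    if "new_password" not in params:
        return 400
    passwords[user] = params["new_password"]
    return 200


def issue_token(tokens, sid):
    """Synchronizer token: random, stored server-side against the session, put in the form."""
    tokens[sid] = secrets.token_hex(16)
    return tokens[sid]


def hardened_change_password(req, passwords, tokens):
    sid = _session_id(req)
    user = SESSIONS.get(sid)
    if user is None:
        return 401
    if req["method"] != "POST":              # state change only over POST
        return 405
    src = req["headers"].get("Origin") or req["headers"].get("Referer")
    if not src or not (src == SITE or src.startswith(SITE + "/")):
        return 403                           # strict: missing or foreign source is rejected
    sent = req["post"].get("csrf_token", "")
    if not hmac.compare_digest(sent, tokens.get(sid, "")):
        return 403                           # the token is the primary defence
    passwords[user] = req["post"]["new_password"]
    return 200


def captured_request(token=None):
    """A legitimate password change as the tester would capture it in a proxy (constructed)."""
    post = {"new_password": "hunter2"}
    if token is not None:
        post["csrf_token"] = token
    return {
        "method": "POST",
        "path": "/change_password.php",
        "headers": {"Host": "app.example", "Origin": SITE,
                    "Referer": SITE + "/account", "Cookie": "PHPSESSID=sid-1"},
        "get": {},
        "post": post,
    }


def probe(handler, captured):
    """Replay the captured request with the variations a tester tries; return status per variant."""
    variants = {"as_captured": deepcopy(captured)}
    v = deepcopy(captured)
    v["headers"].pop("Referer", None)
    v["headers"].pop("Origin", None)
    variants["no_referer"] = v
    v = deepcopy(captured)
    v["headers"]["Referer"] = "https://evil.example/"
    v["headers"]["Origin"] = "https://evil.example"
    variants["cross_site_referer"] = v
    v = deepcopy(captured)
    v["method"], v["get"], v["post"] = "GET", dict(v["post"]), {}
    variants["post_to_get"] = v
    v = deepcopy(captured)
    v["post"].pop("csrf_token", None)
    variants["no_token"] = v
    return {name: handler(r) for name, r in variants.items()}


def verdict(results):
    """The article's heuristic (accepted without Referer) plus the refinements above."""
    return {
        "vulnerable": results["no_referer"] == 200 or results["cross_site_referer"] == 200,
        "accepts_get_for_state_change": results["post_to_get"] == 200,
        "works_without_token": results["no_token"] == 200,
    }


if __name__ == "__main__":
    pw = {}
    print(verdict(probe(lambda r: vulnerable_change_password(r, pw), captured_request())))
    tokens = {}
    tok = issue_token(tokens, "sid-1")
    print(verdict(probe(lambda r: hardened_change_password(r, pw, tokens), captured_request(tok))))
```

The hardened handler rejects a request with no Origin and no Referer at all. That is the strict choice; some sites must tolerate a missing Referer because privacy settings and referrer policies strip it, which is exactly why the token, not the Referer check, has to be the defence that the handler cannot work without.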

Note

Many defensive products also rely on the Referer field, for example a firewall's anti-hotlinking module: it checks whether the Referer points to the site itself and, if not, refuses to serve the resource. Any such check must also decide what to do when the Referer is absent, since browsers and privacy settings sometimes omit it, and it must remember that an attacker controlling a page on the same site can produce a same-site Referer.

Origin blog.csdn.net/weixin_43079958/article/details/105443005