Front-end security (3): CSRF (Cross-site request forgery)

One, what is CSRF

CSRF (Cross-site request forgery): the attacker lures the victim onto a third-party website, and from that website a cross-site request is sent to the attacked website. Because the request carries the credentials the victim already holds for the attacked website, it bypasses the back-end's user verification, so the attacker succeeds in performing an operation on the attacked website while impersonating the user.

A typical CSRF attack has the following process:

  • The victim logged into a.com and kept the login credentials (Cookie).
  • The attacker lured the victim to visit b.com.
  • b.com sent a request to a.com: a.com/act=xx. The browser will carry a.com cookies by default.
  • After a.com receives the request, it verifies the request and confirms that it is the victim's credentials, mistakenly thinking that it was the request sent by the victim.
  • a.com executed act=xx in the name of the victim.
  • Once the attack is complete, the attacker has made a.com carry out an operation of the attacker's choosing in the victim's name, without the victim's knowledge.

Two, several common types of attacks

1. GET type CSRF

GET-type CSRF is very simple to exploit: only one HTTP request is needed, and it is generally used like this:

<img src="http://bank.example/withdraw?account=xiaoming&amount=10000&for=hacker">

After the victim visits the page containing this img, the browser will automatically send an HTTP request to http://bank.example/withdraw?account=xiaoming&amount=10000&for=hacker. bank.example will receive a cross-domain request containing the victim's login information.

2. POST type CSRF

This type of CSRF usually uses an automatic submission form, such as:

<form action="http://bank.example/withdraw" method="POST">
    <input type="hidden" name="account" value="xiaoming" />
    <input type="hidden" name="amount" value="10000" />
    <input type="hidden" name="for" value="hacker" />
</form>
<script> document.forms[0].submit(); </script> 

After visiting this page, the form will be automatically submitted, which is equivalent to simulating the user to complete a POST operation.

POST-type attacks usually have slightly stricter requirements than GET-type ones, but they are still not complicated. Any personal website, blog, or website the attacker has uploaded content to can be the source of the attack. The back-end interface cannot rely on accepting only POST requests for security.

3. Link type CSRF

Link-type CSRF is not common. Unlike the other two cases, where users are hit as soon as they open the page, this one requires the user to click a link to trigger it. It usually embeds a malicious link in an image posted on a forum, or entices the user in the form of an advertisement. Attackers usually use sensational wording to trick users into clicking, such as:

 <a href="http://test.com/csrf/withdraw.php?amount=1000&for=hacker" target="_blank">
  Big news!!
 </a>

Since the user previously logged in to the trusted website A and the login state was saved, the attack succeeds as soon as the user actively visits the PHP page above.

Three, the characteristics of CSRF

  • Attacks are generally launched on third-party websites rather than the website being attacked. The attacked website cannot prevent the attack from occurring.
  • The attack uses the victim's login credentials on the attacked website to submit operations while impersonating the victim, rather than directly stealing data.
  • Throughout the process the attacker never obtains the victim's login credentials; they are only used fraudulently.
  • Cross-site requests can be made in various ways: image URL, hyperlink, CORS (cross-domain resource sharing), form submission, etc. Some request methods can be directly embedded in third-party forums and articles, which are difficult to track.

CSRF is usually cross-domain, because external domains are usually easier for attackers to control. But if the attacked domain itself offers convenient features, such as forums and comment areas where pictures and links can be posted, the attack can be carried out directly from that domain, and this kind of attack is even more dangerous.

Origin blog.csdn.net/imagine_tion/article/details/111035961