Basic Vulnerabilities of the Web--CSRF Vulnerabilities

Table of contents

1. Introduction to CSRF Vulnerabilities

1. Principle of CSRF vulnerability

2. Types of CSRF vulnerabilities

3. Vulnerability identification

4. Vulnerability attack

5. Harm of CSRF vulnerability

6. CSRF vulnerability defense

7. The difference between CSRF and XSS


1. Introduction to CSRF Vulnerabilities

1. Principle of CSRF vulnerability

CSRF (Cross-Site Request Forgery) refers to an attack in which the victim's identity authentication information (cookie, session, etc.) is used to send a request to the server on the victim's behalf, without the victim's knowledge, so that the server carries out an operation the victim never intended (such as transferring money, changing a password, etc.).

2. Types of CSRF vulnerabilities

GET type: the forged request is a simple GET, so it can be triggered by any resource load, for example an <img> tag whose src points at the vulnerable URL.
POST type: for example, construct a form in a page, hide the page in an invisible iframe window, and then use JavaScript to submit the form automatically; the entire process is invisible to the user. When the user visits the page, the form is submitted automatically, which is equivalent to the user completing a POST operation.

3. Vulnerability identification

1. Map the add, delete and modify operations of the target website, and observe their logic to determine whether the request can be forged:
– for example, when modifying the administrator account, there is no need to verify the old password, which makes the request easy to forge;
– for example, modifying sensitive information does not use secure token verification, which makes the request easy to forge.
2. Confirm the validity period of the credentials (this problem increases the probability of CSRF being exploited):
even after the browser is exited or closed, the cookie is still valid, or the session does not expire in time, which makes CSRF attacks easier.

4. Vulnerability attack

CSRF is generally delivered via phishing.

The attack flow is:

1) The victim logs in to a system A to obtain a cookie

2) The attacker lures the victim to visit B

3) B sends a request to A

4) System A thinks that the request is from the victim and executes the request

Attack complete.

5. Harm of CSRF vulnerability

  1. CSRF vulnerabilities can allow victims to post to forums, subscribe to mailing lists, shop online or trade stocks, or change usernames or passwords without their knowledge. For web applications protected by firewalls, CSRF attacks can bypass the firewall, because the request comes from the victim's own browser.
  2. The CSRF vulnerability can also be used in combination with XSS and other vulnerabilities, which further increases the harm of the vulnerability.
  3. Forging HTTP requests for unauthorized operations: tampering with and stealing important user data on the target website; performing operations that are harmful to the user's reputation or assets without permission, such as disseminating bad information or making purchases; attacking the website administrator by using social engineering or other methods, which jeopardizes the security of the website itself.
  4. Spreading CSRF worms.

6. CSRF vulnerability defense

Common anti-CSRF measures

Token verification (common practice):
1. Add a token parameter to key operations. The token value must be random and different each time, and it must be verified on the server side;

Secure session management (to avoid the session being reused):
1. Do not save sensitive information (such as identity authentication information) on the client;
2. When the user exits, or closes the browser directly, use the session expiration mechanism so that the session is invalidated;
3. Set a session expiration mechanism, for example no operation within 15 minutes causes the login to time out automatically;

Access control security management:
1. Re-authentication is required when modifying sensitive information. For example, when modifying an account, the old password must be checked;
2. Use POST instead of GET to modify sensitive information;
3. Restrict requests through the Referer in the HTTP header;
4. Add a verification code (CAPTCHA) to the original page: it is generally used for login (anti-brute-force), and can also be used on other important information operation forms (availability needs to be considered).
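The token defense above, as an added example that is not part of the original post: a server-side helper that issues a random token bound to the session and a hypothetical password-change handler that rejects forged requests (GET, no token, or a token issued for another session). The secret and the request dictionary shape are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-example-secret"


def issue_token(session_id: str) -> str:
    """Create a fresh anti-CSRF token bound to the caller's session.

    The nonce is new on every call, so the value differs each time; the HMAC
    ties it to the session, so a token obtained for one user is useless for
    another, and the attacker's page cannot compute one without the secret.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    return f"{nonce}.{mac.hexdigest()}"


def verify_token(session_id: str, token: Optional[str]) -> bool:
    """Return True only if the token was issued for this session and is intact."""
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256)
    # Constant-time comparison avoids leaking the expected value by timing.
    return hmac.compare_digest(mac, expected.hexdigest())


def handle_change_password(request: dict) -> str:
    """Hypothetical handler for a sensitive operation (request is a plain dict)."""
    if request.get("method") != "POST":
        return "405 sensitive operations must use POST"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return "401 not logged in"
    # The cookie alone proves nothing: the browser attaches it to forged
    # requests too. The token must come from the form, not from the cookie.
    if not verify_token(session_id, request.get("form", {}).get("csrf_token")):
        return "403 missing or invalid CSRF token"
    return "200 password changed"
```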

7. The difference between CSRF and XSS

CSRF uses the user's privileges to complete the attack without the attacker ever holding them, whereas XSS directly steals the user's privileges (for example the session) and then carries out the damage with them.

Origin blog.csdn.net/weixin_62421736/article/details/130962062