"Network Security 0-100" HW1.7

Q

CSRF vulnerability principle?

A

When a web application performs sensitive operations, such as changing the account password, adding an account, or transferring money, but does not verify a form token or the Referer value in the HTTP request header, a malicious attacker can use an ordinary user's identity (cookie) to complete the action on that user's behalf.

Victim A logs in to the website; attacker B constructs a valid link and induces victim A to visit it. While A's session with the website is still active, the request is executed as normal business (changing the password, transferring money to a particular user, etc.). Of course, such a simple exploit is basically no longer seen in practice; use a practice lab to verify it and understand the principle.

Q

CSRF vulnerability types?

A

GET type

POST type

For example, build a form inside a page, hide it in an invisible iframe window, and then use JavaScript to submit the form automatically. The whole process is invisible to the user: when the user visits the page the form is submitted automatically, which is equivalent to the user completing a POST operation.

Q

CSRF vulnerability hazards?

A

Stealing another user's or administrator's account

Access to personal privacy or confidential information

Chaining ("combination punches") with other vulnerabilities

For example, after obtaining the administrator account, the attacker uses an XSS vulnerability to plant a web Trojan on a page; ordinary users download the Trojan program after visiting it, and this is then combined with tools such as MSF or CS to get a shell. As another example, if the administrator password is reset, the real administrator will also be hit by the web page Trojan when logging in, and combining tools can further obtain the administrator's host permissions.

Q

CSRF vulnerability prevention measures?

A

CAPTCHA verification

A CAPTCHA is considered the simplest and most effective defense against CSRF attacks.

A CSRF attack usually works by constructing a network request without the user's knowledge. A CAPTCHA, on the other hand, forces the user to interact with the application before the final request can complete. Therefore, under normal circumstances, requiring the user to pass a CAPTCHA when performing sensitive operations can effectively curb CSRF attacks.

But the CAPTCHA is not a panacea. In many cases, for user experience reasons, a website cannot add a CAPTCHA to every operation. Therefore, the CAPTCHA can only serve as an auxiliary means of defending against CSRF, not as the main solution.

Add a token to the request address and verify it

A CSRF attack succeeds because the attacker can forge the user's request completely: all of the user's authentication information in the request lives in the cookie, so the attacker can pass security verification by relying on the user's own cookie without ever knowing the authentication information.
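The following is an added example, not code from the original homework: it puts the handler pattern described in the principle answer (authorizing on the session cookie alone, with no token or Referer check) beside a hardened handler that enforces the token measure above and also checks the request's Origin/Referer header. The `Request` and `SessionStore` classes are hypothetical stand-ins for whatever web framework is in use, and the host name `bank.example` is a constructed value for the demo.

```python
"""Added example (not from the original post): cookie-only authorization
versus a session-bound CSRF token plus Origin/Referer check."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_HOST = "bank.example"  # constructed host name for the demo (assumption)


@dataclass
class Request:
    """Minimal stand-in for a framework request object (hypothetical)."""
    method: str
    headers: dict
    cookies: dict
    form: dict


@dataclass
class SessionStore:
    """Server-side sessions; each session owns its own random CSRF token."""
    sessions: dict = field(default_factory=dict)

    def login(self, user):
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
        return sid

    def user_for(self, sid):
        entry = self.sessions.get(sid)
        return entry["user"] if entry else None

    def csrf_token_for(self, sid):
        # The token is rendered into the site's own forms; a cross-site page
        # cannot read it, which is what makes the check effective.
        return self.sessions[sid]["csrf"]


def vulnerable_change_password(store, req):
    """The pattern the homework describes: the browser attaches the cookie to
    any request, so a forged cross-site POST is accepted as the victim."""
    user = store.user_for(req.cookies.get("session", ""))
    if req.method != "POST" or user is None:
        return (403, "not logged in")
    return (200, f"password changed for {user}")


def source_is_same_site(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is our
    host. A state-changing request with neither header is treated as untrusted."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def hardened_change_password(store, req):
    """Same operation, but the request must prove it came from our own page:
    same-site Origin/Referer and the token bound to this exact session."""
    sid = req.cookies.get("session", "")
    user = store.user_for(sid)
    if req.method != "POST" or user is None:
        return (403, "not logged in")
    if not source_is_same_site(req.headers):
        return (403, "cross-site origin rejected")
    expected = store.csrf_token_for(sid).encode()
    supplied = req.form.get("csrf_token", "").encode()
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return (403, "missing or invalid csrf token")
    return (200, f"password changed for {user}")


def demo():
    """Run a forged cross-site request and a legitimate one through both handlers."""
    store = SessionStore()
    sid = store.login("alice")
    # Constructed forged request: the victim's cookie rides along automatically,
    # but the form carries no token and the Origin is a third-party page.
    forged = Request("POST", {"Origin": "https://evil.example"},
                     {"session": sid}, {"new_password": "pwned"})
    # Constructed legitimate request from the site's own settings form.
    legit = Request("POST", {"Referer": f"https://{SITE_HOST}/settings"},
                    {"session": sid},
                    {"new_password": "x", "csrf_token": store.csrf_token_for(sid)})
    return {
        "vulnerable_forged": vulnerable_change_password(store, forged)[0],  # 200
        "hardened_forged": hardened_change_password(store, forged)[0],      # 403
        "hardened_legit": hardened_change_password(store, legit)[0],        # 200
    }


if __name__ == "__main__":
    print(demo())
```

The token is stored per session rather than derived from the cookie, so a token captured from one session is useless against another; the Origin/Referer check is kept as a second, independent layer because some clients strip the Referer, which is why a missing header is treated as a rejection for state-changing requests rather than as a pass.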

Source: blog.csdn.net/2301_77069887/article/details/131503852