Pikachu-----CSRF (Cross Site Request Forgery)

Table of contents

1. CSRF
   1 Introduction
   2 Break through
     1. CSRF(get)
     2. CSRF(post)
     3. CSRF---Token


1. CSRF

1 Introduction

1.1 Official introduction

Mainly understand these points:

What is CSRF

CSRF stands for Cross-Site Request Forgery. It is a network attack method: in a CSRF attack scenario the attacker forges a request (usually a link) and tricks the target user into clicking it. Once the user clicks the request, the whole attack is complete. It is also known as a one-click attack or session riding.

CSRF attack principle

A CSRF attack abuses the website's trust in the user's web browser: it hijacks the web application the user is currently logged in to and performs operations the user did not intend. In essence the attack is completed with the user's own authority, so a successful attack requires that the user has already passed authentication and then triggers the request supplied by the attacker.

Judgment of CSRF

Judging whether a website has a CSRF vulnerability really means judging whether its operations (adding, deleting, modifying) on key information (such as passwords and other sensitive information) are easy to forge.

Prevention of CSRF

If a website wants to prevent CSRF attacks, it needs to implement corresponding security measures for sensitive information operations so that these operations cannot be forged. For example:
-- Add a secure token to operations on sensitive information;
-- Add a secure verification code, a password check, etc. to operations on sensitive information.

2 Break through

1. CSRF(get)

Let's look at the prompt: it gives a user name and password.

Log in on this page.

Click "modify information" and change the gender to girl.

It is found that the URL at the top has not changed.

Look at the bp (Burp Suite) packet capture.

From the packet capture it can be seen that when user information is modified, the request carries no unpredictable authentication information. So it should be exploitable here.

While allen is logged in (in fact this link does not contain the user name, so it does not matter who is logged in: as long as someone is, that user's information will be changed to the values given in the URL), try changing the link above, for example by changing the phone number. Enter the payload in the browser address bar:

http://127.0.0.1/pikachu/vul/csrf/csrfget/csrf_get_edit.php?sex=girl&phonenum=17867676677&add=nba+76&email=allen%40pikachu.com&submit=submit 

Enter the payload in the URL and the modification succeeds.

If the victim's login state (cookie/session) has not expired at this moment, the information will be modified.

We can also generate a short link for the URL and use that instead.

The gender is successfully changed to boy and the attack succeeds.

2. CSRF(post)

An error is reported because the PHP version is too high. Open the PHP file and add an i after mysql, so that the deprecated mysql_ call becomes the mysqli_ one.

bp packet capture

For the POST type, the URL no longer shows the modified parameters, so the method above (forging the request through the URL) can no longer be used. The packet capture still reveals the tags and field names on this page, which is convenient later when constructing the form.

The POST type is more troublesome to exploit than the GET type: the attacker has to write an HTML file that exploits the vulnerability, host it on his own server, and send the user a link to that HTML file.

Construct csrf.html with the modified information:

<html>
    <!-- This script submits the form automatically when the page loads -->
    <script>
        window.onload = function() {
            document.getElementById("submit").click();
        }
    </script>
    <body>
        <form action="http://127.0.0.1/pikachu/vul/csrf/csrfpost/csrf_post_edit.php" method="POST">
            <input type="hidden" name="sex" value="girl" />
            <input type="hidden" name="phonenum" value="123456789" />
            <input type="hidden" name="add" value="usa" />
            <input type="hidden" name="email" value="[email protected]" />
            <input type="hidden" name="submit" value="submit" />
            <!-- style="display:none" hides the submit button -->
            <input id="submit" type="submit" value="Submit request" style="display:none"/>
        </form>
    </body>
</html>

Put it in the pikachu directory, where Pikachu is deployed.

Open a new page and visit http://127.0.0.1/pikachu/csrf.html

If a 404 appears, it should be for the following reason: when csrf_post.php detects that the user is not logged in, it redirects to csrf_get_login.php in the same folder (csrfpost), but there is no such file in the csrfpost folder, so it returns 404 Not Found.

Open csrf_post.php and change header("location:csrf_get_login.php"); to header("location:csrf_post_login.php");

Enter http://127.0.0.1/pikachu/csrf.html and the attack succeeds.

3. CSRF---Token

Modify the information, capture the packet with bp, and find the token value.

 Send to Repeater

Delete the token and the modification no longer succeeds.

After another capture, there is no regularity between the tokens.

bp packet capture in Google Chrome

Put the token captured in Google Chrome into the Firefox browser's request and it still cannot be modified.

However, there is still a way: bp's CSRF Token Tracker plug-in can be used to bypass the token verification.

Open the CSRF Token plug-in, enter the host IP for Host, token for Name, and the value of the token for Value.

This is before the bp token plug-in is turned on: the modification does not take effect.

When the plug-in is turned on, it generates the matching token value automatically.

The attack was successful!

Although the token value cannot be deleted, has no pattern at all, and a token taken from Google Chrome is useless in Firefox, some bypass methods can still be used to attack, so the validation still has some issues.

Source code

When modifying user information, the server compares the token field in the URL with the token field in the session and only modifies the user information if they are the same.

After modifying the user information, a new token is generated with the set_token() function and returned to the HTML form as a hidden field, so that the next time the user modifies the information it is included in the URL.

The set_token() function is shown in the figure below. Before generating a new token, the old token is destroyed first to avoid token reuse.
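The set_token() flow described above, together with the token and POST-only advice from the introduction, written the way a defender would implement it. This is an added example, not Pikachu's own source; the field name token, the session key, the file name csrf_token_edit.php and the PHP 7.3+ array form of session_set_cookie_params() are assumptions.

```php
<?php
// Added example, not Pikachu's own code: token handling for a profile edit page.
// Assumptions: field name "token", session key "token", action file csrf_token_edit.php.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']); // PHP 7.3+
session_start(); // with SameSite=Lax the browser omits the cookie on cross-site POSTs

// Issue a fresh token. The old one is destroyed first so it cannot be reused.
function set_token(): string {
    unset($_SESSION['token']);
    $_SESSION['token'] = bin2hex(random_bytes(32)); // 256 random bits: no pattern to guess
    return $_SESSION['token'];
}

// Compare the submitted token with the session copy; both must exist and match exactly.
function check_token(?string $submitted): bool {
    if (!isset($_SESSION['token']) || $submitted === null) {
        return false;
    }
    $ok = hash_equals($_SESSION['token'], $submitted); // constant-time comparison
    unset($_SESSION['token']);                          // single use, even on failure
    return $ok;
}

// State changes are accepted only via POST, so a bare link such as section 1's
// csrf_get_edit.php?sex=girl&... can never reach the update code.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_token($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('csrf token missing or invalid');
    }
    // ... update sex / phonenum / add / email for the logged-in user here ...
}

// Render the form with the next token, as the figure's set_token() does.
$token = set_token();
?>
<form action="csrf_token_edit.php" method="POST">
    <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>" />
    <input type="text" name="phonenum" value="" />
    <input type="submit" name="submit" value="submit" />
</form>
```

A tool that runs inside the tester's own logged-in session, as CSRF Token Tracker does in Burp, can always read the fresh token that session was just issued; the control fails only if the token is predictable, accepted across sessions, reusable, or not checked at all, which is what the checks above rule out.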

Origin blog.csdn.net/m0_65712192/article/details/128363288