A detailed explanation of how CSRF attacks work

CSRF concept:

CSRF definition: Cross-site request forgery (CSRF), also known as a one-click attack or session riding and sometimes abbreviated XSRF, is an attack in which a malicious site causes a user's browser to perform an unintended operation on a web application in which that user is currently logged in. Its impact can be comparable to that of an XSS attack.

You can think of it this way: the attacker borrows your identity and sends a malicious request in your name. To the server the request is completely legitimate, but it carries out an operation the attacker chose, such as sending email or messages in your name, taking over your account, adding a system administrator, or even purchasing goods or transferring virtual currency.

Simply put, the attacker uses some technical means to trick the user's browser into sending requests to a website where the user has already authenticated and to perform operations there (sending email or messages, or even financial operations such as transfers and purchases). Since the browser already holds the authentication state, the target website treats the request as a genuine user action and executes it. This exploits a weakness in how web applications authenticate users: a session cookie only proves that the request comes from a particular user's browser; it does not prove that the user intended to make the request.

CSRF status: it is a well-known web attack technique and one of the major security risks on the Internet. NYTimes.com (New York Times), Metafilter, YouTube, Gmail and Baidu HI have all been affected by such attacks.

Comparison with XSS: cross-site scripting (XSS) exploits the user's trust in a given website, whereas CSRF exploits the website's trust in the user's web browser.

In the scenario used below, Web A is a website with a CSRF vulnerability, Web B is a malicious website built by the attacker, and User C is a legitimate user of Web A.

If the description above is not yet clear, the principle can be restated from the ground up, starting with cookies:

First, understand the difference between first-party and third-party cookies.

A cookie is a small piece of data that a server stores in the browser. It is scoped to the domain (and optionally the path) that set it: the browser sends it back only on requests to that domain, and only pages served from that domain can read it with script.

First-party cookie: when you visit www.a.com, the site sets a cookie; that cookie can be read only by pages under the domain www.a.com.

Third-party cookie: when you visit www.a.com, the page embeds an image served from www.b.com. When the browser fetches the image, www.b.com sets a cookie. That cookie belongs to the domain www.b.com and cannot be read by pages on www.a.com, even though, from our point of view, it was set while we were visiting www.a.com. Because it belongs to a domain other than the one in the address bar, it is called a third-party cookie. The point that matters for CSRF is the converse: a page on www.b.com cannot read www.a.com's cookies, yet any request it causes the browser to send to www.a.com still carries them.

CSRF principle:

  • 1. User C opens the browser, visits trusted website A, and enters a username and password to log in to A;
  • 2. After verifying the credentials, website A creates a session, sends the session cookie to the browser, and from then on the user is logged in and can send requests to A normally;
  • 3. Before logging out of A, the user opens another tab in the same browser and visits website B;
  • 4. Website B's response contains attack code (for example a hidden form that submits itself, or an image tag whose URL points at A) that makes the browser issue a request to A;
  • 5. The browser sends that request to A and, because the request is addressed to A's domain, attaches A's cookies to it without the user's knowledge. Website A has no way to tell that B's page initiated the request, so it processes it with C's privileges based on C's session cookie, and the action the attacker chose is carried out under C's account.

In short: the user visits a malicious page, the page contains a form, image or script that makes the browser send a request to a site the user is already logged in to, and the browser attaches the session cookie because the request is addressed to that site. The server only checks whether a valid session cookie is present; it cannot distinguish a request the user intended from one that a third-party page triggered, so it is deceived into acting on the attacker's behalf.
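The following simulation is an added example, not code from the original post. It models steps 1 to 5 above: site A authenticates by session cookie alone, and the browser attaches A's cookie to a request aimed at A even when a page on B triggered it. The site names, the transfer endpoint, the credentials and the `SameSite` attribute on the cookie model are all assumptions for the example (`SameSite` is a modern browser feature the post does not discuss; it is included because it is the one thing that changes step 5).

```python
"""Simulation of the flow in steps 1-5 above: site A authenticates by
session cookie alone, and the browser attaches A's cookie to a request
aimed at A even when a page on B triggered it. Site names, endpoint,
and credentials are constructed for the example."""
import secrets
from dataclasses import dataclass, field

SITE_A = "a.example"        # the vulnerable site (assumed name)
SITE_B = "b.example"        # the attacker's site (assumed name)

# What site B serves: a form aimed at A that submits itself on page load.
ATTACKER_PAGE = f"""
<form id="f" action="https://{SITE_A}/transfer" method="POST">
  <input type="hidden" name="to" value="attacker">
  <input type="hidden" name="amount" value="50">
</form>
<script>document.getElementById("f").submit();</script>
"""


@dataclass
class SiteA:
    """Site A: keeps server-side sessions keyed by the id in the cookie."""
    sessions: dict = field(default_factory=dict)   # session id -> user
    balances: dict = field(default_factory=dict)   # user -> balance

    def login(self, user, password):
        if password != "correct horse":              # constructed credential
            return None
        sid = secrets.token_hex(16)
        self.sessions[sid] = user
        self.balances.setdefault(user, 100)
        return sid

    def transfer(self, cookies, form):
        """Vulnerable: the only authentication is the session cookie."""
        user = self.sessions.get(cookies.get("sid"))
        if user is None:
            return 401
        amount = int(form["amount"])
        self.balances[user] -= amount
        self.balances[form["to"]] = self.balances.get(form["to"], 0) + amount
        return 200


@dataclass
class Browser:
    """One cookie jar keyed by the domain that set each cookie."""
    jar: dict = field(default_factory=dict)   # domain -> {name: (value, samesite)}

    def set_cookie(self, domain, name, value, samesite="None"):
        self.jar.setdefault(domain, {})[name] = (value, samesite)

    def cookies_for(self, domain, initiator, method):
        """Cookies attached to a request to `domain` that a page on
        `initiator` caused. Only `domain`'s own cookies are candidates; a
        page on `initiator` can trigger the request but never read them.
        SameSite (a modern browser attribute, not covered by the text
        above) is the one thing that withholds them on cross-site requests."""
        sent = {}
        for name, (value, samesite) in self.jar.get(domain, {}).items():
            cross_site = initiator != domain
            if cross_site and samesite == "Strict":
                continue
            if cross_site and samesite == "Lax" and method != "GET":
                continue
            sent[name] = value
        return sent


def run_attack(samesite="None"):
    """Steps 1-5: C logs in to A, then visits B, whose page posts to A."""
    a, browser = SiteA(), Browser()
    sid = a.login("carol", "correct horse")                    # steps 1-2
    browser.set_cookie(SITE_A, "sid", sid, samesite=samesite)
    # Steps 3-4: the browser renders ATTACKER_PAGE from B; its form targets A.
    form = {"to": "attacker", "amount": "50"}
    # Step 5: the browser sends the request to A with whatever cookies apply.
    status = a.transfer(browser.cookies_for(SITE_A, SITE_B, "POST"), form)
    return status, a.balances.get("carol"), a.balances.get("attacker", 0)


if __name__ == "__main__":
    print(run_attack())                 # cookie sent cross-site: (200, 50, 50)
    print(run_attack(samesite="Lax"))   # cookie withheld on cross-site POST: (401, 100, 0)
```

Note that the attacker's page never touches the `sid` value; it only needs the browser to address a request to `a.example`. That is the whole gap the defenses in the next section close: the server must demand something in the request that only a page on A's own domain could have supplied.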

CSRF attack defense

CSRF defenses rest on the cookie rule described above: a page can read only its own domain's cookies. The attacker's page can make the browser send site A's cookies, but it can never read them, so any value that must be copied from A's cookie into the request body or a request header is something the attacker cannot supply.

Defense method:
A simple and workable way to prevent CSRF is for the server to set an extra cookie holding a random value. When the user's page on site A submits a request, script on that page reads this cookie, hashes its value, and sends the hash along with the request (in a form field or a custom header). The server takes the cookie value from the same request, hashes it with the same algorithm, and compares the two hashes in constant time; if they match, the request is accepted. If the user visits a malicious site, its page can still cause the browser to send the cookie, but it cannot read the cookie's value, so it cannot produce the matching hash and the server rejects the request. Two caveats a practitioner should keep in mind: the check must be enforced on every state-changing endpoint (and GET requests should never change state), and the scheme only holds as long as the attacker cannot set cookies for A's domain, since anyone who can plant a cookie (through a subdomain they control, or through an XSS bug on A) can plant a known value and hash it themselves. Binding the token to the session with a server-side key, or storing the expected token in the server-side session, removes that weakness, and marking the session cookie `SameSite=Lax` or `Strict` stops the browser from attaching it to cross-site requests in the first place, which is a useful second layer.
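The check described above, written out as an added example (not the original author's code), side by side with a session-bound variant that survives an attacker who can plant cookies. The cookie and field names, the server key and the three request scenarios are constructed for the example.

```python
"""The cookie-plus-hash ("double-submit") check described above, next to
a session-bound variant. Everything here is constructed for the example:
cookie and field names, the server key, and the three request scenarios."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # assumption: a secret only the server holds


def issue_nonce():
    """Server: random value placed in a cookie that site A's pages can read."""
    return secrets.token_hex(16)


def client_token(nonce):
    """Client-side script on A: read the cookie, hash it, put the digest in the form."""
    return hashlib.sha256(nonce.encode()).hexdigest()


def check_double_submit(cookies, form):
    """Server, as in the text: re-hash the cookie value and compare with the form."""
    nonce, sent = cookies.get("csrf_nonce"), form.get("csrf_token")
    if not nonce or not sent:
        return False
    return hmac.compare_digest(client_token(nonce), sent)   # constant-time compare


def bound_token(session_id):
    """Server: token tied to the session with a key the client never sees."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_bound(cookies, form):
    """Server: recompute the session-bound token; no client-settable value is trusted."""
    sid, sent = cookies.get("sid"), form.get("csrf_token")
    if not sid or not sent:
        return False
    return hmac.compare_digest(bound_token(sid), sent)


def scenarios():
    """Three requests reaching A's transfer endpoint; returns (double_submit, bound) verdicts."""
    sid, nonce = secrets.token_hex(16), issue_nonce()
    # 1. Legitimate: A's own page read the nonce cookie and hashed it.
    legit_cookies = {"sid": sid, "csrf_nonce": nonce}
    legit_form = {"amount": "50", "csrf_token": client_token(nonce)}
    # 2. Cross-site: the browser attaches A's cookies, but B's page could not
    #    read csrf_nonce, so the best it can do is omit or guess the token.
    csrf_form = {"amount": "50", "csrf_token": client_token("guess")}
    # 3. Attacker who can plant a cookie for A's domain (subdomain or XSS) sets
    #    its own nonce and hashes that; the session cookie is still C's.
    planted = {"sid": sid, "csrf_nonce": "attacker-chosen"}
    planted_form = {"amount": "50", "csrf_token": client_token("attacker-chosen")}
    # Legitimate request under the bound scheme carries the server-issued token.
    bound_form = {"amount": "50", "csrf_token": bound_token(sid)}
    return {
        "legitimate": (check_double_submit(legit_cookies, legit_form),
                       check_bound(legit_cookies, bound_form)),
        "cross_site": (check_double_submit(legit_cookies, csrf_form),
                       check_bound(legit_cookies, csrf_form)),
        "planted_cookie": (check_double_submit(planted, planted_form),
                           check_bound(planted, planted_form)),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(name, verdict)
```

The `planted_cookie` row is the one to look at: the scheme from the text accepts the request, because it only checks that the form value matches whatever cookie arrived, while the session-bound token rejects it, because computing it requires `SERVER_KEY`. The unkeyed hash in the original scheme adds no security over sending the nonce itself; its only job is that the value in the form is derived from a cookie the attacker's page cannot read.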

How session works

CSRF can be as damaging as XSS. To understand its attack characteristics properly, we need to understand how a website's session works.

Everyone is familiar with sessions: whether you have built websites with .NET or PHP, you have used the session object. But how does a session actually work? If you are not sure, read on.

First a small question: if I disable cookies in my browser, can the session still work normally?

With the cookie-based mechanism described here, no. (Some frameworks can fall back to carrying the session id in the URL, but that is a separate and riskier mechanism, since the id then leaks through links, logs and the Referer header.) A simple analogy will help explain how sessions work.

Suppose I buy a golf club membership. The club gives me a membership card with a card number. What I am entitled to (say, a premium card lets me play 19 holes and have drinks charged to my account, while a junior card only allows the driving range) and my personal details are stored in the club's database. Every time I go to the club I only need to show the card, and the club knows who I am and serves me accordingly.

Here the premium card number is the session id stored in the cookie, and the privileges and personal details attached to it are the session object on the server side.

HTTP is stateless: each request is independent and carries nothing from earlier requests. But on every request the browser attaches all cookies whose domain and path match the request as part of the request headers. The server reads the session id from that cookie and looks up the member's information in the corresponding session object.

Sessions can be stored in different ways, in files or in memory. For distributed deployments that scale horizontally, it is better to keep them in a shared external store such as Redis or MongoDB.

Once the session mechanism is clear, CSRF is easy to understand. A CSRF attack is not malicious user A copying my premium card; A never learns my card number. Instead, A slips a bar tab in front of me while I am at the club and gets me to present my own card for it. The club sees my card, charges my account, and at the end of the month I receive the bill for A's 19 holes and drinks.

Once the mechanism is understood, the dangers are self-evident. I can forge a user's identity and send spam to his friends; the links in those messages may lead to trojans or to scams (requests to borrow money, and so on). If the messages also carry a worm link, every friend who opens it becomes a further spreader of the harmful content, so tens of thousands of users can have their data stolen and malware planted. The site's application may be overwhelmed, users complain and leave, and the company's reputation collapses or the company even faces bankruptcy. In 2005 a 19-year-old American, Samy Kamkar, exploited a filter bypass on MySpace (JavaScript smuggled through a CSS background URL) to infect more than one million profiles with his worm within about twenty hours. The worm did no damage beyond appending "but most of all, samy is my hero" to each victim's profile, and strictly speaking it was an XSS worm that used forged requests in the victim's session to add Samy as a friend and copy itself onward; but had the same capability been used maliciously the consequences would have been disastrous. The same thing later happened on Sina Weibo.

Example:
The main purpose of a CSRF attack is to make users act against a system they are logged in to without knowing it, much like phishing. Suppose the user is currently logged in to a webmail account or a BBS and, at the same time, is browsing another site that you control, call it the phishing site. The site may lure the user with an image; clicking it triggers a JavaScript click handler that constructs a post request aimed at the BBS and sends it. Because the browser is still in the logged-in state, the session cookie goes along with the request exactly as it would with a normal one. The attack simply rides on the current login state to make the user post, or do something else, without knowing it.

The attack proceeds through the same five steps listed under "CSRF principle" above.

Therefore, two conditions must hold at the same time for a CSRF attack to succeed:

  • The user has logged in to trusted website A, so the browser holds A's session cookie.
  • Without logging out of A, the user visits dangerous website B (and the browser is willing to attach A's cookie to the cross-site request B triggers).

Origin blog.csdn.net/qq_32907491/article/details/132939181