[Repost] CSRF & CORS

The following two reposted articles explain the two concepts and some of the corresponding solutions:

  • CSRF - Cross-Site Request Forgery

  • CORS - Cross-Origin Resource Sharing

I. CSRF

Reposted from: http://www.h3c.com.cn/About_H3C/Company_Publication/IP_Lh/2012/04/Home/Catalog/201208/751467_30008_0.htm

From the following article you can learn why a csrf_token should be set, and why some sites put the csrf_token in a header or in the URL.

1. CSRF vulnerability overview

CSRF (Cross-Site Request Forgery) is a web attack in which the attacker forges requests to the target site in the victim's name, without the victim's knowledge, so that operations requiring the victim's privileges are performed without authorization; the danger is considerable. Put simply, a CSRF attack can be understood like this: the attacker steals your identity and sends malicious requests to the server in your name. To the server the request is perfectly legitimate, yet it carries out the action the attacker wants, such as sending e-mail or messages in your name, stealing your account, adding a system administrator, or even purchasing goods or transferring virtual currency.

CSRF attacks are not widely known, yet many sites actually have CSRF vulnerabilities. This attack was described by security researchers abroad as early as 2000, but in China it only began to attract attention in 2006. In 2008 a number of large community and interactive websites at home and abroad were found to have CSRF vulnerabilities, including Baidu HI, NYTimes.com (the New York Times), Metafilter (a large blog site) and YouTube. Many sites on the Internet are still unprepared for it, which is why the security industry calls CSRF a "sleeping giant"; the extent of the threat it poses can be judged from that name.

2. CSRF attack principles and practice

2.1 CSRF attack

The principle of a CSRF attack is simple, as shown in Figure 1. Website A is the site with the CSRF vulnerability, website B is the malicious site built by the attacker, and user C is a legitimate user of website A.
Figure 1: CSRF attack

  • 1. User C opens a browser, visits the trusted website A and enters a user name and password to log in to A;

  • 2. After the user's credentials are verified, website A generates cookie information and returns it to the browser; the user is now logged in to A and can send requests to A normally;

  • 3. Without logging out of A, the user opens a new tab in the same browser and visits website B;

  • 4. Website B receives the user's request, returns some attack code, and issues a request that requires access to the third-party website A;

  • 5. On receiving the attack code, the browser, following website B's request and without the user's knowledge, sends a request to website A carrying the cookie information. Website A does not know that the request was actually initiated by B, so it processes it with C's permissions based on the cookie, and the malicious code from website B achieves its purpose.

2.2 CSRF attack classification

CSRF vulnerabilities generally come in two types: off-site and on-site.

Off-site CSRF is the vulnerability in its traditional sense and is essentially an off-site data submission problem. Programmers would normally add a captcha to message or comment forms to prevent spam (here spam can simply be understood as junk messages, junk comments or malicious off-site links in replies), but sometimes, to improve the user experience, they impose no restrictions on certain operations. An attacker can then predict the parameters in advance and construct the request, write a script on an external web page that forges the request, or combine it with automatic form submission to issue the GET or POST request; when a user who is in a logged-in session clicks the link to that external page, the client is forced to initiate the request.

On-site CSRF is caused, to some extent, by programmers abusing REQUEST-type variables. For some sensitive operations (changing a password, adding a user, and so on) the program should require the user to submit the request from a form via POST, but because the _REQUEST variable is used, the program accepts parameters passed by GET as well as by POST, which creates the conditions for an attacker to exploit CSRF. In general the attacker only needs to predict the request parameters and post a message or an image link on the site; when the victim views that page, the requests are forced to be initiated.

2.3 CSRF vulnerability detection

Detecting CSRF flaws is relatively tedious work. The simplest method is to capture a normal request, remove the Referer field and resubmit it; if the submission still takes effect, the site can basically be judged to have a CSRF vulnerability.

As research on CSRF vulnerabilities has deepened, dedicated tools for testing for CSRF vulnerabilities have appeared, such as CSRFTester and CSRF Request Builder.

Taking CSRFTester as an example, the testing principle of a CSRF detection tool is as follows. When testing with CSRFTester, first capture all the links, forms and other information we visit in the browser, then modify the corresponding forms and other information in CSRFTester and resubmit them, which is equivalent to a forged client request. If the test succeeds, i.e. the modified request is accepted by the web server, a CSRF vulnerability exists. Naturally, such tools can also be used to carry out CSRF attacks.

Example of a CSRF attack

The Axous 1.1.1 CSRF Add Admin vulnerability (CVE-2012-2629) is used below as an example to describe the concrete process of a CSRF attack.

Axous is online store application software. Axous 1.1.1 and earlier contain a CSRF vulnerability in their implementation: a remote attacker who constructs a specially crafted web page and entices the software's administrator to visit it can add a system administrator. Exploiting this vulnerability mainly involves the following three steps:

  1. The attacker constructs a malicious web page. Before the attack, the attacker needs to build a page essentially the same as the normal add-administrator page, assign values to the required parameter entries in it, and point it at the URL a normal administrator uses to add an administrator; the core code is shown in Figure 2;

  2. The attacker uses social engineering to lure the Axous system administrator into visiting the malicious web page they constructed;

  3. The malicious code executes. When the system administrator visits the malicious web page, the malicious code runs with the legitimate administrator's privileges and without the administrator's knowledge, and the attacker's forged administrator account is added successfully.

Figure 2: Core code of the CSRF attack that adds an administrator

2.4 Defense against CSRF vulnerabilities

CSRF vulnerabilities can be defended against mainly at three levels: server-side defense, client-side defense and security equipment.

2.4.1 Server-side defense

The industry has three main strategies for server-side defense against CSRF attacks: verifying the HTTP Referer field, adding a token to the request address and verifying it, and adding a custom attribute to the HTTP header and verifying it. These three strategies are briefly introduced below.

(1) Verifying the HTTP Referer field

According to the HTTP protocol, the HTTP header contains a field called Referer that records the source address of the request. Under normal circumstances, a request for a restricted, secure page must come from the same website. For example, a bank transfer is completed by the user visiting the page http://bank.test/test?page=10&userID=101&money=10000; the user must first log in to bank.test and then trigger the transfer event by clicking a button on that page. When the user submits the request, the Referer of the transfer request is the URL of the page containing the transfer button (normally an address beginning with the bank.test domain). If an attacker wants to mount a CSRF attack on the bank's website, he can only construct the request on his own site, and when the user sends the request to the bank via the attacker's site, the Referer of that request points to the attacker's site. To defend against CSRF, therefore, the bank site only needs to verify the Referer value of each transfer request: if it begins with the bank.test domain, the request comes from the bank's own site and is legitimate; if the Referer is another site, it may be a CSRF attack and the request is rejected.

(2) Adding a token to the request address and verifying it

CSRF attacks succeed because the attacker can forge the user's request, and all of the user's authentication information for that request lives in the cookie, so the attacker can pass the security check by using the user's own cookie directly, without knowing the authentication information. The key to defending against CSRF is therefore to put into the request information that the attacker cannot forge, and that is not present in the cookie. For this purpose, the developer can add a randomly generated token to the HTTP request as a parameter and set up an interceptor on the server side to verify it; if the request has no token, or the token is incorrect, it is treated as a possible CSRF attack and rejected.

(3) Adding a custom attribute to the HTTP header and verifying it

This method also verifies using a token, but differs from the previous one: the token is not placed in the HTTP request as a parameter but in a custom attribute of the HTTP header. Through the XMLHttpRequest class, a csrftoken attribute can be added at once to the HTTP headers of all requests made through that class, with the token value placed in it. This removes the inconvenience of adding the token to each request address in the previous method; at the same time, the address requested through this class is not recorded in the browser's address bar, so there is no need to worry about the token leaking to other sites through the Referer.
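An added example, not part of the reposted article, of a server-side interceptor that combines the three strategies above: it checks the Referer (or Origin) against the site's own host (1) and accepts the random token either as a request parameter (2) or in a custom header (3). The host name bank.test is taken from the article; the parameter name csrf_token, the header name X-CSRF-Token, the requirement for https and the function names are assumptions.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumptions: the protected site is https://bank.test (host taken from the
# article); the token travels either as the form field "csrf_token" or in the
# custom header "X-CSRF-Token" (both names are assumptions).
TRUSTED_HOST = "bank.test"
TOKEN_FIELD = "csrf_token"
TOKEN_HEADER = "X-CSRF-Token"
STATE_CHANGING = {"POST", "PUT", "DELETE"}


def issue_token():
    """Strategy (2): a random token stored in the server-side session and
    embedded in the page (form field or JavaScript variable), never in a cookie alone."""
    return secrets.token_urlsafe(32)


def referer_ok(headers):
    """Strategy (1): the request must originate from our own site. Origin is
    preferred when present. A request carrying neither header is rejected, since
    the detection method in 2.3 is exactly 'strip Referer and resubmit'."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False
    parsed = urlparse(source)
    # Exact host comparison, not a prefix test: "bank.test.attacker.example"
    # would pass a naive "begins with bank.test" check.
    return parsed.scheme == "https" and parsed.hostname == TRUSTED_HOST


def token_ok(session_token, params, headers):
    """Strategies (2) and (3): accept the token from the custom header or from
    the request parameters, and compare it in constant time."""
    supplied = headers.get(TOKEN_HEADER) or params.get(TOKEN_FIELD)
    if not session_token or not supplied:
        return False
    return hmac.compare_digest(session_token.encode(), supplied.encode())


def validate_state_change(session_token, method, params, headers):
    """Server-side interceptor for a state-changing endpoint (e.g. a transfer).
    Returns (accepted, reason). GET is refused outright: accepting GET where a
    POST form was intended is the on-site CSRF variant described in 2.2."""
    if method.upper() not in STATE_CHANGING:
        return False, "state change attempted with " + method.upper()
    if not referer_ok(headers):
        return False, "Referer/Origin is not " + TRUSTED_HOST
    if not token_ok(session_token, params, headers):
        return False, "missing or mismatched CSRF token"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests against the interceptor.
    tok = issue_token()
    own_page = {"Referer": "https://bank.test/transfer"}
    print(validate_state_change(tok, "POST", {TOKEN_FIELD: tok}, own_page))
    print(validate_state_change(tok, "POST", {TOKEN_FIELD: tok}, {"Referer": "https://attacker.example/"}))
    print(validate_state_change(tok, "POST", {}, {**own_page, TOKEN_HEADER: tok}))
    print(validate_state_change(tok, "POST", {"userID": "101", "money": "10000"}, own_page))
```

The token check is what actually stops a forged request; the Referer check is a second layer that also makes the "remove Referer and resubmit" probe from section 2.3 fail. The comparison uses hmac.compare_digest so that a mismatched token cannot be distinguished by timing.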

2.4.2 Client-side defense

For ordinary users, learning and mastering network security knowledge in order to guard against attacks is unrealistic. If users develop good browsing habits, however, the harm of CSRF attacks can be greatly reduced. For example, do not click links or images that appear in web forums, chat rooms, instant messaging or e-mail; log out of accounts promptly when they will not be used for a while. System administrators in particular should log out of the system before clicking unknown links and images. Users should also install suitable security software on Internet-connected computers and update the vendor's signature database promptly, so that the software keeps up with the latest attacks.

2.4.3 Defense with security equipment

Since it takes time to release a patch after a vulnerability is discovered, and a considerable proportion of vendors respond to vulnerabilities sluggishly, coupled with some system administrators paying insufficient attention to patching, attackers are given an opportunity. In view of this, users can strengthen their defense against CSRF vulnerabilities with third-party professional security equipment.

The essence of a CSRF attack is that the attacker forges a legitimate identity to access the system. If the false identity of the visitor can be recognized, the CSRF attack can be recognized too. Research has found that some vendors' security products can check the content of the HTTP Referer field at the hardware level and thereby identify CSRF attacks quickly and accurately; Figure 3 is a simplified diagram of this approach. H3C's IPS products currently use dedicated techniques to detect and block CSRF exploits against some common systems.
Figure 3: Defense with security equipment

II. Cross-Origin Resource Sharing (CORS) Security Analysis

(Reposted from http://netsecurity.51cto.com/art/201311/419179.htm)

1. Background

Everyone is familiar with the browser's same-origin policy: client-side script cannot read or write resources belonging to a different origin. In practice, however, some scenarios require cross-origin reads and writes, so various hacks for crossing origins appeared, such as a proxy on the same origin, JSON-P and so on. These methods are flawed and do not achieve cross-origin reading and writing cleanly. The XMLHttpRequest Level 2 standard therefore proposed the CORS (Cross-Origin Resource Sharing) model, which tries to provide safe and convenient cross-origin reading and writing of resources. All mainstream browsers now support CORS.

2. Technical principles

CORS defines two kinds of cross-origin request: simple and non-simple. A cross-origin request is simple when its method is HEAD, GET or POST; its request headers are limited to the four fields Accept, Accept-Language, Content-Language and Last-Event-ID; and, if Content-Type is set, its value is one of application/x-www-form-urlencoded, multipart/form-data or text/plain. Put less awkwardly: "simple" is a whitelist, and a request that meets these conditions is a simple request. Anything that does not meet them is a non-simple request.
This classification exists because the browser handles simple and non-simple requests differently. When a cross-origin request is to be sent, the browser first examines it; if it matches the definition of a simple cross-origin request above, the browser sends it immediately. If the examination finds a non-simple request, for example one whose headers contain an X-Forwarded-For field, the browser does not send it immediately but performs a preflight, a verification exchange with the server. The browser first sends a preflight request with the OPTIONS method; the figure below shows an example. If the preflight passes, the request is sent; otherwise the browser refuses to send the cross-origin request.
The following analyzes in detail how security control of cross-origin requests is achieved. Look first at the preflight process for non-simple requests. The browser sends a request with the OPTIONS method carrying the following fields:

Origin: also present in ordinary HTTP, but in CORS the back end uses the Origin information exclusively for comparison; it indicates the source origin.

Access-Control-Request-Method: the method of the request that will follow, for example PUT, DELETE and so on.

Access-Control-Request-Headers: the custom headers; every header set with setRequestHeader is included here in comma-separated form.

If the server is configured for CORS, it returns the following fields; the specific meaning of each is explained together with the response fields below.

Access-Control-Allow-Origin:

Access-Control-Allow-Methods:

Access-Control-Allow-Headers:

The browser then decides, from the server's response, whether to send the non-simple request. A simple request, as described above, is sent directly, with just an extra Origin field indicating the source of the cross-origin request. After the server has processed the request, it adds the following control fields to the response:

Access-Control-Allow-Origin: the origins allowed cross-origin access; this can be a list of origins or the wildcard "*". Note that the Origin rule applies only to the domain, not to subdirectories, so http://foo.example/subdir/ is invalid. Different subdomains, however, must be configured separately; the rule here follows the same-origin policy.

Access-Control-Allow-Credentials: whether the request may carry credentials; this is explained in detail below.

Access-Control-Expose-Headers: the response headers the script is allowed to read; after a successful request, the script can access these headers through XMLHttpRequest (WebKit apparently does not implement this).

Access-Control-Max-Age: the number of seconds to cache this preflight result. Within that window, requests of the same kind no longer send a preflight but use the headers returned here directly. This is very useful and greatly reduces the number of requests.

Access-Control-Allow-Methods: the allowed request methods, comma-separated.

Access-Control-Allow-Headers: the allowed custom headers, comma-separated, case-insensitive.

The browser then uses these control fields in the response to decide whether to expose the result to client-side script or to block it. If the server has not configured CORS, the response carries no control fields and the browser blocks the script from reading the response.

3. Security risks

Pay attention to this flow. When the server receives a cross-origin request, it does not validate first; it processes the request first. So, to some extent, cross-origin writes on a CORS-capable browser break the traditional same-origin rule that resources cannot be read or written across origins.

Another issue: if a lazy programmer sets Access-Control-Allow-Origin to allow cross-origin requests from all origins, the CORS security mechanism is almost useless. But don't celebrate too early: the design contains a very good restriction. A request sent by XMLHttpRequest needs "withCredentials" to carry cookies, and if the target origin is configured to allow any origin and the request carries cookies, the request is not valid. (That is, a cross-origin request with cookies requires an explicitly configured allowed origin; the any-origin configuration is not valid for it.) The browser blocks the returned result, and JavaScript cannot obtain the returned data. This is the last line of defense of the CORS model. Without this restriction, JavaScript could obtain the CSRF token and all kinds of sensitive data from the response. This restriction greatly reduces the risk of CORS.
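An added example in Python, not from the reposted article, that models the policy described in sections 2 and 3: the simple/non-simple classification, a server-side preflight handler that answers OPTIONS only for an allowlisted Origin and permitted method/headers, and the browser-side check that blocks a credentialed response when Access-Control-Allow-Origin is "*" (the restriction the paragraph above calls the last line of defense). The allowlist https://app.example, the custom header name x-csrf-token and all function names are assumptions.

```python
from typing import Dict, Optional

# Article section 2: the whitelist that makes a request "simple" (no preflight).
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SIMPLE_HEADERS = {"accept", "accept-language", "content-language",
                  "last-event-id", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded",
                        "multipart/form-data", "text/plain"}

# Assumed server policy: one trusted caller and a small set of methods/headers.
ALLOWED_ORIGINS = {"https://app.example"}
ALLOWED_METHODS = {"GET", "POST", "PUT", "DELETE"}
ALLOWED_HEADERS = {"content-type", "x-csrf-token"}  # header names are assumptions


def is_simple_request(method: str, headers: Dict[str, str]) -> bool:
    """True if the script-set method/headers fall inside the simple whitelist."""
    if method.upper() not in SIMPLE_METHODS:
        return False
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SIMPLE_HEADERS:
            return False
        if lname == "content-type":
            if value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES:
                return False
    return True


def allow_origin_header(origin: str, wildcard: bool) -> Optional[str]:
    """Server policy for Access-Control-Allow-Origin. wildcard=True is the lazy
    '*' setting the article warns about; wildcard=False echoes the Origin back
    only when it is on the allowlist, and None means 'not allowed'."""
    if wildcard:
        return "*"
    return origin if origin in ALLOWED_ORIGINS else None


def handle_preflight(origin: str, req_method: str, req_headers: str,
                     wildcard: bool = False) -> Optional[Dict[str, str]]:
    """Answer an OPTIONS preflight. req_headers is the comma-separated value of
    Access-Control-Request-Headers. None means the preflight fails and the
    browser never sends the real request."""
    acao = allow_origin_header(origin, wildcard)
    if acao is None or req_method.upper() not in ALLOWED_METHODS:
        return None
    wanted = {h.strip().lower() for h in req_headers.split(",") if h.strip()}
    if not wanted <= ALLOWED_HEADERS:
        return None
    resp = {
        "Access-Control-Allow-Origin": acao,
        "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
        "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
        "Access-Control-Max-Age": "600",
    }
    if not wildcard:
        resp["Access-Control-Allow-Credentials"] = "true"
        resp["Vary"] = "Origin"  # a per-origin answer must not be cached for others
    return resp


def browser_exposes_response(resp_headers: Dict[str, str], origin: str,
                             with_credentials: bool) -> bool:
    """Model of the browser-side check (article section 3). The server has
    already processed the request either way; this only decides whether script
    may read the response. A credentialed request is never satisfied by '*'."""
    acao = resp_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        return acao == origin and resp_headers.get("Access-Control-Allow-Credentials") == "true"
    return acao == "*" or acao == origin


if __name__ == "__main__":
    # Constructed sample: a trusted page and an untrusted one asking for PUT with a custom header.
    print(handle_preflight("https://app.example", "PUT", "X-CSRF-Token"))
    print(handle_preflight("https://evil.example", "PUT", "X-CSRF-Token"))
    wild = {"Access-Control-Allow-Origin": "*"}
    print(browser_exposes_response(wild, "https://evil.example", with_credentials=True))
```

The two settings sit side by side in allow_origin_header: with the wildcard, any page can read an uncredentialed response, while browser_exposes_response shows why the wildcard still cannot leak a cookie-authenticated response. Note that handle_preflight never sets Access-Control-Allow-Credentials together with "*", since that combination is rejected by browsers anyway.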

4. Attack model

Conceptually there are two types of attack. In the first, the attacker embeds a cross-origin request in a page under his own control; the user visits the link, the cross-origin request executes and attacks the target, for example by accessing sensitive intranet resources. In the second, a normal page has a cross-origin request to an attacker-controlled page injected into it, hijacking the user's session.

5. Attack scenarios

Scenarios of the first kind first:

  • 1. Complex CSRF. Traditional CSRF uses HTML tags and forms to send requests and cannot carry out CSRF with complex multi-step flows, such as simulating a purchase (adding to the cart, checking out, filling in details and so on) or uploading a file. For details see the article on uploading files via CSRF.

  • 2. Accessing sensitive intranet resources. This is feasible under certain conditions, for instance when an intranet server is configured with

Access-Control-Allow-Origin: * (allowing cross-origin requests from any origin)

When the user visits the malicious page, a request to the intranet server 192.168.1.123/password.txt is executed; after the script receives the server's response, it sends the content to the attacker's server.

Scenarios of the second kind:

1. Interactive XSS. See the "Shell of the Future" tool mentioned in the reference on attack methods brought by HTML5. Through CORS, anti-session-hijacking measures such as HTTP-Only cookies and binding the session ID to the IP address can be bypassed, and the user's session hijacked.

2. Lax restriction of the target domain when a programmer writes an Ajax request, somewhat like an open URL redirect. Facebook has had such a case: the JavaScript performed the Ajax request according to a parameter in the URL, and by controlling that parameter an injection attack was achieved.

Source: blog.csdn.net/qq_38923792/article/details/93527877