2025-03-29 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
Today I will walk through a case analysis of CSRF vulnerabilities, a topic that many people do not understand well. To make it easier to follow, the editor has summarized the following content; I hope you get something out of this article.
CSRF vulnerability
CSRF (Cross-site request forgery), also known as One Click Attack or Session Riding and usually abbreviated CSRF or XSRF, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different: XSS exploits the trust a user places in a site, while CSRF exploits the trust a site places in a user by forging requests that appear to come from that trusted user. Compared with XSS, CSRF attacks are less well known (so there are relatively few resources on preventing them) and harder to prevent, which is why they are considered more dangerous than XSS.
Brief introduction of vulnerabilities
Put simply, in a cross-site request attack the attacker uses some technical means to trick the user's browser into visiting a website the user has already authenticated to and performing some operation there (sending e-mail, posting messages, or even financial operations such as transferring money or buying goods). Because the browser is already authenticated, the visited website treats the request as a genuine user action. This exploits a weakness in web user authentication: simple authentication can only guarantee that a request was sent from the user's browser, not that the user intended to send it.
Principle and process of a CSRF attack:
1. User C opens a browser, visits trusted website A, and enters a user name and password to log in to website A.
2. After the user's credentials have been verified, site A generates Cookie information and returns it to the browser. Once the login succeeds, the user can send requests to site A normally.
3. Before logging out of site A, the user opens another tab in the same browser and visits site B.
4. After receiving the user's request, site B returns some attack code that issues a request to the third-party site A.
5. Following site B's instructions, the browser sends that request to website A, attaching the Cookie without the user's knowledge. Site A does not know the request was actually initiated by B, so it processes it with user C's privileges according to C's Cookie, and the malicious request from site B is executed.
CSRF attack instance
The victim Bob has a deposit at the bank, and by sending the request http://bank.example/withdraw?account=bob&amount=1000000&for=bob2 to the bank's website, Bob can transfer 1000000 of the deposit to the bob2 account. Normally, after the request reaches the website, the server first verifies that it comes from a legitimate session and that the session user Bob has successfully logged in.
The attacker Mallory, who also has an account at the same bank, knows that the URL above performs a transfer. Mallory can send a request to the bank herself: http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory. But this request comes from Mallory, not Bob, so it fails the authentication check and has no effect.
So Mallory turns to CSRF. She first builds her own website and places the following code in it: <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory">, then lures Bob to the site through advertisements. When Bob visits the page, the URL above is requested from Bob's browser, and the request is sent to the bank server together with the cookies Bob's browser holds for the bank. In most cases the request fails because it lacks Bob's authentication information. However, if Bob has visited his bank shortly before and the session between his browser and the bank's website has not yet expired, the browser's cookie still contains Bob's authentication information. At that point the tragedy occurs: the URL request is accepted, and the money is transferred from Bob's account to Mallory's account without Bob knowing. Later, when Bob notices that money is missing and asks the bank to check the logs, all he can find is a legitimate-looking request from himself that transferred the money, with no sign of an attack. And Mallory walks away with the money.
CSRF vulnerability detection
1. Detecting CSRF vulnerabilities is tedious work. The simplest method is to capture a normal request, remove the Referer field and resubmit it. If the submission is still accepted, you can be fairly confident a CSRF vulnerability exists.
2. As CSRF vulnerabilities have been studied in more depth, dedicated CSRF detection tools such as CSRFTester and CSRF Request Builder have appeared.
Vulnerability hazard
Modify user information
Perform malicious actions
Defend against CSRF attacks
At present there are three main strategies for defending against CSRF attacks:
1. Verify the HTTP Referer field.
2. Add a token to the request and verify it on the server.
3. Add a custom property to the HTTP header and verify it.
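The three defenses above, implemented together as an added illustration (this is not code from the original article). It assumes a hypothetical bank origin `https://bank.example`, a constructed session id, and that the token is derived as an HMAC of the session id under a server secret, so nothing has to be stored per session and a foreign site cannot compute it.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlparse

# Assumed site origin and a per-process server secret (constructed for the example).
SITE_ORIGIN = "https://bank.example"
SECRET_KEY = secrets.token_bytes(32)


def issue_token(session_id: str) -> str:
    """Defense 2: a per-session CSRF token. A page on another origin cannot read the
    user's cookies or page contents, so it cannot learn or forge this value."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def referer_ok(headers: dict) -> bool:
    """Defense 1: the Referer must be present and belong to our own origin.
    A missing Referer is rejected, which is exactly what the replay check in the
    detection section probes for."""
    ref = headers.get("Referer")
    if not ref:
        return False
    p = urlparse(ref)
    return f"{p.scheme}://{p.netloc}" == SITE_ORIGIN   # full origin, not a prefix match


def token_ok(session_id: str, params: dict) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    sent = params.get("csrf_token", "")
    return hmac.compare_digest(sent.encode(), issue_token(session_id).encode())


def header_ok(headers: dict) -> bool:
    """Defense 3: a custom header that a cross-site <img> or form submission cannot set."""
    return headers.get("X-Requested-With") == "XMLHttpRequest"


def check_request(session_id: str, headers: dict, params: dict) -> tuple:
    """Apply all three checks to a state-changing request; return (allowed, reason)."""
    if not token_ok(session_id, params):
        return (False, "missing or invalid CSRF token")
    if not referer_ok(headers):
        return (False, "missing or foreign Referer")
    if not header_ok(headers):
        return (False, "missing custom header")
    return (True, "ok")
```

Because browsers sometimes omit the Referer for legitimate requests, the token check carries the real weight; the Referer and custom-header checks are defence in depth.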
The difference between CSRF and XSS: the biggest difference is that CSRF does not steal the user's Cookie; it makes the user's own browser send the Cookie along with an action the user never intended.
CSRF Mining skills
Vulnerability conditions
1. The victim user has already completed authentication.
2. Submitting a new request does not require re-authentication or a confirmation step.
3. The attacker must understand how the parameters of the web application's request are constructed.
4. The attacker needs a way to lure the user into triggering the request (social engineering).
Typical function points to examine
Password change
Like / upvote
Transfer
Log out or deregister account
Delete
After reading the above, do you have a better understanding of the case analysis of CSRF vulnerabilities? If you want to learn more, please follow the industry information channel. Thank you for your support.