Shulou(Shulou.com)06/01 Report--

This article mainly talks about "what's the difference between CSRF and SSRF". Interested friends might as well take a look. The method introduced in this paper is simple, fast and practical. Now let the editor take you to learn "what's the difference between CSRF and SSRF?"

A brief introduction to the difference between CSRF and SSRF

Soon after entering the network security industry, it can be said that I have little knowledge of Web vulnerabilities. Coincidentally, the company conducted an assessment in the afternoon, and it was quite an experience of getting ducks on the shelves. There is a question like this:

"Please briefly describe the differences between CSRF, SSRF and session replay"

To tell you the truth, I have come into contact with a lot of the above three kinds of loopholes, but when I was asked, it was as if I had fallen into an ice cave for three or nine days.

After the examination, I quickly looked up the relevant materials and found that the knowledge was much more profound than I thought. Then roll up your sleeves and learn, put what you have learned into practice, integrate what you have learned, and finish this article. Not to mention session replay, I summarize the concepts and differences between CSRF and SSRF.

CSRF:

CSRF, whose real name is Cross-site requestforgery, means cross-site request forgery.

Speaking of CSRF, I have to mention XSS. CSRF seems to have a "secret" to XSS cross-site scripting attacks, but it is actually a case of two different dimensions. From the point of view of the name, the XSS attack is a cross-site scripting attack, and the CSRF attack is a request forgery, that is, the CSRF attack is not written by the user, but it is handled by a malicious third-party attacker and disguised as a "personal experience" of a trusted user.

Most of the websites we can see are recorded, identified and authorized by cookie and other methods. Therefore, in order to forge the normal operation of users, the best way is to let users initiate dangerous requests that they do not know through XSS or link guidance, so that malicious attacks can take advantage of to obtain user cookie and other information to achieve the purpose of identity camouflage. I don't know if you understand that XSS is one of the many ways to implement CSRF, but it's not the only one.

The web vulnerability mining we usually do is to verify the CSRF vulnerability in the user's password modification interface, because this is one of the places that can best reflect the harm of this vulnerability. As mentioned earlier, XSS can guide users to click on malicious links to change their passwords without the user's knowledge.

Image source: Baidu encyclopedia CSRF entry

SSRF:

SSRF, that is, Server Side RequestForgery--- server-side request forgery. Literally, unlike CSRF, it is a forgery of a request made by the server rather than a submission from the user. Don't get me wrong, as a trusted user, it is certainly impossible for the server to do anything to damage the user's information. It is a security vulnerability constructed by an attacker and requested by the server. Because it is initiated by the server, it can request an internal system connected to it but isolated from the external network. Because the server provides the function of obtaining data from other server applications (such as sharing and other functions) and does not filter and restrict the target address, it gives attackers the opportunity to swoop in. For example, get the text content of the web page from the specified URL address, load the pictures at the specified address, download, and so on. SSRF uses flawed web applications as proxies to attack remote and local servers.

Let's take an example: how to query your own public network IP? The simplest is probably to enter "IP" into the Baidu search box to query.

In the picture, 111.113.room.83, this is my original IP. If I load this page with another server, such as using a translated browser plug-in to translate the current page: you can see that my IP has become 61.135.217.12, and the address has been changed. This is the SSRF vulnerability. The result in the figure is not that the translation plug-in translates the web page content directly, but that the page is loaded with the plug-in's server. Although the server was not malicious, there was a deviation in the information we received.

Generally speaking, CSRF is that the server does not strictly control the data submitted by the user, so that an attacker can use the user's Cookie information to fake the user request and send it to the server. On the other hand, SSRF means that the server has too much trust in the controllable URL address provided by the user and has not been strictly tested, so that attackers can use this as a springboard to attack the intranet or other servers.

At this point, I believe you have a deeper understanding of "what's the difference between CSRF and SSRF". You might as well do it in practice. Here is the website, more related content can enter the relevant channels to inquire, follow us, continue to learn!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.