Shulou(Shulou.com)05/31 Report--

This article shows you how to analyze the attack, defense and mining of CSRF. The content is concise and easy to understand, which can definitely brighten your eyes. I hope you can get something through the detailed introduction of this article.

0x01 attacks

Normal user: userA

Web site with CSRF vulnerabilities: siteA

Malicious user: userB

Malicious cyber warfare: siteB

1. Let's talk about cookie first.

Usually the protocol we use to visit the website is HTTP/HTTPS, which is a stateless protocol, user A, user B, user C … .. Visit a url at the same time, and the website cannot confirm who visited it. The above statement is vague, to take an obvious example: user An adds an item to the shopping cart, user B also adds an item to the shopping cart, if you simply use this stateless protocol, then the problem arises. How to distinguish user A's shopping cart from user B's shopping cart?

Earlier, Cookie was used to solve this problem, but because Cookie storage is easy to use on the client side, it has since evolved into the Session+Cookie approach. If user A visits the shopping website, then the shopping website assigns user An an identification session_id=userA; user B visits the shopping website, and similarly, the shopping website assigns user B an identification session_id=userB. After the session_id is stored in the browser's Cookie, users An and B will attach this logo to the HTTP request header every time they visit the website, so the shopping website can distinguish each user's shopping cart by this logo.

two。 Highlight

When a browser visits a website, it will actively add the Cookie of the target site (this is a feature of the browser).

3. An example

Because the website server identifies each user through session_id, the session_id is stored in the Cookie of the browser, and when the browser visits the target website, it will bring the Cookie of the target website. So here comes the problem: user A visits the shopping site, gets his own session_id through his user name and password, and stores it in Cookie. So if at this point, user B constructs a link that adds an item to the shopping cart and pays for it, and sends the link to user A. After user A clicks on the link, the browser automatically takes user A's Cookie stored in the browser to request access to the URL. As a result, user A buys a commodity without initiative. This is a simple CSRF (Cross Site Request Forgery, cross-site request forgery) attack

4. Reasons for the success of the attack

The reasons for the success of this attack are as follows:

The Cookie used to identify user A still exists when the link is clicked

When the browser accesses the URL, it automatically brings the Cookie of the target site.

The server trusts Cookie too much and does not do secondary verification.

In short: the CSRF attack is that malicious user B does an operation by impersonating the identity of normal user An and does not get the Cookie of normal user A. At this point, it is less harmful than XSS, because malicious user B can directly obtain the Cookie of normal user A through XSS and log on to the website through Cookie on his computer.

0x02 defense article

So how to defend?

1. Individual:

Don't click on links when visiting important websites

When you exit the website, clear the Cookie

two。 Website developers:

From the above description, it can be concluded that the key point to solve the problem is to add another verification after the server verifies the cookie. No matter what the verification method is, it can meet a requirement:

The browser directly accesses the URL constructed by the malicious attacker B will not automatically carry the value of this authentication method.

The general idea is:

1) CAPTCHA / password:

Normal user An accesses the URL directly through the browser. After the jump, it returns a response of entering the CAPTCHA / password, but the malicious attacker cannot get this value only through CSRF, so it can prevent CSRF attacks.

In the application of major banks and payment functions, we are usually required to enter a password or fingerprint when we transfer money or make payment.

2) dual Cookie:

① normal user An accesses the website with a user name and password and gets a cookie stored in the browser.

② if a user visits more sensitive features in the site (such as adding goods to a shopping cart), the server will store a copy of the cookie value previously assigned to user An in the form form on the page when it returns the response.

When ③ normal user A visits the website normally, the cookie value in the form form is the same as in Cookie; but if normal user An accesses the site through a URL constructed by a malicious attacker, there is a cookie value in Cookie that identifies user A, but there is no or no correct cookie value in the form or request parameters. Therefore, the server determines whether a CSRF attack has been received by comparing the cookie value in the form form or request parameters with the cookie value in Cookie.

3) csrftoken:

The principle is the same as double cookie, except that the cookie value in the form form or request parameter is no longer a cookie value that identifies the user, but a value obtained by passing a series of information such as the user identity cookie value, timestamp, validity period, and so on through a function.

For example, django:

0x03 mining section

In theory, where a form or GET request is submitted, there is a high probability that there is a csrf vulnerability where there is no user for secondary authentication or where there is no csrftoken (other sites may not be called csrftoken).

The above content is how to analyze the attack, defense and mining of CSRF. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge reserve, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.