2025-04-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains how HTTP request rewriting (method override) can be used to achieve JSON CSRF, analysing the problem and its solution in detail in the hope of giving readers who want to address it a simple and practical approach.
The following describes how the author discovered a JSON-type cross-site request forgery (CSRF) vulnerability during a vulnerability testing engagement.
Generally speaking, a JSON CSRF vulnerability stems from the authentication mechanism of the web application itself. Put simply, for the vulnerability to exist, the HTTP request must meet the following three conditions:
1. The web application's authentication is cookie-based (cookie-based authentication is inherently exposed to CSRF, because the browser attaches the cookie to cross-site requests automatically).
2. The web application's HTTP requests are not protected by a user-specific token.
3. The web application's HTTP requests are not protected by the same-origin policy, i.e. the backend does not verify the Origin header.
If all three conditions hold, a forged AJAX request carrying a JSON body can be sent from another origin in the same way the application itself creates its JSON requests. Note that these are only the main conditions for JSON CSRF; sometimes JSON CSRF is still achievable even when the second or third condition is not met.
The JSON CSRF vulnerability I recently discovered
When I test a web application, I deliberately analyse its authentication mechanism, and if it is cookie-based I test directly for CSRF vulnerabilities. The situation here differs somewhat from the three conditions above: only the first condition is satisfied, while the second and third are not, because in this application's HTTP requests a different token value is specified per user in the 'XMIMATHART AuthorThenen' header, and the Origin header is also verified. Below is the application's PUT request:
I have picked up some request-testing methods from Twitter, so I tried them here:
1. Change the request method to GET and append the body content as request parameters.
2. Remove the user-specific token and some of the verification headers from the request.
3. Send the test request with a different token of the same length.
Luckily, the second method worked: after deleting the 'XMaiAuthAuthAuthToken' token header from the request, the web backend still responded normally:
So far, although the web application's token header check is flawed, we still could not exploit it fully, because the request uses the PUT method and the backend also verifies Origin. If the backend accepted other Origin headers, then at least the PUT method could be used to forge an AJAX request with a JSON body. What should I do?
Next, I changed the PUT request to POST and removed the Origin header, and the following error occurred:
Does the backend not allow the POST method? It doesn't matter; we can test another rewriting method. Let's add _method=PUT to the POST request and try:
It actually worked! At this point the conditions for CSRF were essentially met, and the following POC code could be created for further testing:
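The author's POC is not reproduced on this page. As an added example (not the author's code or the tested application), the following Python models the server-side handling the write-up describes: a vulnerable dispatcher that checks Origin and the token only on the raw PUT and tolerates a missing token, beside a hardened one that resolves the _method override first and applies both checks to the effective method. The header name X-Auth-Token, the allowed origin and the request objects are assumptions.

```python
from dataclasses import dataclass, field
from hmac import compare_digest
from urllib.parse import parse_qs

ALLOWED_ORIGIN = "https://app.example"   # assumed: the application's own origin
TOKEN_HEADER = "X-Auth-Token"             # assumed name for the per-user token header
STATE_CHANGING = {"PUT", "POST", "PATCH", "DELETE"}


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (constructed for this example)."""
    method: str
    headers: dict = field(default_factory=dict)
    body: str = ""   # form-encoded body, as a cross-site HTML form would send it


def effective_method(req: Request) -> str:
    """Honour a `_method=PUT` override in a POST body (the rewrite the write-up uses)."""
    if req.method != "POST":
        return req.method
    return parse_qs(req.body).get("_method", ["POST"])[0].upper()


def vulnerable_dispatch(req: Request, session_token: str) -> int:
    """Mirrors the write-up: Origin and token are checked on the raw PUT only,
    a missing token is tolerated, and the override is applied afterwards."""
    if req.method == "PUT":
        if req.headers.get("Origin") != ALLOWED_ORIGIN:
            return 403
        sent = req.headers.get(TOKEN_HEADER)
        if sent is not None and sent != session_token:   # absent token slips through
            return 403
    if effective_method(req) != "PUT":
        return 405                                        # plain POST is rejected
    return 200


def hardened_dispatch(req: Request, session_token: str) -> int:
    """Resolve the override first, then key every check on the effective method."""
    method = effective_method(req)
    if method in STATE_CHANGING:
        if req.headers.get("Origin") != ALLOWED_ORIGIN:
            return 403                                    # Origin verified after override
        sent = req.headers.get(TOKEN_HEADER)
        if sent is None or not compare_digest(sent, session_token):
            return 403                                    # token is mandatory, not optional
    if method != "PUT":
        return 405
    return 200
```

A cross-site form POST cannot set custom headers, so once the token is mandatory and checked after the override, the _method rewrite no longer reaches the PUT handler.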
This concludes the discussion of how HTTP request rewriting can be used to achieve JSON CSRF. I hope the above content is of some help; if you still have questions, follow the industry information channel for more related knowledge.