How to analyze and protect CSRF from the Angle of Code 01/19 Update SLTechnology News&Howtos

How to analyze and protect CSRF from the Angle of Code

2025-01-19 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Internet Technology >

Shulou(Shulou.com)06/01 Report--

This article is about how to analyze and protect CSRF from the point of view of code. The editor thinks it is very practical, so I share it with you. I hope you can get something after reading this article.

In the usual test, csrf is also relatively easy to find, mainly to see whether it tests the timeliness of an operation (this expression may not be very accurate). The general protection method is to add token to check and deal with its failure in time.

Grab the package when adding.

Use the tools included in burp to convert to CSRF utilization code.

At this point, let's take a look at the current content.

Then, we need to construct a link, and then find a way to get the victim to click on it, and then perform our scheduled operation, which I will open directly locally.

After that, we found that there was an extra line on the index page, which was exactly the content after our scheduled operation.

Here we briefly supplement the code used in the previous operation.

Add.php

Action.php

Simple repair

If you fix it, as I said at the beginning, you usually add a token, and then check each operation to see if it is done by the user.

First of all, to sort out the repair process, we need to add a parameter to generate the token value in add.php, set it to session value, and send the token value to action.php, and then determine whether the sent TKen value is the same as the token value in session. If the same, the later operation is allowed, otherwise an error will be prompted, and then the token must be invalidated.

Add.php

Action.php

Then take a look at the effect at this time.

The packet transmitted at this time is

At this point, the goal of simple repair is achieved.

The above is how to analyze and protect CSRF from the perspective of code. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.