
CSRF vulnerabilities

1 Definition and principle

CSRF - Cross-site request forgery

1.1 Cookies

Request packet for the user login:

[screenshot: 20210110111113.png]

Response packet:

After the username and password are submitted to log in, the response returned by the server carries a Set-Cookie header; its value is the cookie assigned to the user who has just logged in.

[screenshot: 20210110111127.png]

When the browser receives these cookies, it stores the value of the Set-Cookie header locally.

If the cookie in the request packet is replaced with the administrator's cookie, the website backend can be accessed without entering a password.

[screenshot: 20210110111419.png]

The browser takes the cookie value out of its local store and fills it into the request packet automatically. If an attacker controls the user's browser or steals the cookie, the cookie is still filled in automatically; the target website then mistakenly believes the packet was sent by the administrator and performs the requested operation with the administrator's permissions.

1.2 CSRF

Prerequisite: the browser takes the cookie value out of its local store and fills it into the request packet automatically.

Under certain conditions, an attacker can send a request to the server using the identity of the victim, and the server parses it and returns a result as it would for a normal request.

Principle: in general, the attacker causes the user's browser to send a request to a website on which the user is already authenticated, so that the target website receives it, mistakes it for a genuine action by the user, and executes the command.

[screenshot: 20210110111625.png]

[screenshot: 20210110111911.png]

Conditions for the attack:

The user (the victim) is logged in to site A.

The user opens the link provided by the attacker in the same browser in which site A is logged in.

Backend authentication is not strict (for example, nothing other than the cookie is checked).
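To make the three conditions concrete, here is an added example in Python (it is not part of the original post): a minimal model of a browser whose cookie jar is keyed by the destination host, and a backend that identifies the user by the session cookie and nothing else. The hostnames bank.example and attacker.example, the in-memory session store and the request dictionaries are all constructed for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed server-side session store: cookie value -> username.
SESSIONS = {}


def login(username: str) -> str:
    """Server side of the login exchange: issue a fresh session cookie (Set-Cookie)."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = username
    return cookie


@dataclass
class Browser:
    """Minimal cookie jar: cookies are stored by the host they were set for."""
    jar: dict = field(default_factory=dict)

    def store_set_cookie(self, host: str, cookie: str) -> None:
        # Section 1.1: the browser keeps the value of the Set-Cookie header.
        self.jar[host] = cookie

    def send(self, page_origin: str, host: str, path: str, params: dict) -> dict:
        # The cookie is chosen by the destination host only; which page caused the
        # request (page_origin) plays no role. This is the CSRF prerequisite.
        return {
            "host": host,
            "path": path,
            "params": params,
            "cookie": self.jar.get(host),
            "referer": page_origin,
        }


def cookie_only_handler(request: dict) -> str:
    """Backend that trusts the cookie and checks nothing else (condition 3)."""
    user = SESSIONS.get(request["cookie"])
    if user is None:
        return "401 not logged in"
    if request["path"] == "/withdraw":
        return f"200 transferred {request['params']['amount']} from {user}"
    return "404 not found"


def simulate() -> tuple:
    """Run one legitimate and one cross-site request through the same browser."""
    browser = Browser()
    browser.store_set_cookie("bank.example", login("bob"))          # condition 1
    legit = browser.send("http://bank.example/transfer", "bank.example",
                         "/withdraw", {"amount": "10"})
    forged = browser.send("http://attacker.example/page", "bank.example",  # condition 2
                          "/withdraw", {"amount": "1000000"})
    return cookie_only_handler(legit), cookie_only_handler(forged)


if __name__ == "__main__":
    for result in simulate():
        print(result)
```

Both requests receive a 200 answer: from the cookie alone the backend cannot tell which page caused the request, which is exactly the gap the defenses in section 2 close.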

2 Defenses

2.1 HTTP Referer restriction

A site can restrict the value of the Referer header for sensitive operations, for example a bank transfer request such as:

http://bank.example/withdraw?account=bob&amount=1000000&for=Mallory

Because the transfer must be initiated from a page of this site after the user logs in, the Referer header can be restricted to this site only.
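An added example of the Referer check in Python; it is not code from the original post. It assumes the protected site is served as http://bank.example or https://bank.example. Two details matter for a defender: the Referer is parsed and the hostname compared, rather than string-prefix matched, so a host that merely begins with bank.example is rejected; and because browsers and proxies may omit the header entirely, the policy for a missing Referer is explicit and defaults to rejecting sensitive operations.

```python
from urllib.parse import urlsplit

# Assumed scheme/host pairs of the protected site (constructed for the example).
ALLOWED_ORIGINS = frozenset({("http", "bank.example"), ("https", "bank.example")})


def referer_allowed(headers: dict, missing_ok: bool = False) -> bool:
    """Return True only if the Referer names a page of this site.

    headers: request headers as a dict (constructed input).
    missing_ok: what to do when the browser sent no Referer at all. For a
    sensitive operation this is False, so the request is refused.
    """
    referer = headers.get("Referer")
    if not referer:
        return missing_ok
    try:
        parts = urlsplit(referer)
    except ValueError:
        # Malformed URL (e.g. bad IPv6 literal): treat as not from this site.
        return False
    # Compare the parsed scheme and hostname, never a raw prefix of the string:
    # "http://bank.example.attacker.example/" and "http://bank.example@attacker.example/"
    # both contain our hostname but resolve to another host.
    return (parts.scheme, parts.hostname) in ALLOWED_ORIGINS


def withdraw(headers: dict, params: dict, user: str) -> str:
    """Sensitive operation from section 2.1, gated by the Referer check."""
    if not referer_allowed(headers):
        return "403 Referer check failed"
    return f"200 {user} transfers {params['amount']} to {params['for']}"


if __name__ == "__main__":
    ok = {"Referer": "http://bank.example/transfer"}
    print(withdraw(ok, {"amount": "1000000", "for": "Mallory"}, "bob"))
    print(withdraw({"Referer": "http://attacker.example/page"},
                   {"amount": "1000000", "for": "Mallory"}, "bob"))
    print(withdraw({}, {"amount": "1000000", "for": "Mallory"}, "bob"))
```

Refusing requests with no Referer may reject some legitimate users whose browser or proxy strips the header, which is why this check is best combined with the token of section 2.2 rather than used on its own.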

2.2 Token

CSRF succeeds because the site relies on the cookie alone to identify the user, so an attacker can pass the security check with the user's cookie without knowing the user's password.

Add a randomly generated token to each HTTP request as a parameter. The server verifies the token when it receives the request; if the token is missing or incorrect, the request is treated as an attack and discarded.

GET request: http://url?csrftoken=tokenvalue

POST request: <input type="hidden" name="csrftoken" value="tokenvalue"/>

Note: the token itself can leak. For example, an attacker can post the address of his or her own server on the website; when an ordinary user clicks it, the site appends the token to the address, and the token is sent to the attacker's server.

Therefore, the site must distinguish between internal and external links: add the token to internal links only, and never to external links.
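The token defense of section 2.2, including the internal-versus-external link rule, as an added Python example that is not from the original post. It assumes a server-side dictionary SESSION_TOKENS keyed by session id (in a real application this would live in the session store) and the site hostname bank.example; both are constructed for the example. Tokens come from the secrets module and are compared in constant time, the GET form reads the token from the query string and the POST form from the hidden field, and a link is only tokenized when its hostname is the site's own.

```python
import hmac
import secrets
from urllib.parse import urlencode, urlsplit

SITE_HOST = "bank.example"   # assumed hostname of the protected site
SESSION_TOKENS = {}          # constructed server-side store: session id -> token


def issue_token(session_id: str) -> str:
    """Generate a fresh random token for this session and remember it server-side."""
    token = secrets.token_urlsafe(32)
    SESSION_TOKENS[session_id] = token
    return token


def token_valid(session_id: str, submitted) -> bool:
    """True only if the submitted token equals the one issued to this session.

    A missing token or a token issued to another session fails. The comparison
    is constant-time so the check does not leak the expected value byte by byte.
    """
    expected = SESSION_TOKENS.get(session_id)
    if expected is None or not isinstance(submitted, str) or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def hidden_field(token: str) -> str:
    """The POST form of the token from section 2.2."""
    return f'<input type="hidden" name="csrftoken" value="{token}"/>'


def add_token_to_link(url: str, token: str) -> str:
    """Append csrftoken= to internal links only; external links are left untouched
    so the token is never sent to another server."""
    parts = urlsplit(url)
    if parts.hostname != SITE_HOST:
        return url
    separator = "&" if parts.query else "?"
    return f"{url}{separator}{urlencode({'csrftoken': token})}"


def handle(session_id: str, method: str, query: dict, form: dict) -> str:
    """Server-side check: GET tokens come from the query string, POST tokens from
    the hidden form field. Anything else is treated as a forged request."""
    submitted = query.get("csrftoken") if method == "GET" else form.get("csrftoken")
    if not token_valid(session_id, submitted):
        return "403 CSRF token missing or invalid"
    return "200 ok"


if __name__ == "__main__":
    t = issue_token("session-bob")
    print(handle("session-bob", "POST", {}, {"csrftoken": t}))
    print(handle("session-bob", "POST", {}, {}))
    print(add_token_to_link("http://bank.example/account", t))
    print(add_token_to_link("http://attacker.example/", t))
```

Issuing a new token with issue_token replaces the old one, so a request that carries a token from an earlier session fails the check; the hostname comparison in add_token_to_link is on the parsed URL, not on a string prefix, for the same reason as the Referer check.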
