Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection

Cross-Site Request Forgery Attacks

Cross-Site Request Forgery (CSRF) is an attack outlined in the OWASP Top 10 whereby a malicious website, from a different origin, sends a request to a web application that a user is already authenticated against. In this way an attacker can reach functionality in the target web application through the victim's already authenticated browser. Targets include web applications such as social media, in-browser email clients, online banking, and the web interfaces of network devices.

Key Concepts of Cross-Site Request Forgery

  • Malicious requests are sent from a site that a user visits to another site that the attacker believes the victim is validated against.
  • The malicious requests are routed to the target site via the victim’s browser, which is authenticated against the target site.
  • The vulnerability lies in the affected web application, not the victim’s browser or the site hosting the CSRF.


Executing a CSRF Attack

In a Cross-Site Request Forgery attack, the attacker is exploiting how the target web application manages authentication. For CSRF to be exploited, the victim must be authenticated against (logged in to) the target site. For instance, let’s say examplebank.com has online banking that is vulnerable to CSRF. If I visit a page containing a CSRF attack on examplebank.com but am not currently logged in, nothing happens. If I am logged in, however, the requests in the attack will be executed as if they were actions that I had intended to perform.

Let’s look at how the attack described above would work in a bit more detail. First let’s assume that I’m logged in to my account on examplebank.com which allows for standard online banking features, including transferring funds to another account.

Now let’s say I happen to visit somemalicioussite.com. It just so happens that this site is trying to attack people who bank with examplebank.com, and its operators have set up a CSRF attack on their site. The attack will transfer $1500.00 to their account, which is account number 123456789. Somewhere on somemalicioussite.com the attackers have added this line of code:

<iframe src="http://examplebank.com/app/transferFunds?amount=1500&destinationAccount=123456789"></iframe>

Upon loading that iframe, my browser will send that request to examplebank.com, where my browser is already logged in as me. The request will be processed and $1500.00 will be sent to account 123456789.


Another Example of Cross-Site Request Forgery

I just bought a new home wireless router. Like most Wi-Fi routers, it’s configured through a web interface. The router was shipped to me with an internal IP address of 192.168.1.1. I’m having trouble configuring the router, though, and fortunately the folks over at somemalicioussite.com have published a guide that shows me exactly which buttons to click in the router interface to get everything set up securely. The attackers have also set up a proxy server at 123.45.67.89 that will log all traffic that goes through it and look for things like passwords and session tokens.

As I clicked through the configuration guide I missed the 1x1 pixel image that failed to load:

<img src="http://192.168.1.1/admin/config/outsideInterface?nexthop=123.45.67.89" alt="pwned" height="1" width="1"/>

The attackers knew that while I was reading their tutorial I would be logged in to the router interface, so they set up the CSRF attack inside the tutorial. With that request my router would be reconfigured so that my traffic is routed to their proxy server, where they can do all manner of bad things with it.

Preventing Cross-Site Request Forgery (CSRF) Vulnerabilities

The most common method to prevent Cross-Site Request Forgery (CSRF) attacks is to append unpredictable challenge tokens to each request and associate them with the user’s session. Such tokens should at a minimum be unique per user session, but can also be unique per request. By requiring a valid challenge token with each request, the developer can ensure that the request originated from the user’s own pages and not from another source.

Finding and Remediating Cross-Site Request Forgery (CSRF) Vulnerabilities


The easiest way to check whether an application is vulnerable is to see if each link and form contains an unpredictable token for each user. Without such an unpredictable token, attackers can forge malicious requests. Focus on the links and forms that invoke state-changing functions, since those are the most important CSRF targets.
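The session-bound token described in the prevention section, and the form check described in the finding section, as an added example that is not part of the original article. The transfer handler is shown once as the vulnerable version (session cookie only, as in the examplebank.com iframe) and once with the token check; the in-memory session store, the `csrf_token` field name and the `alice` user are constructed assumptions.

```python
import hmac
import re
import secrets
SESSIONS = {}  # constructed in-memory session store: session id -> session data

def login(user):
    """Create a session and bind one unpredictable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    """The token is embedded in the page body, which another origin cannot read or guess."""
    token = SESSIONS[sid]["csrf_token"]
    return ('<form method="POST" action="/app/transferFunds">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><input name="destinationAccount"></form>')

def transfer_funds_vulnerable(sid, params):
    """Trusts the session cookie alone, so a forged cross-site request succeeds."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    return 200, f"{session['user']} sent {params['amount']} to {params['destinationAccount']}"

def transfer_funds_protected(sid, params):
    """Same handler, but rejects requests whose token does not match the session's."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    if not hmac.compare_digest(params.get("csrf_token", ""), session["csrf_token"]):
        return 403, "missing or invalid CSRF token"  # constant-time compare above
    return 200, f"{session['user']} sent {params['amount']} to {params['destinationAccount']}"

def form_has_csrf_token(html):
    """Audit check from the 'finding' step: does the form carry a hidden, non-empty token?"""
    return re.search(r'<input[^>]*name="csrf_token"[^>]*value="[^"]+"', html) is not None

def demo():
    sid = login("alice")
    # A forged cross-site request carries the session cookie but cannot carry the token.
    forged = {"amount": "1500", "destinationAccount": "123456789"}  # the iframe's parameters
    page = render_transfer_form(sid)  # a legitimate submission comes from this form
    token = re.search(r'name="csrf_token" value="([^"]+)"', page).group(1)
    return {
        "vulnerable_forged": transfer_funds_vulnerable(sid, forged)[0],                     # 200
        "protected_forged": transfer_funds_protected(sid, forged)[0],                       # 403
        "protected_legit": transfer_funds_protected(sid, dict(forged, csrf_token=token))[0],  # 200
        "form_audited": form_has_csrf_token(page),                                          # True
    }
```

Running `demo()` shows the forged request moving money through the vulnerable handler and being refused by the protected one, while the same parameters submitted from the server-rendered form (which carries the token) are accepted.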
