This is the 21st day of my participation in Gwen Challenge

Preface

Interviewer: Tell me about frequent attacks on your website and how to protect against them

Me: Such as XSS attacks, SQL injection and CSRF.

Interviewer: Ok, tell me more about CSRF.

Me: 💥💥…


What is CSRF

Cross-site request forgery, also known as one-click attack or session riding and usually abbreviated CSRF or XSRF, is a way of hijacking a logged-in user's browser into performing actions on a web application that the user did not intend. For example, the attacker lures the victim onto a third-party site, and that site makes the victim's browser send a request to the targeted site. Because the browser automatically attaches the credentials (typically the session cookie) the victim already obtained from the targeted site, the request passes the server's authentication and the attacker effectively impersonates the user to carry out an operation there.

CSRF attack flow

The figure below is taken from the article "Big talk about CSRF attack mode"; thanks to its author.

As you can see from the figure, to complete a CSRF attack the victim has to go through two steps in sequence:

  • 1. Log in to trusted website A, so that the browser stores A's session cookie locally.
  • 2. Visit dangerous website B without having logged out of A.

Looking at this, you might say, "If I don't meet one of these two conditions, I won't be hit by CSRF." True, but you cannot guarantee that the following will never happen:

  • 1. You cannot guarantee that after logging in to one site you will never open another tab and visit a different site.
  • 2. You cannot guarantee that your local cookie expires the moment you close the browser and that your last session has really ended. (Closing the browser does not necessarily end the session: a cookie with an explicit expiry survives a restart, yet many people mistakenly assume that closing the browser is equivalent to logging out.)
  • 3. The so-called attack site in the figure may itself be a trusted, frequently visited site that happens to have other vulnerabilities, such as a place where anyone can post images or links.
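To make the two preconditions concrete, here is an added example in JavaScript (not code from the original post). It models a bank server that trusts its session cookie alone, a browser with a cookie jar that automatically attaches that cookie to every request for bank.example, and the request the attacker's page triggers. The host names and the /withdraw endpoint follow the post's illustration; the session lifetime, the account name and its balance are assumptions made for this example. It runs the three situations from the list above: still logged in, logged out first, and session cookie already expired.

```javascript
// Added example, not from the original post. Hosts and /withdraw follow the
// post; session lifetime, account and balance are assumed for illustration.
const HOUR_MS = 3600 * 1000;

// Toy bank server: a session is identified by nothing but its cookie value.
class BankServer {
  constructor() {
    this.sessions = new Map();                       // session id -> account
    this.balances = new Map([['xiaoming', 20000]]);  // assumed starting balance
    this.nextId = 1;
  }

  // Login issues a session cookie with an explicit expiry (maxAgeMs is assumed).
  login(account, now, maxAgeMs) {
    const sid = `s${this.nextId++}`;
    this.sessions.set(sid, account);
    return { name: 'SESSION', value: sid, expires: now + maxAgeMs };
  }

  logout(sid) { this.sessions.delete(sid); }

  // Vulnerable handler: the cookie alone decides who is acting. This is
  // exactly the assumption CSRF abuses.
  withdraw(req) {
    const account = this.sessions.get(req.cookies.SESSION);
    if (!account) return { status: 401, body: 'not logged in' };
    const amount = Number(req.params.amount);
    const balance = this.balances.get(account);
    if (!(amount > 0) || amount > balance) return { status: 400, body: 'bad amount' };
    this.balances.set(account, balance - amount);
    return { status: 200, body: `sent ${amount} to ${req.params.for}` };
  }
}

// Toy browser: a cookie jar keyed by host, plus the one rule that matters
// here: every request to a host carries that host's unexpired cookies, no
// matter which page caused the request.
class Browser {
  constructor(bank) { this.bank = bank; this.jar = new Map(); }  // host -> name -> cookie

  setCookie(host, cookie) {
    if (!this.jar.has(host)) this.jar.set(host, new Map());
    this.jar.get(host).set(cookie.name, cookie);
  }

  cookiesFor(host, now) {
    const sent = {};
    for (const c of (this.jar.get(host) || new Map()).values()) {
      if (c.expires > now) sent[c.name] = c.value;
    }
    return sent;
  }

  // Dispatches a request the way a browser would: cookies for the target host
  // are attached automatically. Only bank.example/withdraw is modelled.
  request(host, path, params, now) {
    const req = { path, params, cookies: this.cookiesFor(host, now) };
    if (host === 'bank.example' && path === '/withdraw') return this.bank.withdraw(req);
    return { status: 404, body: 'not modelled' };
  }
}

// Step 1: the victim logs in to bank.example and the browser keeps the cookie.
function loginToBank(browser, now, maxAgeMs) {
  const cookie = browser.bank.login('xiaoming', now, maxAgeMs);
  browser.setCookie('bank.example', cookie);
  return cookie;
}

// Step 2: the victim opens the attacker's page, which contains
//   <img src="http://bank.example/withdraw?account=xiaoming&amount=10000&for=hacker">
// so the browser issues that GET. Note the attacker's page never reads the
// cookie value; the browser supplies it on the attacker's behalf.
function visitAttackerPage(browser, now) {
  return browser.request('bank.example', '/withdraw',
    { account: 'xiaoming', amount: '10000', for: 'hacker' }, now);
}

// Runs the three situations discussed above and returns each HTTP status.
function runScenarios() {
  const results = {};

  // (a) logged in ten minutes ago, attacker page opened in another tab
  let bank = new BankServer();
  let browser = new Browser(bank);
  loginToBank(browser, 0, HOUR_MS);
  results.loggedIn = visitAttackerPage(browser, 10 * 60 * 1000).status;
  results.balanceAfterAttack = bank.balances.get('xiaoming');

  // (b) logged out of A before visiting B: cookie is sent but no longer valid
  bank = new BankServer();
  browser = new Browser(bank);
  const cookie = loginToBank(browser, 0, HOUR_MS);
  bank.logout(cookie.value);
  results.loggedOut = visitAttackerPage(browser, 10 * 60 * 1000).status;

  // (c) cookie past its expiry: the jar no longer attaches it
  bank = new BankServer();
  browser = new Browser(bank);
  loginToBank(browser, 0, HOUR_MS);
  results.expired = visitAttackerPage(browser, 2 * HOUR_MS).status;

  return results;
}
```

Running runScenarios() gives 200 for the logged-in case (the balance drops by 10000 although the victim never touched bank.example) and 401 for the other two. The only thing the attacker supplies is the URL; the credential is supplied by the browser, which is why the defense has to live on the server side rather than in user habits.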

Common types of CSRF attacks

  • CSRF of the GET type

A GET-type CSRF is very simple to exploit and needs only one HTTP request. It is typically carried by an image tag like the following:

 <img src="http://bank.example/withdraw?account=xiaoming&amount=10000&for=hacker">

Once the victim visits a page containing this img, the browser automatically sends a GET request to http://bank.example/withdraw?account=xiaoming&amount=10000&for=hacker. bank.example receives a cross-site request that carries the victim's session cookie, and if the withdraw endpoint acts on GET requests it processes the transfer as though the victim had asked for it.

  • CSRF of the POST type

This type of CSRF is typically exploited using an auto-submitted form, such as:

 <form action="http://bank.example/withdraw" method="POST">
    <input type="hidden" name="account" value="xiaoming" />
    <input type="hidden" name="amount" value="10000" />
    <input type="hidden" name="for" value="hacker" />
 </form>
 <script> document.forms[0].submit(); </script>

When the victim opens the page, the script submits the form automatically, producing a genuine POST request complete with the victim's cookies.

POST-type attacks have slightly stricter requirements than the GET type, but they are still not complex. Any personal website, blog, or page an attacker manages to upload somewhere can be the source of the attack, so a back-end interface cannot rely on "it only accepts POST" for its security.

  • CSRF of link type

Link-type CSRF is less common and needs the user to actually click a link, whereas in the two cases above the user is compromised simply by opening the page. It usually takes the form of malicious links embedded in images posted on a forum, or of advertisements designed to lure users in. Attackers typically entice the click with sensational wording, such as:

  <a href="http://test.com/csrf/withdraw.php?amount=1000&for=hacker" target="_blank">Big news!!</a>

The characteristics of CSRF

  • The attack is generally launched from a third-party site, not from the site being attacked. The attacked site cannot stop the forged request from being sent; it can only refuse to act on it.
  • The attack uses the victim's login credentials on the attacked site to submit operations in the victim's name; it does not steal data directly.
  • At no point does the attacker obtain the victim's login credentials; they only "borrow" them by making the victim's browser do the work.
  • Cross-site requests can be sent in many ways: image URLs, hyperlinks, cross-origin XHR/fetch calls, form submissions, and more. Some of them can be embedded directly in third-party forums and articles, which makes them hard to trace.

CSRF is typically cross-domain because external domains are easier for an attacker to control. But if the target domain itself has easily abused features, such as a forum or comment section that allows posting images and links, the attack can be launched from within that domain, and this variant is more dangerous because a request triggered from the site's own pages passes a Referer check.

CSRF is different from XSS

  • CSRF does not depend on XSS: the forged request can come from any page the victim's browser loads, or from anything else that makes that browser send it. An XSS hole on the target site does make CSRF trivial, which is one reason the two are sometimes lumped together under the name XSRF.
  • Essentially, XSS is a code-injection problem and CSRF is an HTTP problem. XSS happens because unfiltered content causes the browser to execute the attacker's input as code. CSRF happens because the browser automatically attaches cookies to HTTP requests and most sites keep their session in a cookie. (A session carried in a token that the client itself adds to a request header, rather than in a cookie, is not attached automatically and so avoids this.)

Defense

  • Captcha: forces the user to interact with the application before the final request completes. This contains CSRF well, but the user experience is poor, so it is usually reserved for sensitive operations.
  • Referer check: restricts the request source. This is the cheapest method, but it is not 100% effective: the server does not always receive a Referer (privacy settings, referrer policies and some proxies strip it), and some older browsers and plugins allowed it to be forged. Checking the Origin header, which browsers send on cross-site POST requests, is the more reliable form of the same idea.
  • Token: a per-session (or per-form) anti-CSRF token is the generally recognized best solution. The server embeds a random token in its own forms and rejects any request that does not send it back, which a cross-site page cannot do because it cannot read the bank's pages. However, this defense collapses if the site also has an XSS vulnerability, since injected script can read the token and submit it.
  • SameSite cookie attribute: marking the session cookie SameSite=Lax or SameSite=Strict tells the browser not to attach it to cross-site requests at all, which cuts off the root cause described above. Modern browsers default to Lax, but treat it as defense in depth alongside a token rather than a replacement, since older clients ignore the attribute.