Overview

Through this document you can learn what a CSRF vulnerability is, how it arises, how it is exploited in practice, and some of the common plug-ins, tools and techniques used in web security testing. The article reproduces the exploitation of CSRF vulnerabilities in two scenarios:

(1) A CSRF vulnerability in a password-change function, and its exploitation

(2) A CSRF vulnerability in a back-end "add administrator" function, and its exploitation

The final section briefly lists the methods and measures currently in common use to prevent CSRF vulnerabilities.

1. Basic concepts of CSRF

Cross-Site Request Forgery (CSRF) means inducing a user who is already logged in to visit a malicious link or page that the attacker has constructed in advance, so that an illegal operation is completed in the user's name without the user's knowledge. It is also known as a "One Click Attack" or "Session Riding" and is usually abbreviated CSRF or XSRF; it is a malicious exploitation of a website. Compared with XSS, CSRF attacks are less widely known (so there are relatively few resources on defending against them) and harder to defend against, which is why they are considered more dangerous than XSS attacks.

2. CSRF learning and understanding

In fact, a CSRF attack is made up of "three parts":

(1) A front-end or back-end request that modifies or creates data is accepted by the server without any verification;

(2) A malicious link or page that disguises the data-manipulation request;

(3) The user is induced to open or log in through the malicious link, which triggers the illegal operation.

2.1 Part I: Existence of vulnerabilities

Keyword: Cross-Site Request (the "CSR" in CSRF)

For a CSRF attack to succeed, the target site or system must have an operation that modifies or adds data, and that operation must be submitted to the back end without any parameter that identifies or verifies the requester. As soon as the back end receives the request, it performs the modification or addition immediately.

Common places where such a vulnerability exists include changing a user's password, changing a shipping address, or adding a back-end administrator account.

2.2 Part II: Disguising the exploit request

Keyword: Forgery (the "F" in CSRF)

Even when a CSRF vulnerability exists, exploiting it requires disguising the request that modifies or creates data. The attacker only needs to send the disguised request to the victim, or use social engineering to induce the victim to click the link while the victim's cookie is still valid. The CSRF vulnerability is then triggered and the current user's data is modified or created: for example, the current user's password is changed, or, if the current user is a back-end administrator, a new administrator account is created.

2.3 Part III: The user's unintended action

Key words: unintended operation

The current user, without realizing it, opens the page or link the attacker has constructed and thereby unintentionally completes the "illegal operation" the attacker wants, so that the attacker's malicious operation on the user's personal information is carried out.

2.4 CSRF vulnerability understanding summary

Summary: Construct a malicious link or HTML page

Exploiting a CSRF vulnerability means using the existing vulnerability to construct a "malicious link" or "HTML page" and then tricking the user into clicking it so that the vulnerability is triggered.

To put it more plainly: the target site under test has a CSRF vulnerability. The attacker uses it to disguise a link or HTML page and induces the victim to click the disguised request while logged in (that is, while the current cookie is valid). The request then modifies or adds the current user's data without the user's knowledge; the affected information may be the user's password or other key information, or a newly added back-end administrator.

3. CSRF scenario reproduction

The above covers the basic concepts. Next, let's look at where CSRF vulnerabilities commonly appear in practice, how to find such a vulnerability step by step, and how it is exploited. Follow along.

Note: This article presents two scenarios for analysis and learning.

3.1 Reproducing the password-change CSRF vulnerability scenario

CSRF vulnerabilities are especially common in functions that modify user information and data. On e-commerce platforms the most frequently affected operations are changing the user's password, changing the shipping address and account transfers. Here we take changing the user's password as the example and walk through the CSRF vulnerability and how malicious links and HTML pages are constructed for it.

So that you can practise on your own, the DVWA platform is used as the demonstration environment, and we will go through the password-change CSRF vulnerability from beginning to end.

3.1.1 DVWA vulnerability environment construction

Setting up the DVWA vulnerability platform is not explained in detail here; there are plenty of online articles you can refer to.


Once the DVWA environment is ready, log in with the default credentials (admin/password) to start the exercise.

3.1.2 The password-change process

Here I use the CSRF vulnerability in DVWA's Low-level password-change page. First, let's see what the password-change process looks like in this vulnerable environment.

(1) Go to the password change page

Log in to DVWA, set the current security level to Low (security=Low), and click CSRF to open the password-change page.

(2) Change the password of user admin

On the password-change page we find that the operation is very simple: enter the new password, enter it again to confirm, and submit. There are no other restrictions or requirements.

(3) Confirm login after changing the password

After changing the password I logged out and logged back in to verify that the change had succeeded. (After removing type="password" from the password field of the login form, the password can be seen in plaintext as 123; clicking Submit logs in successfully, which shows the password was changed.)

3.1.3 CSRF vulnerability discovery and analysis

Next, we use a packet-capture tool to analyse the requests and submissions made during the password-change process and exactly what actions we performed.

3.1.3.1 BurpSuite Packet Capture Analysis

(1) Prepare tools

• Firefox browser

• FoxyProxy proxy extension

• BurpSuite toolkit

BurpSuite is a packet-capture (intercepting proxy) tool for web security personnel.

(2) FoxyProxy proxy extension configuration

A brief note on configuring the FoxyProxy extension: search for it in the Firefox add-ons store, install it, and configure it as follows. Right-click the FoxyProxy icon in the toolbar and choose "Options", select "Enable proxy for all URLs", select "Default proxy", click "Edit selected items", and enter the proxy's IP address and port.

Afterwards you only need to select that configuration whenever you want to use the proxy.

(3) BurpSuite packet capture details

With the tools ready, let's get down to business.

First, enable the proxy configuration, open BurpSuite, and turn on interception to start capturing packets.

From BurpSuite's capture we can see that throughout the password-change process the request carries only two kinds of key data:

• Three key:value pairs for the password change: password_new, password_conf and Change

• The current user's cookie values: PHPSESSID and security

Apart from these, the password-change request contains nothing that could prove or verify the origin of the client request. This absence of any other verification is what gives the attacker the opening for "cross-site request forgery", and it is the main reason the vulnerability exists.
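As an added example (not part of the original article, DVWA or BurpSuite), the following Python script automates the observation just made: it parses a captured raw HTTP request and flags the conditions that make a state-changing request forgeable, namely a GET that carries data-changing parameters, no anti-CSRF token parameter, cookie-only authentication, and no Origin or Referer header. The two sample requests, the /vulnerabilities/csrf/ path, the host name, the session value and the user_token parameter name are constructed for the example.

```python
"""Flag the conditions that make a captured state-changing request CSRF-prone."""
from urllib.parse import parse_qs, urlsplit

# Parameter-name fragments that suggest a server-side anti-CSRF token is in use.
TOKEN_HINTS = ("token", "csrf", "xsrf", "nonce")

# Constructed sample modelled on the DVWA Low password-change request described above.
# Path, host and session value are assumptions for the example.
SAMPLE_VULNERABLE = (
    "GET /vulnerabilities/csrf/?password_new=123&password_conf=123&Change=Change HTTP/1.1\r\n"
    "Host: dvwa.local\r\n"
    "Cookie: PHPSESSID=constructed-session-id; security=low\r\n"
    "\r\n"
)

# Constructed sample of the same operation with the controls from section 4 applied
# (POST body, per-session token parameter, Origin header present).
SAMPLE_HARDENED = (
    "POST /vulnerabilities/csrf/ HTTP/1.1\r\n"
    "Host: dvwa.local\r\n"
    "Origin: http://dvwa.local\r\n"
    "Cookie: PHPSESSID=constructed-session-id; security=high\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "password_new=123&password_conf=123&Change=Change&user_token=constructed-token"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, headers, form parameters)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qs(urlsplit(target).query)
    content_type = headers.get("content-type", "")
    if method == "POST" and content_type.startswith("application/x-www-form-urlencoded"):
        params.update(parse_qs(body))
    return method, headers, params


def audit_csrf(raw):
    """Return the CSRF risk indicators found in one captured state-changing request."""
    method, headers, params = parse_request(raw)
    findings = []
    # A data-changing operation reachable by GET can be triggered by a plain link.
    if method == "GET" and params:
        findings.append("state_change_via_get")
    # Without a per-session token, the server cannot tell a forged request from a real one.
    has_token = any(hint in name.lower() for name in params for hint in TOKEN_HINTS)
    if not has_token:
        findings.append("no_anti_csrf_token")
        # The browser attaches cookies automatically, so a cookie alone is not proof of intent.
        if "cookie" in headers and "authorization" not in headers:
            findings.append("cookie_only_auth")
    # Without Origin/Referer the server cannot even apply the (weaker) source check.
    if "origin" not in headers and "referer" not in headers:
        findings.append("no_origin_or_referer")
    return findings


if __name__ == "__main__":
    for label, sample in (("vulnerable", SAMPLE_VULNERABLE), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_csrf(sample) or ["no CSRF indicators"])
```

Run against a request saved from BurpSuite as raw text, the script reproduces the finding for the Low level: the only parameters are the three password fields and the only credential is the cookie. The "cookie_only_auth" finding is the core of the issue; the GET finding only affects how easily the request can be disguised as a link, and a request that uses POST without a token still receives the same verdict.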

3.1.3.2 Tamper Data packet capture analysis

Besides BurpSuite, other tools can capture and analyse web request content. Here is a brief look at capturing and modifying web requests with Tamper Data.

(1) Prepare tools

• Firefox browser

• Tamper Data extension

(2) Tamper Data extension installation

Tamper Data is also a Firefox extension for capturing and modifying requests, so just search the add-ons store, download and install it.

(3) Tamper data packet capture analysis

3.1.4 CSRF vulnerability exploitation

3.1.4.1 Malicious link forgery

Once a password-change CSRF vulnerability has been found in the target site, the key question is how it is exploited. The simplest method is to capture the password-change GET request in BurpSuite, extract its URL, process it, and then use social engineering to lure someone into clicking the link, thereby changing their account password. The details are as follows.

(1) Truncate the request packet and extract the URL request


(2) Disguising the URL link

After extracting the URL of the vulnerable request, we can shorten the URL. After this simple disguise, social engineering is used to induce the target to click it and trigger the exploit.

3.1.4.2 Malicious HTML form forgery

Forging an HTML page is more advanced, more professional and more likely to succeed than merely disguising a link. The HTML forgery process is outlined here, and the details of each step follow.

• Step 1: Extract the URL of the password-change request;

• Step 2: Forge a form based on the format of the URL request;

• Step 3: Trick the victim into clicking the malicious HTML link.

(1) Retrieve the URL request for password change

Use BurpSuite to capture the password-change request and analyse its content.

(2) Forge the form

Having analysed the content of the password-change request, we manually construct a simple HTML form page in preparation for the CSRF attack.

(3) Induce the victim to click the malicious HTML link

We host the constructed HTML form page on the network and then send it to the victim through social engineering, inducing them to visit the malicious page and thereby trigger the "account password change".

3.1.5 CSRF Password Change Vulnerability Summary

Summary of the password-change CSRF vulnerability: from the analysis above, the vulnerability in this scenario is relatively easy to find. Its defining feature is that "changing the user's password is not subject to any condition or verification mechanism".

3.2 Reproducing the CSRF vulnerability in adding a back-end administrator

In penetration testing we often carry out "black-box testing" of a CMS: we set up the target CMS ourselves and then test every front-end and back-end function locally to dig out possible vulnerabilities. For the operation "add a system administrator in the back end", testing for CSRF is essential: if such a hole exists, a malicious HTML form page can be constructed against the target CMS to add a back-end administrator on the real target system, take over its back-end management privileges, and open the door to further penetration. The following reproduction targets a little-known CMS and its CSRF vulnerability in adding back-end administrator accounts.

3.2.1 Environment Preparations

• PHPStudy web container environment

• BurpSuite packet-capture tool

• LvyeCMS system download

3.2.2 PhpStudy Web container environment

Setting up the PHPStudy web container environment is not described here because it is really simple: download it and install with the defaults.

Download address:

3.2.3 BurpSuite packet capture tool

The use of BurpSuite and the proxy extension is covered in section 3.1 above and will not be repeated here. BurpSuite is a very powerful tool and I strongly recommend that you have it. I will also show you how to generate a CSRF PoC form with one click in BurpSuite, something I have only just learned, when the demo is replayed.

3.2.4 LvyECMS environment construction

3.2.4.1 Decompress the source package

Once the PHPStudy web container environment is ready, unpack the LvyeCMS source package, rename the folder (lvyecms), and copy it into the WWW folder in the PHPStudy home directory.

3.2.4.2 Setting the Site Domain Name

To make the test environment easy to reach later, I configured "Site domain name settings" as follows.

Select "Other options menu" - "Site domain name management", add the site domain name www.lvye.com with the site directory E:\phpstudy\WWW\lvyecms, click Add, then save the settings and restart the service.

3.2.4.3 Configuring hosts host resolution files

I opened the hosts file in "C:\Windows\System32\drivers\etc" and added the resolution record

127.0.0.1 www.lvye.com

and saved it. (Note that the file can only be saved when it is opened with administrator permission.)

3.2.5 Testing the back-end administrator addition process

(1) Go to the page for adding a back-end administrator

(2) Add a back-end administrator

(3) Check whether the administrator was added

3.2.6 CSRF vulnerability discovery and analysis

Through the three simple operations above we can create a back-end administrator account, and nothing abnormal is observed. Next we use BurpSuite to capture the packets and analyse whether, apart from the cookie, there is any valid verification of the user during the add-administrator process.

(1) Configure the Firefox proxy

For how to use the FoxyProxy extension in Firefox, see section 3.1.

(2) Enable BurpSuite interception

(3) Request packet capture analysis

From the packet capture we can see that while adding the back-end super administrator the request contains only two kinds of key information:

• The current user's cookie value

• The parameters carrying the new administrator's details

Apart from these two, there is no other information that verifies the current user's identity, so the add-administrator operation may have a CSRF vulnerability.

(4) Directly construct a GET-type CSRF malicious link

The construction method is simple: in BurpSuite, right-click the intercepted request, select "", then right-click again and choose "Copy URL" to obtain the complete GET-type "add administrator" URL request.

On verification, the GET-type CSRF link fails to add an administrator. It can therefore be inferred that the index.php script restricts the request type and accepts only data submitted by POST.

(5) Construct a POST-type HTML page

I have just learned a way to generate a CSRF form PoC directly in BurpSuite: right-click the intercepted request and choose "Engagement tools" - "Generate CSRF PoC" to obtain a CSRF form PoC.

(6) Construct the CSRF HTML form and verify it

We then copy the generated form into a file named csrf.html and publish it on a site (here I simply placed the PoC in the root directory of the lvye.com site), and then try to induce the administrator through social engineering to visit the malicious page, which triggers the add-administrator operation. (Of course, this only demonstrates the exploitation process; what the actual social-engineering content looks like is left to your imagination.) The exploitation process is shown below.

4. CSRF vulnerability protection

CSRF protection is now relatively mature. The main idea is to add effective verification of the current user's identity to the back-end data-modification process rather than relying on cookie recognition alone. The following protection measures are briefly listed.

(1) Source verification

Use the Referer header of the HTTP request to verify the source of the client request. This method was widely used in the past, but it is still easy to bypass, so it is not recommended.

(2) Verify user token

Add an effective random token verification mechanism tied to the current user's identity; that is, when a data-manipulation request is submitted, the back end verifies a random token value bound to the current user. This is the most widely used method today.

(3) Verify the current user password

When key information is modified, require the current user to enter their own password to verify the authenticity of their identity and prevent unauthorized malicious operations.

(4) Add a verification code

Before the request data is submitted, the user must fill in a verification code (CAPTCHA), which strengthens verification of the request source and prevents malicious, unauthorized operations.

This article was reposted from Safety Class.
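The following Python model, added here and not taken from the article, DVWA or any framework, shows measures (1) to (3) applied to a password-change handler: a vulnerable handler that trusts the session alone, beside a hardened one that requires a per-session, single-use token compared in constant time, checks the Origin/Referer header against the site's origin, and asks for the current password before the change. The names user_token, password_current and TRUSTED_ORIGIN, the in-memory session and all sample values are assumptions for the example.

```python
"""Synchronizer-token CSRF protection for a password-change handler (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_ORIGIN = "https://app.example"  # assumed site origin used by the source check


def hash_password(password, salt=None):
    """scrypt password hash; returns (salt, digest). Salt is generated when not given."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt, digest


def new_session(password):
    """Constructed in-memory session: what the server knows about the logged-in user."""
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "csrf_token": None}


def password_matches(session, password):
    _, digest = hash_password(password, session["salt"])
    return hmac.compare_digest(digest, session["digest"])


def issue_csrf_token(session):
    """Called when the change-password form is rendered; the token goes in a hidden field."""
    session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def origin_is_trusted(headers):
    """Measure (1): accept only requests whose Origin (or Referer) is our own site."""
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # a cross-site form may omit both headers, so fail closed
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def change_password_vulnerable(session, params):
    """Mirrors the DVWA Low behaviour described above: the session cookie is the only check."""
    if params.get("password_new") != params.get("password_conf"):
        return "rejected: passwords differ"
    session["salt"], session["digest"] = hash_password(params["password_new"])
    return "ok"


def change_password_hardened(session, headers, params):
    """Same operation with measures (2), (1) and (3) applied, in that order."""
    # (2) session-bound random token, constant-time comparison, consumed on first use
    expected = session.get("csrf_token")
    supplied = params.get("user_token", "")
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return "rejected: bad csrf token"
    session["csrf_token"] = None
    # (1) source check, secondary to the token because it can be bypassed
    if not origin_is_trusted(headers):
        return "rejected: untrusted origin"
    # (3) re-authenticate before a critical change
    if not password_matches(session, params.get("password_current", "")):
        return "rejected: wrong current password"
    if params.get("password_new") != params.get("password_conf"):
        return "rejected: passwords differ"
    session["salt"], session["digest"] = hash_password(params["password_new"])
    return "ok"


if __name__ == "__main__":
    # Constructed forged request: the three parameters seen in the DVWA capture and nothing else.
    forged = {"password_new": "123", "password_conf": "123", "Change": "Change"}
    session = new_session("password")
    print("vulnerable:", change_password_vulnerable(session, forged))
    session = new_session("password")
    print("hardened:  ", change_password_hardened(session, {"Origin": "https://evil.example"}, forged))
```

The order of checks matters: the token check is decisive and runs first; the source check is secondary because, as measure (1) notes, it can be bypassed; and the current-password check is what protects the most sensitive change even if a token were ever leaked. The hardened handler does not depend on the HTTP method at all, since section 3.2.6 showed that restricting a handler to POST merely turns the PoC from a link into a form.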