跳转至

Cross-Site Request Forgery(跨站请求伪造)

题介绍

需要利用跨站请求伪造,让管理员访问一个URL地址

功能实现

点击页面提交数据 

POST /lessons/ed4182af119d97728b2afca6da7cdbe270a9e9dd714065f0f775cd40dc296bc7 HTTP/1.1


messageForAdmin=https%3A%2F%2Fip%2Froot%2FgrantComplete%2FcsrfLesson%3FuserId%3D598717876&csrfToken=66329888183457720076675536392112351575

对应后端实现代码 /src/main/java/servlets/module/lesson/CsrfLesson.java

String falseId = (String) ses.getAttribute("falseId");
log.debug("falseId = " + falseId);
String messageForAdmin = request.getParameter("messageForAdmin").toLowerCase();
log.debug("User Submitted - " + messageForAdmin);

String htmlOutput = new String();
boolean validLessonAttack = FindXSS.findCsrfAttackUrl(messageForAdmin, "/root/grantComplete/csrflesson", "userId", falseId); //核心验证操作 

if(validLessonAttack)

// FindXSS.findCsrfAttackUrl

public static boolean findCsrfAttackUrl (String theUrl, String csrfAttackPath, String userIdParameterName, String userIdParameterValue ) 
    {
        boolean validAttack = false;
        try
        {
            URL theAttack = new URL(theUrl);
            log.debug("csrfAttackPath: " + csrfAttackPath);
            log.debug("theAttack Host: " + theAttack.getHost());
            log.debug("theAttack Port: " + theAttack.getPort());
            log.debug("theAttack Path: " + theAttack.getPath());
            log.debug("theAttack Query: " + theAttack.getQuery());
            boolean validPath = theAttack.getPath().toLowerCase().endsWith(csrfAttackPath.toLowerCase());  // 判断提交的URL是否正确
            if(!validPath)
                log.debug("Invalid Solution: Bad Path submitted. Expected:" + csrfAttackPath.toLowerCase());
            else
            {
                boolean validQuery = theAttack.getQuery().toLowerCase().equalsIgnoreCase((userIdParameterName + "=" + userIdParameterValue).toLowerCase()); // 判断参数是否正确
                if(!validQuery)
                    log.debug("Invalid Solution: Bad Query. Expected: " + (userIdParameterName + "=" + userIdParameterValue).toLowerCase());
                else
                {
                    validAttack = true;
                }
            }
        }
        catch(MalformedURLException e)
        {
            log.debug("Invalid URL Submitted: " + e.toString());
            validAttack = false;
        }
        catch(Exception e)
        {
            log.error("FindCSRF Failed: " + e.toString());
            validAttack = false;
        }
        return validAttack;
    }

解题步骤

这个只是一个模拟csrf操作,因此直接输入题目要求的 url地址即可

总结

CSRF是一类比较常见的安全漏洞,核心点是借用受害者的cookie,达到绕过系统权限校验
具体危害取决漏洞页面实现的功能,如修改管理员密码功能

常见的解决方案:
- 校验请求的refer 是否是本域
- 每个请求添加随机token

Back to top