CSRF: don't underestimate its damage and attack capability - Vulnerability warning - 黑吧安全网 (myhack58)

ID MYHACK58:62200819132
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-05-24T00:00:00


Author: iceskysl Source: IceskYsl@1sters!

CSRF, as an attack technique, has been known for years (it was already being discussed in 2006), but this sleeping giant of an attack has only recently started to come into our line of sight. What is CSRF, how much damage can it really do, and how is it commonly exploited? Today, as the first article in the "security-related | Security" category, I will explain according to my own understanding: do not underestimate the danger and attack capability of CSRF.

First, what is CSRF

Let us first look at the original description of CSRF:

> Cross Site Reference Forgery works by including malicious code or a link in a page that accesses a web application that the user is believed to have authenticated. If the session for that web application has not timed out, an attacker may execute unauthorized commands.

Second, CSRF case description and analysis

Naturally, I will use a Rails application as the example. Before Rails 2, the session lived on the server side (in a file, the database or a cache) and only the session id was stored in a cookie; since Rails 2 there is also a cookie-based session store that keeps the whole session in the client's cookie. Each approach has its reasons and its trade-offs, which are outside the scope of this article. What matters here is this: when the browser sends a request to a domain and it holds cookies for that domain, it attaches those cookies automatically. That in itself is no problem; it is how we keep state on top of stateless HTTP. But what happens when a request to that domain is triggered from a page on some other domain, and the browser, while loading it, still attaches the cookies? A simple but very common example illustrates the problem.

---------- Case ----------

1. Bob has just checked his Bank A account balance on his own computer. Bored, he wanders over to a public BBS and, seeing a post titled "Bank A internal photos", opens it out of curiosity to see what the inside of the bank he trusts looks like. Little does he know that the post is a carefully designed scam by an attacker.
2. The post does contain a few pictures that look like Bank A, but one picture never shows up. Bob assumes his connection is too slow and thinks nothing of it; he shakes his head at the disappointing photos and closes the post.
3. A few days later Bob discovers that 1000 yuan is missing from his Bank A account. What on earth happened?

Analysis: why is the money gone? Recall the picture that never loaded. Look at the address in its src attribute (the URL itself is not reproduced on this page) and you are in for a surprise. The clever reader will see it at once: the address is malicious, and opening it transfers 1000 yuan to the attacker. How can that be? You will protest that you could not possibly have transferred 1000 yuan to someone without knowing it. And yet it is entirely possible. Bob had just viewed his account, so his Bank A cookie had not expired. When a URL like that appears in an img src, the browser tries to load it and, as for any request to that domain, sends the stored cookie along. Bank A verifies the request by that cookie, sees a logged-in user, and the transfer quietly goes through.

----------- Case end ---------

So, do you see? This is CSRF. In one sentence: it borrows your cookie to quietly do, without your knowledge, something you would never have agreed to. Worse still, the image or link carrying that URL does not have to sit on Bank A's own server; it can be anywhere: a blog, a public BBS, a mass mailing, and so on. Every one of these places can hide a trap. The picture below explains exactly how a CSRF attack works.

(Figure: diagram of how a CSRF attack works; the image is not reproduced on this page.)

Third, CSRF prevention

Sounds scary? Yes, it really is, and realising that is a good thing, because it makes you look at how to improve and prevent this class of vulnerability. Broadly, CSRF prevention comes down to two things:

1. Use GET, POST and cookies correctly;
2. Require a security token on every non-GET request.

We know that the browser sends requests with GET or POST, and that cookies are also commonly involved; for the other HTTP request methods you can consult the specification. The general rule in the HTTP specification is:

1. GET is for viewing, listing and showing;
2. POST is for changing a resource's attributes or performing other side effects.

Let us walk through the two measures in Rails. First, in a controller we can restrict an action to a given method (verify that only POST, or only GET, is accepted), for example: Ruby code

verify :method => :post, :only => [ :transfer ], :redirect_to => { :action => :list }

With that restriction in place, the attack in the case above stops working: transfer must now be submitted with POST, and a GET request is no longer acted on (it is redirected to list). Is everything fine now? No! A POST request can also be constructed and submitted automatically. How? Look at the example below; you will be surprised. XML/HTML code

<a href="http://www.1sters.com/">try me</a>

Yes, this is a live demonstration; a link's href or an image's src will do. Think further: an attacker can put up a picture and attach an onmouseover handler to it that runs a piece of JavaScript to submit the request (or uses AJAX), on an image such as the following: XML/HTML code

<img src="http://www.harmless.com/img" width="400" height="400" />

So restricting the action to POST is still not safe enough. What then? No hurry, we still have the second step: attach a security token to every non-GET request. From Rails 2 on this is very simple and it is enabled by default. Add the following to environment.rb: Ruby code

config.action_controller.session = { :session_key => '_csrf_session', :secret => 'ae4b43dda38ff78bb50898b2935da76d1e224061ab72a9399d34cea4c6178eee6dae815fff920a20642f27abda83b793da4e9b6cf20c4838805e80abf53e318a' }

Then add the security token setting to ApplicationController: Ruby code

protect_from_forgery :secret => '053cef294a333f72c3584311799c69d2'

Now we are basically safe. If a POST request arrives whose security token does not match the one computed from the session and the server secret, Rails raises ActionController::InvalidAuthenticityToken and the request is refused, which prevents this class of defect. Note that the token is only checked on non-GET requests, which is why step 1 (keeping state-changing actions off GET) has to come first. Security-minded readers may ask: if I could crack the protect_from_forgery token, couldn't I still get in? In theory yes, but in practice it is essentially impossible: someone has calculated how many attempts a brute force of the string would need (the figure is garbled in the source here and reads as 2 to the 11th). I will go into this in a later article and will not repeat it here.
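To tie the case in section 2 to the two prevention steps in section 3, here is an added example that is not part of the original article and is not Rails code: a small stand-alone Ruby model of the bank, Bob's browser and the attacker's page. The protection levels, user names, amounts and the secret are assumptions made for the demonstration; the token derivation (an HMAC-SHA1 keyed by the server secret over the session id) is modelled on what Rails 2.0 did when protect_from_forgery was given a :secret, but the code below is my own. Run the scenario at each protection level and compare Bob's balance: with no protection the image request and the forged POST both go through; with verify :method => :post only the image is refused; with the token as well both forged requests are rejected, while a form rendered by the bank itself, which can embed the token, still works.

```ruby
require 'openssl'
require 'securerandom'
# Added example (not Rails code): a constructed model of the article's scenario.
# The bank identifies the user by a session cookie and the browser attaches that
# cookie to every request for the bank, whoever caused it. Names, secrets and
# balances are assumptions.

class MethodNotAllowed < StandardError; end
class InvalidAuthenticityToken < StandardError; end

# Constant-time comparison, so the check does not leak how much of a guess matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class BankApp
  attr_reader :balances

  # protection: :none (the vulnerable bank), :post_only (verify :method => :post)
  # or :token (verify plus protect_from_forgery).
  def initialize(secret:, protection: :none)
    @secret = secret
    @protection = protection
    @sessions = {}                                   # session id => user name
    @balances = { 'bob' => 5000, 'alice' => 0, 'attacker' => 0 }
  end

  # Login: the session id is the cookie value the browser will send back.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = user
    sid
  end

  # Token derivation modelled on Rails 2.0's :secret mode: HMAC-SHA1 keyed by
  # the server secret over the session id. Only a page rendered by the bank can
  # embed it; a foreign page can make the browser send the cookie but not this.
  def authenticity_token(session_id)
    OpenSSL::HMAC.hexdigest('sha1', @secret, session_id)
  end

  # The transfer action: returns :ok or raises.
  def transfer(method:, cookie:, params:)
    user = @sessions[cookie] or raise 'not logged in'
    # Defence 1: only POST may change state, so a GET from <img src> is refused.
    if @protection != :none && method != :post
      raise MethodNotAllowed, 'transfer must be POSTed'
    end
    # Defence 2: the POST must carry the token derived from this very session.
    if @protection == :token
      given = params['authenticity_token'].to_s
      raise InvalidAuthenticityToken unless secure_equal?(given, authenticity_token(cookie))
    end
    amount = Integer(params.fetch('amount'))
    raise 'insufficient funds' if @balances.fetch(user) < amount
    @balances[user] -= amount
    @balances[params.fetch('to')] += amount
    :ok
  end
end

# The browser sends the stored cookie with every request to the bank.
Browser = Struct.new(:bank, :cookie) do
  # <img src="http://bank/transfer?to=attacker&amount=1000"> on the BBS page
  def load_image(params)
    bank.transfer(method: :get, cookie: cookie, params: params)
  end
  # A form on the attacker's page, auto-submitted by JavaScript
  def submit_form(params)
    bank.transfer(method: :post, cookie: cookie, params: params)
  end
end

# Bob logs in, then visits the attacker's page, which tries the image trick and
# then an auto-submitted POST. Returns Bob's balance afterwards.
def run_scenario(protection)
  bank = BankApp.new(secret: 'server-side-secret', protection: protection)
  browser = Browser.new(bank, bank.login('bob'))
  evil = { 'to' => 'attacker', 'amount' => '1000' }
  begin
    browser.load_image(evil)       # the picture that "never loaded"
  rescue MethodNotAllowed          # refused once POST is required
  end
  begin
    browser.submit_form(evil)      # has the cookie, lacks the token
  rescue InvalidAuthenticityToken  # refused once the token is required
  end
  bank.balances['bob']
end

# A genuine transfer: the form rendered by the bank itself carries the token.
def legitimate_transfer
  bank = BankApp.new(secret: 'server-side-secret', protection: :token)
  browser = Browser.new(bank, bank.login('bob'))
  token = bank.authenticity_token(browser.cookie)
  browser.submit_form('to' => 'alice', 'amount' => '100', 'authenticity_token' => token)
  bank.balances['bob']
end
```

Calling run_scenario(:none), run_scenario(:post_only) and run_scenario(:token) leaves Bob with 3000, 4000 and 5000 respectively, and legitimate_transfer leaves him with 4900. The model also makes the ordering of the two steps visible: the token is only demanded on the POST path, so a transfer that remained reachable by GET would bypass it entirely, which is why the verify restriction comes first.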

Fourth, summary

CSRF is only just rising, and it is certain to become a craze on the network. Railsers must pay attention to the security of their own applications. CSRF is a bigger threat than you think; do not underestimate it.