Question

CSRFs are common and easy to exploit. To look for them, start by discovering state-changing requests that aren’t shielded by CSRF protections. Here’s a three-step process for doing so. Remember that because browsers like Chrome offer automatic CSRF protection, you need to test with another browser, such as Firefox.

CSRF 攻击常见且易受攻击。要查找它们，首先要发现没有经过 CSRF 保护的状态更改请求。以下是三个步骤的过程。请记住，由于像 Chrome 这样的浏览器提供自动 CSRF 保护，因此您需要使用其他浏览器（例如 Firefox）进行测试。

Step 1: Spot State-Changing Actions

Actions that alter the users’ data are called state-changing actions . For example, sending tweets and modifying user settings are both state-changing. The first step of spotting CSRFs is to log in to your target site and browse through it in search of any activity that alters data.

改变用户数据的操作称为状态更改操作。例如，发送推文和修改用户设置都是状态更改操作。发现 CSRF 的第一步是登录到目标网站并浏览其中寻找任何更改数据的活动。

For example, let’s say you’re testing email.example.com , a subdomain of example.com that handles email. Go through all the app’s functionalities, clicking all the links. Intercept the generated requests with a proxy like Burp and write down their URL endpoints.

例如，假设您正在测试 email.example.com，这是处理电子邮件的 example.com 子域。浏览所有应用程序的功能，点击所有链接。使用 Burp 等代理拦截生成的请求，并记录其 URL 端点。

Record these endpoints one by one, in a list like the following, so you can revisit and test them later:

请把这些端点逐个记录在下面的列表中，方便以后回顾和测试：

State-changing requests on email.example.com

在 email.example.com 上的状态更改请求

• Change password: email.example.com/password_change

  POST request

  "POST 请求"

  Request parameters: new_password

  请求参数：新密码

• Send email: email.example.com/send_email

  POST request

  `POST 请求`

  Request parameters: draft_id , recipient_id

  请求参数：draft_id，接收者 id

• Delete email: email.example.com/delete_email

  POST request

  发布请求

  Request parameters: email_id

  请求参数：电子邮件 ID

Step 2: Look for a Lack of CSRF Protections

Now visit these endpoints to test them for CSRFs. First, open up Burp Suite and start intercepting all the requests to your target site in the Proxy tab. Toggle the Intercept button until it reads Intercept is on ( Figure 9-3 ).

现在访问这些端点以测试是否存在 CSRF。首先，在代理选项卡中打开 Burp Suite 并开始拦截所有指向目标站点的请求。切换到截获按钮并将其调整为“截获已开启”(见图 9-3)。

Figure 9-3 : Set to Intercept is on to capture your browser’s traffic. Click the Forward button to forward the current request to the server.

图 9-3：开启截取功能以捕获浏览器流量。点击前进按钮将当前请求发送至服务器。

Let Burp run in the background to record other traffic related to your target site while you’re actively hunting for CSRFs. Keep clicking the Forward button until you encounter the request associated with the state-changing action. For example, let’s say you’re testing whether the password-change function you discovered is vulnerable to CSRFs. You’ve intercepted the request in your Burp proxy:

在你积极寻找 CSRF 时，让 Burp 在后台运行以记录与目标站点相关的其他流量。不断点击“前进”按钮，直到你遇到与状态改变操作相关的请求。例如，假设你正在测试你发现的密码更改功能是否容易受到 CSRF 的攻击。你已经在你的 Burp 代理拦截了请求。

POST /password_change
Host: email.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE

(POST request body)
new_password=abc123

In the intercepted request, look for signs of CSRF protection mechanisms. Use the search bar at the bottom of the window to look for the string "csrf" or "state" . CSRF tokens can come in many forms besides POST body parameters; they sometimes show up in request headers, cookies, and URL parameters as well. For example, they might show up like the cookie here:

在拦截请求中，寻找 CSRF 保护机制的迹象。使用窗口底部的搜索栏搜索字符串“csrf”或“state”。除了 POST 主体参数外，CSRF 令牌还可以采用许多形式；它们有时也会出现在请求头、cookie 和 URL 参数中。例如，在此处可能会像 cookie 一样显示：

POST /password_change
Host: email.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE;     csrf_token=871caef0757a4ac9691aceb9aad8b65b 

(POST request body)
new_password=abc123

But even if you find a CSRF protection present on the endpoint, you could try a variety of protection-bypass techniques. I’ll talk about them later in the chapter.

即使您在端点上发现了 CSRF 保护，您仍可以尝试各种保护绕过技术。我将在本章稍后讨论它们。

Step 3: Confirm the Vulnerability

After you’ve found a potentially vulnerable endpoint, you’ll need to confirm the vulnerability. You can do this by crafting a malicious HTML form that imitates the request sent by the legitimate site.

在找到潜在易受攻击的端点后，您需要确认这种脆弱性。您可以通过构建恶意 HTML 表单来模仿合法站点发送的请求来实现这一点。

Craft an HTML page like this in your text editor. Make sure to save it with an .html extension! This way, your computer will open the file with a browser by default:

使用文本编辑器制作一个像这样的 HTML 页面。确保将其保存为.html 扩展名！这样，您的计算机将默认使用浏览器打开文件：

<html>
  <form method="POST" action="https://email.example.com/password_change" id="csrf-form"> 1
    <input type="text" name="new_password" value="abc123"> 2
    <input type="submit" value="Submit"> 3
  </form>
  <script>document.getElementById("csrf-form").submit();</script> 4
</html>

The <form> tag specifies that you’re defining an HTML form. An HTML form’s method attribute specifies the HTML method of the request generated by the form, and the action attribute specifies where the request will be sent to 1 . The form generates a POST request to the endpoint https://email.example.com/password_change . Next are two input tags. The first one defines a POST parameter with the name new_password and the value abc123 2 . The second one specifies a Submit button 3 . Finally, the <script> tag at the bottom of the page contains JavaScript code that submits the form automatically 4 .

<form>标签指定了 HTML 表单的定义。HTML 表单的 method 属性指定了表单生成的请求的 HTML 方法，而 action 属性指定了请求将发送到的位置 1。该表单生成一个 POST 请求到端点 https://email.example.com/password_change。接下来是两个输入标签。第一个定义了一个名为 new_password 和值为 abc123 的 POST 参数 2。第二个指定一个提交按钮 3。最后，在页面底部的<script>标签包含自动提交表单的 JavaScript 代码 4。

Open the HTML page in the browser that is signed into your target site. This form will generate a request like this:

打开已登入目标站点的浏览器中的 HTML 页面。此表单将生成以下请求：

POST /password_change
Host: email.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE

(POST request body)
new_password=abc123

Check if your password on email.example.com has been changed to abc123 . In other words, check if the target server has accepted the request generated by your HTML page. The goal is to prove that a foreign site can carry out state-changing actions on a user’s behalf.

检查您在 email.example.com 上的密码是否被更改为 abc123。换句话说，检查目标服务器是否接受了您的 HTML 页面生成的请求。目标是证明外部网站可以代表用户执行状态更改操作。

Finally, some websites might be missing CSRF tokens but still protect against CSRF attacks by checking if the referer header of the request matches a legitimate URL. Checking the referer header protects against CSRF, because these headers help servers filter out requests that have originated from foreign sites. Confirming a CSRF vulnerability like this can help you rule out endpoints that have referer-based CSRF protection.

一些网站可能缺少 CSRF 令牌，但仍通过检查请求的引用来源头（referer header）是否匹配合法的 URL 来防止 CSRF 攻击。检查引用来源头可以防止 CSRF 攻击，因为这些头信息帮助服务器筛选出源于外部网站的请求。确认这样的 CSRF 漏洞可以帮助您排除具有基于引用来源头的 CSRF 保护的节点。

However, it’s important for developers to remember that referer headers can be manipulated by attackers and aren’t a foolproof mitigation solution. Developers should implement a combination of CSRF tokens and SameSite session cookies for the best protection.

然而，开发人员需要记住，引用头可以被攻击者操纵，且不是绝对可靠的缓解解决方案。开发人员应该实现 CSRF 令牌和 SameSite 会话 cookie 的组合，以获得最佳保护。