CSRF漏洞挖掘与审计教学文档<\/h1>

一、漏洞概述<\/h2>
CSRF（Cross-Site Request Forgery，跨站请求伪造）是一种常见的Web安全漏洞，攻击者可以利用该漏洞在用户不知情的情况下，以用户的身份执行未经授权的操作。<\/p>

漏洞危害<\/h3>

在修改他人密码的场景中尤为严重<\/li>
攻击者可以完全控制目标用户账户<\/li>

可能导致数据泄露、权限提升等严重后果<\/li> <\/ul>

二、漏洞原理<\/h2>

核心机制<\/h3>

Web应用依赖用户身份验证（通常通过会话信息如Cookie）<\/li>
用户登录后，浏览器会保存会话信息<\/li>
用户访问其他页面时，浏览器自动携带这些会话信息<\/li>

服务器通过验证会话信息判断用户身份<\/li> <\/ol>

攻击流程<\/h3>

攻击者构造恶意请求<\/li>
诱使用户在已登录目标网站的情况下访问恶意页面<\/li>
浏览器自动携带用户的会话信息向目标网站发起请求<\/li>
服务器误认为是用户本人发起的合法请求<\/li>

执行未经授权的操作（如修改密码）<\/li> <\/ol>

三、漏洞复现<\/h2>

环境准备<\/h3>

开发环境：idea2024、jdk1.8、tomcat+maven<\/li>
目标系统：超市管理系统<\/li>

测试工具：Burp Suite<\/li> <\/ul>

复现步骤<\/h3>

定位漏洞点：修改密码功能<\/p> <\/li>

分析请求流程：<\/p>

第一个请求包：验证旧密码（oldpassword<\/code>参数）<\/li>
第二个请求包：实际修改密码请求<\/li> <\/ul> <\/li>


关键请求包分析：<\/p>
<\/li>
<\/ol>
POST<\/span> \/smbms\/jsp\/user.do HTTP<\/span>\/<\/span>1.1<\/span>
<\/span><\/span>Host:<\/span> 192.168.32.142:8080<\/span>
<\/span><\/span>Content-Type:<\/span> application\/x-www-form-urlencoded<\/span>
<\/span><\/span>Cookie:<\/span> JSESSIONID=386FCEF330712CC65F793089E7377DC0<\/span>
<\/span><\/span>
<\/span><\/span>method=savepwd&oldpassword=123456789&newpassword=12345678%2B&rnewpassword=12345678%2B
<\/span><\/span><\/code><\/pre>
使用Burp Suite生成CSRF PoC<\/li>
在另一个浏览器中登录其他账户测试PoC<\/li>
验证密码是否被修改<\/li>
<\/ol>
四、代码审计分析<\/h2>
1. Web.xml配置分析<\/h3>
<servlet><\/span>
<\/span><\/span>    <servlet-name><\/span>UserServlet<\/servlet-name><\/span>
<\/span><\/span>    <servlet-class><\/span>org.example.servlet.user.UserServlet<\/servlet-class><\/span>
<\/span><\/span><\/servlet><\/span>
<\/span><\/span><servlet-mapping><\/span>
<\/span><\/span>    <servlet-name><\/span>UserServlet<\/servlet-name><\/span>
<\/span><\/span>    <url-pattern><\/span>\/jsp\/user.do<\/url-pattern><\/span>
<\/span><\/span><\/servlet-mapping><\/span>
<\/span><\/span><\/code><\/pre>2. 关键代码分析<\/h3>
修改密码功能（updatePwd方法）<\/h4>
public<\/span> void<\/span> updatePwd<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp){<\/span>
<\/span><\/span>    \/\/ 从session中获取用户id
<\/span><\/span><\/span><\/span>    Object attribute =<\/span> req.<\/span>getSession<\/span>().<\/span>getAttribute<\/span>(<\/span>Constansts.<\/span>USER_SESSION<\/span>);<\/span>
<\/span><\/span>    String newpassword =<\/span> req.<\/span>getParameter<\/span>(<\/span>"newpassword"<\/span>);<\/span>
<\/span><\/span>    boolean<\/span> flag =<\/span> false<\/span>;<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span>(<\/span>attribute !=<\/span>null<\/span> &&<\/span> !<\/span>StringUtils.<\/span>isNullOrEmpty<\/span>(<\/span>newpassword)){<\/span>
<\/span><\/span>        UserService userService =<\/span> new<\/span> UserServiceImpl();<\/span>
<\/span><\/span>        flag =<\/span> userService.<\/span>updatePwd<\/span>(((<\/span>User)<\/span>attribute).<\/span>getId<\/span>(),<\/span>newpassword);<\/span>
<\/span><\/span>        
<\/span><\/span>        if<\/span>(<\/span>flag){<\/span>
<\/span><\/span>            req.<\/span>setAttribute<\/span>(<\/span>"message"<\/span>,<\/span>"修改密码成功!请重新登录!"<\/span>);<\/span>
<\/span><\/span>            req.<\/span>getSession<\/span>().<\/span>removeAttribute<\/span>(<\/span>Constansts.<\/span>USER_SESSION<\/span>);<\/span>
<\/span><\/span>        }<\/span>else<\/span> {<\/span>
<\/span><\/span>            req.<\/span>setAttribute<\/span>(<\/span>"message"<\/span>,<\/span>"修改密码失败!"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>else<\/span>{<\/span>
<\/span><\/span>        req.<\/span>setAttribute<\/span>(<\/span>"message"<\/span>,<\/span>"新密码有问题!"<\/span>);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        req.<\/span>getRequestDispatcher<\/span>(<\/span>"pwdmodify.jsp"<\/span>).<\/span>forward<\/span>(<\/span>req,<\/span> resp);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>ServletException e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞点：<\/strong><\/p>

虽然前端传递了oldpassword<\/code>参数，但后端代码中完全没有使用和校验<\/li>
没有CSRF Token等防护机制<\/li>
仅依赖session验证用户身份<\/li>
<\/ul>
旧密码验证功能（pwdModify方法）<\/h4>
public<\/span> void<\/span> pwdModify<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp){<\/span>
<\/span><\/span>    Object attribute =<\/span> req.<\/span>getSession<\/span>().<\/span>getAttribute<\/span>(<\/span>Constansts.<\/span>USER_SESSION<\/span>);<\/span>
<\/span><\/span>    String oldpassword =<\/span> req.<\/span>getParameter<\/span>(<\/span>"oldpassword"<\/span>);<\/span>
<\/span><\/span>    Map<<\/span>String,<\/span>String><\/span> ressltMap =<\/span> new<\/span> HashMap<<\/span>String,<\/span>String>();<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span>(<\/span>attribute ==<\/span> null<\/span>){<\/span>
<\/span><\/span>        ressltMap.<\/span>put<\/span>(<\/span>"result"<\/span>,<\/span>"sessionor"<\/span>);<\/span>
<\/span><\/span>    }<\/span> else<\/span> if<\/span> (<\/span>StringUtils.<\/span>isNullOrEmpty<\/span>(<\/span>oldpassword))<\/span> {<\/span>
<\/span><\/span>        ressltMap.<\/span>put<\/span>(<\/span>"result"<\/span>,<\/span>"error"<\/span>);<\/span>
<\/span><\/span>    }<\/span>else<\/span> {<\/span>
<\/span><\/span>        String userPassword =<\/span> ((<\/span>User)<\/span>attribute).<\/span>getUserPassword<\/span>();<\/span>
<\/span><\/span>        if<\/span>(<\/span>userPassword.<\/span>equals<\/span>(<\/span>oldpassword)){<\/span>
<\/span><\/span>            ressltMap.<\/span>put<\/span>(<\/span>"result"<\/span>,<\/span>"true"<\/span>);<\/span>
<\/span><\/span>        }<\/span>else<\/span>{<\/span>
<\/span><\/span>            ressltMap.<\/span>put<\/span>(<\/span>"result"<\/span>,<\/span>"false"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    try<\/span> {<\/span>
<\/span><\/span>        resp.<\/span>setContentType<\/span>(<\/span>"application\/json"<\/span>);<\/span>
<\/span><\/span>        PrintWriter writer =<\/span> resp.<\/span>getWriter<\/span>();<\/span>
<\/span><\/span>        writer.<\/span>write<\/span>(<\/span>JSONArray.<\/span>toJSONString<\/span>(<\/span>ressltMap));<\/span>
<\/span><\/span>        writer.<\/span>flush<\/span>();<\/span>
<\/span><\/span>        writer.<\/span>close<\/span>();<\/span>
<\/span><\/span>    }<\/span> catch<\/span> (<\/span>IOException e)<\/span> {<\/span>
<\/span><\/span>        throw<\/span> new<\/span> RuntimeException(<\/span>e);<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞点：<\/strong><\/p>

验证结果仅通过前端AJAX处理<\/li>
攻击者可拦截响应包修改result<\/code>值为true<\/code>绕过验证<\/li>
后端验证与修改密码操作分离，没有关联性<\/li>
<\/ul>
3. 前端实现分析（pwdmodify.jsp）<\/h3>
<form id="userForm" name="userForm" method="post" action="${pageContext.request.contextPath }\/jsp\/user.do">
    <input type="hidden" name="method" value="savepwd">
    <div class="">
        <label for="oldPassword">旧密码:<\/label>
        <input type="password" name="oldpassword" id="oldpassword" value="">
    <\/div>
    <div>
        <label for="newPassword">新密码:<\/label>
        <input type="password" name="newpassword" id="newpassword" value="">
    <\/div>
    <div>
        <label for="reNewPassword">确认新密码:<\/label>
        <input type="password" name="rnewpassword" id="rnewpassword" value="">
    <\/div>
    <div class="providerAddBtn">
        <input type="button" name="save" id="save" value="保存" class="input-button">
    <\/div>
<\/form>
<\/code><\/pre>
AJAX验证代码：<\/strong><\/p>
oldpassword<\/span>.on<\/span>("blur"<\/span>,function<\/span>(){
<\/span><\/span>    $<\/span>.ajax<\/span>({
<\/span><\/span>        type<\/span>:<\/span>"GET"<\/span>,
<\/span><\/span>        url<\/span>:<\/span>path<\/span>+<\/span>"\/jsp\/user.do"<\/span>,
<\/span><\/span>        data<\/span>:<\/span>{method<\/span>:<\/span>"pwdmodify"<\/span>,oldpassword<\/span>:<\/span>oldpassword<\/span>.val<\/span>()},
<\/span><\/span>        dataType<\/span>:<\/span>"json"<\/span>,
<\/span><\/span>        success<\/span>:<\/span>function<\/span>(data<\/span>){
<\/span><\/span>            if<\/span>(data<\/span>.result<\/span> ==<\/span> "true"<\/span>){
<\/span><\/span>                validateTip<\/span>(oldpassword<\/span>.next<\/span>(),{"color"<\/span>:<\/span>"green"<\/span>},imgYes<\/span>,true<\/span>);
<\/span><\/span>            }else<\/span> if<\/span>(data<\/span>.result<\/span> ==<\/span> "false"<\/span>){
<\/span><\/span>                validateTip<\/span>(oldpassword<\/span>.next<\/span>(),{"color"<\/span>:<\/span>"red"<\/span>},imgNo<\/span> +<\/span> " 原密码输入不正确"<\/span>,false<\/span>);
<\/span><\/span>            }else<\/span> if<\/span>(data<\/span>.result<\/span> ==<\/span> "sessionerror"<\/span>){
<\/span><\/span>                validateTip<\/span>(oldpassword<\/span>.next<\/span>(),{"color"<\/span>:<\/span>"red"<\/span>},imgNo<\/span> +<\/span> " 当前用户session过期,请重新登录"<\/span>,false<\/span>);
<\/span><\/span>            }else<\/span> if<\/span>(data<\/span>.result<\/span> ==<\/span> "error"<\/span>){
<\/span><\/span>                validateTip<\/span>(oldpassword<\/span>.next<\/span>(),{"color"<\/span>:<\/span>"red"<\/span>},imgNo<\/span> +<\/span> " 请输入旧密码"<\/span>,false<\/span>);
<\/span><\/span>            }
<\/span><\/span>        },
<\/span><\/span>        error<\/span>:<\/span>function<\/span>(data<\/span>){
<\/span><\/span>            validateTip<\/span>(oldpassword<\/span>.next<\/span>(),{"color"<\/span>:<\/span>"red"<\/span>},imgNo<\/span> +<\/span> " 请求错误"<\/span>,false<\/span>)
<\/span><\/span>        }
<\/span><\/span>    });
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>五、漏洞利用分析<\/h2>
1. 直接利用方式<\/h3>

构造恶意HTML表单，诱导用户点击<\/li>
绕过旧密码验证：

直接发送修改密码请求（method=savepwd<\/code>）<\/li>
拦截验证响应，修改result<\/code>为true<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
2. 利用难点<\/h3>

需要用户已登录系统<\/li>
需要诱使用户访问恶意页面<\/li>
<\/ul>
3. 利用效果<\/h3>

成功修改用户密码<\/li>
用户被强制退出登录（session被清除）<\/li>
<\/ul>
六、修复建议<\/h2>
1. 添加CSRF Token<\/h3>

在表单中添加随机生成的Token<\/li>
服务器端验证Token有效性<\/li>
<\/ul>
\/\/ 生成Token
<\/span><\/span><\/span><\/span>String csrfToken =<\/span> UUID.<\/span>randomUUID<\/span>().<\/span>toString<\/span>();<\/span>
<\/span><\/span>session.<\/span>setAttribute<\/span>(<\/span>"csrfToken"<\/span>,<\/span> csrfToken);<\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 在表单中添加
<\/span><\/span><\/span><\/span><<\/span>input type=<\/span>"hidden"<\/span> name=<\/span>"csrfToken"<\/span> value=<\/span>"${csrfToken}"<\/span>><\/span>
<\/span><\/span>
<\/span><\/span>\/\/ 服务器端验证
<\/span><\/span><\/span><\/span>if<\/span>(!<\/span>request.<\/span>getParameter<\/span>(<\/span>"csrfToken"<\/span>).<\/span>equals<\/span>(<\/span>session.<\/span>getAttribute<\/span>(<\/span>"csrfToken"<\/span>))){<\/span>
<\/span><\/span>    \/\/ 验证失败处理
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. 加强旧密码验证<\/h3>

将旧密码验证与修改操作合并<\/li>
在修改密码方法中验证旧密码<\/li>
<\/ul>
public<\/span> void<\/span> updatePwd<\/span>(<\/span>HttpServletRequest req,<\/span> HttpServletResponse resp){<\/span>
<\/span><\/span>    Object attribute =<\/span> req.<\/span>getSession<\/span>().<\/span>getAttribute<\/span>(<\/span>Constansts.<\/span>USER_SESSION<\/span>);<\/span>
<\/span><\/span>    String oldpassword =<\/span> req.<\/span>getParameter<\/span>(<\/span>"oldpassword"<\/span>);<\/span>
<\/span><\/span>    String newpassword =<\/span> req.<\/span>getParameter<\/span>(<\/span>"newpassword"<\/span>);<\/span>
<\/span><\/span>    
<\/span><\/span>    if<\/span>(<\/span>attribute ==<\/span> null<\/span>){<\/span>
<\/span><\/span>        \/\/ 处理未登录情况
<\/span><\/span><\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    User user =<\/span> (<\/span>User)<\/span>attribute;<\/span>
<\/span><\/span>    if<\/span>(!<\/span>user.<\/span>getUserPassword<\/span>().<\/span>equals<\/span>(<\/span>oldpassword)){<\/span>
<\/span><\/span>        \/\/ 旧密码不匹配
<\/span><\/span><\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>    
<\/span><\/span>    \/\/ 继续修改密码逻辑
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 使用SameSite Cookie属性<\/h3>
<session-config><\/span>
<\/span><\/span>    <cookie-config><\/span>
<\/span><\/span>        <http-only><\/span>true<\/http-only><\/span>
<\/span><\/span>        <secure><\/span>true<\/secure><\/span>
<\/span><\/span>        <same-site><\/span>strict<\/same-site><\/span>
<\/span><\/span>    <\/cookie-config><\/span>
<\/span><\/span>    <session-timeout><\/span>30<\/session-timeout><\/span>
<\/span><\/span><\/session-config><\/span>
<\/span><\/span><\/code><\/pre>4. 验证HTTP Referer头<\/h3>
String referer =<\/span> request.<\/span>getHeader<\/span>(<\/span>"Referer"<\/span>);<\/span>
<\/span><\/span>if<\/span>(<\/span>referer ==<\/span> null<\/span> ||<\/span> !<\/span>referer.<\/span>startsWith<\/span>(<\/span>"https:\/\/yourdomain.com"<\/span>)){<\/span>
<\/span><\/span>    \/\/ 非法请求
<\/span><\/span><\/span><\/span>    return<\/span>;<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>5. 关键操作使用POST请求<\/h3>

避免使用GET请求进行状态修改操作<\/li>
<\/ul>
七、经验总结<\/h2>


常见误区<\/strong>：认为有旧密码验证就能防御CSRF<\/p>

实际：如果验证与操作分离，仍可能被绕过<\/li>
<\/ul>
<\/li>

审计要点<\/strong>：<\/p>

检查关键操作是否有CSRF防护机制<\/li>
验证前端验证是否可被绕过<\/li>
检查操作是否与验证相关联<\/li>
<\/ul>
<\/li>

开发建议<\/strong>：<\/p>

关键操作必须添加CSRF Token<\/li>
前后端验证要紧密结合<\/li>
遵循"不信任用户输入"原则<\/li>
<\/ul>
<\/li>

测试方法<\/strong>：<\/p>

使用Burp Suite生成CSRF PoC测试<\/li>
尝试绕过前端验证<\/li>
检查是否依赖单一验证机制<\/li>
<\/ul>
<\/li>
<\/ol>
安全箴言<\/strong>：漏洞虐我千百遍，我待漏洞如初恋。保持学习心态，持续提升安全意识和技能。<\/p>

CSRF漏洞挖掘与审计教学文档<\/h1>

一、漏洞概述<\/h2> CSRF（Cross-Site Request Forgery，跨站请求伪造）是一种常见的Web安全漏洞，攻击者可以利用该漏洞在用户不知情的情况下，以用户的身份执行未经授权的操作。<\/p>

二、漏洞原理<\/h2>

三、漏洞复现<\/h2>

四、代码审计分析<\/h2>

2. 关键代码分析<\/h3>

五、漏洞利用分析<\/h2>

六、修复建议<\/h2>

一、漏洞概述<\/h2>
CSRF（Cross-Site Request Forgery，跨站请求伪造）是一种常见的Web安全漏洞，攻击者可以利用该漏洞在用户不知情的情况下，以用户的身份执行未经授权的操作。<\/p>