Prerequisite: the cookie can be obtained; it is recommended to install the Cookie Editor and HackBar add-ons in Firefox.
Typically you find an entry point in the web application where state changes, then alter the target site's content by forging the request.
Browsers generally mitigate this when the cookie is set with SameSite=Strict or SameSite=Lax:
When the SameSite flag on a cookie is set to Strict, the client's browser won't send the cookie during cross-site requests.
Another possible setting for the SameSite flag is Lax, which tells the client's browser to send a cookie only in requests that cause top-level navigation (when users actively click a link and navigate to the site). This setting ensures that users still have access to the resources on your site if the cross-site request is intentional. For example, if you navigate to Facebook from a third-party site, your Facebook logins will be sent. But if a third-party site initiates a POST request to Facebook or tries to embed the contents of Facebook within an iframe, cookies won't be sent.
If combined with a cross-site scripting (XSS) attack, the CSRF link can be written into the XSS payload:
e.g. <script>location.href=URL of the CSRF GET request</script>
Finding CSRFs
Step 1: Locate state-changing operations
The first step in finding CSRFs is to log in to the target site and browse it, searching for any activity that changes data.
Step 2: Look for missing CSRF protection: intercept the request with Burp Suite and check whether the SameSite attribute or a CSRF token tied to the cookie is absent.
Step 3: Confirm the vulnerability
After finding a potentially vulnerable endpoint, you need to confirm the vulnerability. You can craft a malicious HTML form that mimics the request sent by the legitimate site:
<html>
<form method="POST" action="https://email.example.com/password_change" id="csrf-form">
<input type="text" name="new_password" value="abc123">
<input type="submit" value="Submit">
</form>
<script>document.getElementById("csrf-form").submit();</script>
</html>
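As an added example (not part of the original notes), a small Python model of the SameSite rules described above, used as the step 2 check: given the Set-Cookie header seen in Burp and the request the PoC form would fire, does the session cookie ride along? The Set-Cookie headers, URLs and the attacker.example origin are constructed, and the registrable-domain logic is a simplification.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}

@dataclass
class Request:
    method: str
    initiator: str   # URL of the page that caused the request
    target: str      # URL the request is sent to
    top_level: bool  # True for a navigation, False for iframe/img/fetch sub-requests

def registrable_domain(url: str) -> str:
    # Simplified: last two host labels. Real browsers consult the Public Suffix List.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])

def is_same_site(req: Request) -> bool:
    return registrable_domain(req.initiator) == registrable_domain(req.target)

def same_site_attr(set_cookie: str) -> str:
    """Return the lower-cased SameSite value from a Set-Cookie header ('' if absent)."""
    for attr in set_cookie.split(";")[1:]:
        name, _, value = attr.strip().partition("=")
        if name.lower() == "samesite":
            return value.strip().lower()
    return ""

def cookie_sent(set_cookie: str, req: Request) -> bool:
    """Would the browser attach this cookie to the request?"""
    if is_same_site(req):
        return True
    mode = same_site_attr(set_cookie)
    if mode == "strict":
        return False  # never on cross-site requests
    if mode == "lax":
        # only top-level navigations with a safe method: link click yes, POST or iframe no
        return req.top_level and req.method.upper() in SAFE_METHODS
    # SameSite=None (requires Secure) or attribute absent: legacy behaviour, always sent
    # (Chromium now treats an absent attribute as Lax by default).
    return True

def csrf_exposed(set_cookie: str, req: Request, token_validated: bool = False) -> bool:
    """Step 2 verdict: cross-site, state-changing, cookie rides along, no token check."""
    state_changing = req.method.upper() not in SAFE_METHODS
    return (not is_same_site(req) and state_changing
            and cookie_sent(set_cookie, req) and not token_validated)

# Constructed sample: the password_change PoC form served from an attacker-controlled page.
POC = Request("POST", "https://attacker.example/poc.html",
              "https://email.example.com/password_change", top_level=True)
```

With no SameSite attribute the PoC request carries the cookie and `csrf_exposed` is true; with SameSite=Lax the cross-site POST is blocked even though a plain link click to the site still sends the cookie.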