Question
After penetration testing, the developer mitigates the CSRF vulnerability by using only the Referer header. The application has other vulnerabilities like XSS. Is it possible to exploit CSRF with the help of XSS? If yes, how?
Answer 1:
Short story: It's very difficult to design effective CSRF protection when XSS is present.
Mitigation of CSRF via referrer header is generally considered a weak defense - there are situations where these are stripped (by the browsers or proxies) and you would need to fail these to be safe. For more information see: Is checking the referrer enough to protect against a CSRF attack?
An XSS allows you to send a query within the same domain, which allows much more control of the request (including setting the referrer header). So that could be used to bypass this mechanism. However, an XSS can quite often also be used to bypass other mechanisms (such as CSRF tokens).
Answer 2:
Yes it is, if it has a same-domain XSS vulnerability.
In the page that has the XSS vulnerability, execute JS code like:
// Request issued from the vulnerable origin itself, so the browser attaches the
// session cookie and a same-origin Referer header automatically.
var xhr = new XMLHttpRequest();
xhr.open("POST", "/deletepost", true);
xhr.setRequestHeader("Content-Type", "application/json");
xhr.send(JSON.stringify({
  id: 1
}));
Or something like (with jQuery):
$.post("/deletepost", { id: 1 }, function (data) {});
And the request will be sent with a Referer header of the site's own domain. Hence the CSRF vulnerability exists.
Answer 3:
To avoid the CSRF attack you have to use an anti-forgery token in your code; below is the sample code.
{Vulnerable code (CSRF):}
<h2>You have won 5k!</h2>
<!-- No anti-forgery token: any page that can make the browser submit this form succeeds -->
<form action="http://example_Test.com/Test_Admin/account" method="post">
<input type="hidden" name="Test_Transaction" value="withdraw" />
<input type="hidden" name="Test_Amount" value="500000" />
<input type="submit" value="Test_Submit" />
</form>
{Secure code (CSRF):}
<h2>You have won 5k!</h2>
<form action="http://example_Test.com/Test_Admin" method="post">
<!-- Token is unique per session/request and validated server side before the action runs -->
<input name="__RequestVerificationToken" type="hidden" value="Token value is unique" />
<input type="submit" value="Test_Submit" />
</form>
Note: You can use "same-origin policies" in the web.config file to avoid CSRF.
Same-origin policy: throughout the request the domain name should be the same.
The first request page can access the second or third page, but only if both have the same domain. If the domain is different, the request gets discarded.
- X-Frame-Options: "SAMEORIGIN"
For cross-site scripting (XSS), developers use the HttpOnly flag, the X-XSS-Protection response header in the web.config file, or proper input validation.
- cookie.setHttpOnly(true);
- myCookie.HttpOnly = true;
HttpOnly: the cookie value cannot be accessed or displayed on the client side.
Source: https://stackoverflow.com/questions/45719442/is-it-possible-to-have-csrf-if-developer-mitigates-by-referrer-header