

scanner -- create a full-automatic detection tool for csrf vulnerabilities

Posted by herskovits at 2020-02-27

1. Introduction and harmfulness of CSRF vulnerability

Figure 1-1: attack process of a CSRF vulnerability (image not preserved)

CSRF (Cross-Site Request Forgery) is usually abbreviated as CSRF or XSRF. CSRF lets an attacker act with the identity of a legitimate user: the user is made to trigger dangerous operations such as payments or posting microblog messages without knowing it, which can directly lead to worms and cause great harm. Since 2007, CSRF vulnerabilities have for several years been near the top of the OWASP top ten web security vulnerabilities. The exploitation process is shown in Figure 1-1. The attack works by including links or scripts in pages that are accessed by authorized users. A simple example: user A writes an article C on a blog site; user B posts a picture in a reply and uses a link that deletes article C as the picture's URL. When A views the picture, article C is deleted without A noticing. This is a CSRF attack.

2. Existing CSRF detection technology in the industry

2.1 Existing technical solutions in the industry

At present there is no mature and effective tool for CSRF detection in the industry. The only well-known detection tool comes from OWASP (Open Web Application Security Project). It only captures the form information submitted by a page; the user then modifies the data by hand to decide whether a CSRF vulnerability exists. This is inefficient and cannot meet the need to test a massive number of CGIs on the Internet. Other scanners can only find CSRF semi-automatically, and their false positive rates are very high: the well-known AWVS, for example, uses relatively simple logic for CSRF scanning and so produces many false positives. The industry has therefore lacked an automatic, high-accuracy CSRF detection tool.

2.2 Disadvantages of the existing technologies

1) They do not support automatic CSRF vulnerability detection.
2) They have a high false alarm rate.

3. Innovative CSRF detection technology

In response to the large number of recently reported CSRF vulnerabilities, and to solve the current problems quickly, the Tencent security team developed a fully automatic CSRF vulnerability detection tool, csrfscanner, which mainly detects vulnerabilities in the CGIs already held in the basic database. The core of the danger of CSRF is using someone else's cookie to perform a sensitive operation, so the key point of the scanner's detection logic is to distinguish between the two situations, with and without a cookie. The detection steps of csrfscanner are as follows:

1) Access the page without a cookie and get form1.
2) Access the page with a cookie and get form2.
3) Judge whether form1 and form2 are the same form. If not, go to step 4. The aim is to pick out the forms that can only be reached by making use of the cookie.
4) Judge whether words such as token and g'uk appear in form2. If not, go to step 5. Otherwise the CGI it points to very likely has a CSRF defence, and it is filtered out to reduce the false alarm rate.
5) Judge whether blacklist words such as search and login appear in form2. If not, go to step 6. Otherwise the CGI it points to is very likely not sensitive, and it is filtered out to reduce the false alarm rate.
6) Judge whether whitelist words such as save, modify and submit appear in form2. If they do, the CGI pointed to by form2 is quite sensitive, and a CSRF vulnerability is reported for it.
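The six steps above, written out as a small Python scanner. This is an added example, not csrfscanner's own code: it uses the standard-library html.parser instead of a browser engine (so JS-generated forms are not seen), the two HTML documents are constructed sample input for one URL fetched without and with the session cookie, and the keyword lists (including delete and update in the whitelist, and query in the blacklist) are assumptions beyond the words the text names. The keyword checks run over the form's action path, its query keys and values, and its field names, which is one reasonable reading of "appear in form2".

```python
"""Form-based CSRF detection modelled on the six steps described above.

Added example, not Tencent's csrfscanner. Standard library only, so
dynamically generated forms are not parsed; constructed input below.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Keyword lists are assumptions for illustration; tune them per target.
TOKEN_WORDS = ("token", "csrf", "nonce")                       # step 4
BLACKLIST_WORDS = ("search", "login", "query")                  # step 5
WHITELIST_WORDS = ("save", "modify", "submit", "delete", "update")  # step 6


class FormExtractor(HTMLParser):
    """Collect every <form> with its action, method and named fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
            }
        elif tag in ("input", "select", "textarea") and self._current is not None:
            name = attrs.get("name")
            if name:
                self._current["fields"].append(name)

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def extract_forms(html):
    parser = FormExtractor()
    parser.feed(html)
    parser.close()
    return parser.forms


def form_words(form):
    """Lower-cased strings the keyword checks run over."""
    u = urlparse(form["action"])
    words = [u.path.lower()]
    for key, values in parse_qs(u.query).items():
        words.append(key.lower())
        words.extend(v.lower() for v in values)
    words.extend(f.lower() for f in form["fields"])
    return words


def contains_any(words, keywords):
    return any(kw in w for w in words for kw in keywords)


def classify_form(form2):
    """Steps 4-6 for one form that only appears in the cookie session."""
    words = form_words(form2)
    if contains_any(words, TOKEN_WORDS):
        return "protected"       # token-like name present: likely defended
    if contains_any(words, BLACKLIST_WORDS):
        return "not_sensitive"   # search/login style action: not a sensitive CGI
    if contains_any(words, WHITELIST_WORDS):
        return "vulnerable"      # sensitive action with no token: report it
    return "unknown"             # no list matched: leave for manual review


def scan(html_no_cookie, html_with_cookie):
    """Steps 1-3: diff forms seen without and with the cookie, then classify."""
    forms1 = extract_forms(html_no_cookie)
    forms2 = extract_forms(html_with_cookie)
    # Two forms are "the same" when action, method and field names all match.
    seen = {(f["action"], f["method"], tuple(f["fields"])) for f in forms1}
    results = []
    for f in forms2:
        if (f["action"], f["method"], tuple(f["fields"])) in seen:
            continue             # also reachable without a cookie: skip
        results.append((f["action"], classify_form(f)))
    return results


# Constructed sample pages: the same URL fetched anonymously and logged in.
HTML_NO_COOKIE = """
<form action="/search" method="get"><input name="q"></form>
<form action="/login" method="post"><input name="user"><input name="pass"></form>
"""
HTML_WITH_COOKIE = """
<form action="/search" method="get"><input name="q"></form>
<form action="/post/delete" method="post"><input name="id"></form>
<form action="/profile/save" method="post"><input name="nick"><input name="csrf_token"></form>
<form action="/notify?action=submit" method="post"><input name="text"></form>
<form action="/friends/query" method="post"><input name="uin"></form>
"""

if __name__ == "__main__":
    for action, verdict in scan(HTML_NO_COOKIE, HTML_WITH_COOKIE):
        print(f"{action:28s} {verdict}")
```

On the sample input the search form is dropped at step 3 because it is identical in both sessions, the profile form is filtered at step 4 by its csrf_token field, the friends/query form is filtered at step 5, and the delete and notify forms are reported. The "unknown" verdict is the scanner's honest answer for forms that match neither list; the page's own design simply does not report them, which is where the false positive/negative trade-off of keyword lists lives.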


csrfscanner is mainly developed in C++ and uses the QtWebKit library to parse as many forms as possible from the returned HTML, so that forms generated dynamically by JS are also seen. The following is a screenshot of a vulnerability detected by csrfscanner and its exploitation (screenshot not preserved). It is a CSRF vulnerability in the company's microblog business that would let an attacker create micro-activities at will and cause worms:

4. Results

Automatic CSRF vulnerability detection has always been a technical difficulty in the industry, and there is still no good solution, so it had long been a vulnerability type our scanner did not cover. Meanwhile, CSRF has been among the top three vulnerability types by count on TSRC. Figure 4-1 shows the vulnerabilities on TSRC in July, with 65 CSRF reports taking first place.

Since csrfscanner went online on July 20, thousands of CGIs on hundreds of domain names have been found to be vulnerable, with a false positive rate below 20%. For discuz, Weibo, mailbox and other important businesses, only a single-digit number of CSRF vulnerabilities now reach TSRC each month, a clear convergence compared with the dozens of external reports in July.

5. Follow-up work

The Tencent security team has now designed a new CSRF detection scheme to further improve csrfscanner. In short, the scheme uses the WebKit kernel to hook sensitive requests and checks whether the request carries a token to decide whether a CSRF vulnerability exists; it is scheduled for completion. The enhancements of the scheme are mainly: 1) covering CSRF vulnerability detection outside forms, giving wider detection coverage; 2) higher-precision detection; 3) by hooking each sensitive request, the cause of a vulnerability can be located precisely.

Finally, I would like to thank all the security experts in the industry for their vulnerability feedback on TSRC. Every vulnerability has spurred Tencent's security vulnerability detection team to keep moving forward and keeps our vulnerability detection system at the forefront of the industry.
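The request-level decision that the hook-based scheme above would make, as an added example rather than Tencent's code. Instead of hooking WebKit's network layer it takes already-captured requests (a constructed list of dicts with method, URL, headers and body; the example.test host is a placeholder) and applies the same rule: a request issued in a logged-in session that performs a sensitive operation and carries no token is flagged. It generalises "a token in the request" to the query string, a form-encoded or JSON body, and header names, and it treats a GET whose path names a sensitive action as sensitive too, because the image-link deletion in section 1 is exactly such a request. The keyword lists are assumptions.

```python
"""Request-level CSRF check modelled on the hook-based scheme described above.

Added example, not Tencent's code. Works on captured requests rather than
a live browser hook; sample requests below are constructed.
"""
import json
from urllib.parse import parse_qs, urlparse

TOKEN_WORDS = ("token", "csrf", "nonce")                               # assumed
SENSITIVE_WORDS = ("save", "modify", "submit", "delete", "update", "create")  # assumed
SAFE_METHODS = ("GET", "HEAD", "OPTIONS")


def _keys_in_body(content_type, body):
    """Parameter names in a form-encoded or JSON body (empty for anything else)."""
    if not body:
        return []
    if "json" in content_type:
        try:
            data = json.loads(body)
        except ValueError:
            return []
        return list(data.keys()) if isinstance(data, dict) else []
    return list(parse_qs(body, keep_blank_values=True).keys())


def request_words(request):
    """Lower-cased path and query keys, used to recognise sensitive GETs."""
    u = urlparse(request["url"])
    return [u.path.lower()] + [k.lower() for k in parse_qs(u.query)]


def is_sensitive(request):
    """State-changing method, or a URL that names a sensitive action."""
    if request["method"].upper() not in SAFE_METHODS:
        return True
    return any(w in s for s in request_words(request) for w in SENSITIVE_WORDS)


def has_token(request):
    """True if a query key, body key or header name looks like an anti-CSRF token."""
    names = list(parse_qs(urlparse(request["url"]).query))
    ctype = request["headers"].get("Content-Type", "").lower()
    names += _keys_in_body(ctype, request.get("body", ""))
    names += list(request["headers"].keys())
    return any(w in n.lower() for n in names for w in TOKEN_WORDS)


def check_request(request):
    """Classify one captured request: ignored, protected or suspect."""
    if "Cookie" not in request["headers"]:
        return "ignored"        # no session for a forged request to ride on
    if not is_sensitive(request):
        return "ignored"        # a read, not the sensitive operation the hook targets
    return "protected" if has_token(request) else "suspect"


def scan_captured(requests):
    return [(r["method"], urlparse(r["url"]).path, check_request(r)) for r in requests]


# Constructed captures from a logged-in browser session (sid=1 is a dummy cookie).
CAPTURED = [
    {"method": "POST", "url": "https://example.test/api/activity/create",
     "headers": {"Cookie": "sid=1", "Content-Type": "application/x-www-form-urlencoded"},
     "body": "title=party&csrf_token=k3Xz"},
    {"method": "POST", "url": "https://example.test/api/activity/create",
     "headers": {"Cookie": "sid=1", "Content-Type": "application/json"},
     "body": '{"title": "party"}'},
    {"method": "GET", "url": "https://example.test/article/delete?id=3",
     "headers": {"Cookie": "sid=1"}, "body": ""},
    {"method": "GET", "url": "https://example.test/article/view?id=3",
     "headers": {"Cookie": "sid=1"}, "body": ""},
    {"method": "POST", "url": "https://example.test/api/comment",
     "headers": {"Cookie": "sid=1", "Content-Type": "application/json",
                 "X-CSRF-Token": "k3Xz"},
     "body": '{"text": "hi"}'},
    {"method": "POST", "url": "https://example.test/login",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "user=a&pass=b"},
]

if __name__ == "__main__":
    for method, path, verdict in scan_captured(CAPTURED):
        print(f"{method:5s} {path:24s} {verdict}")
```

The second capture is the case the form-based scanner cannot see at all: a JSON XHR with no form behind it, which is what "outside the form" in enhancement 1) refers to. Because the hook records the exact request, a "suspect" verdict also points straight at the CGI and parameters involved, which is enhancement 3).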