Vulnerability principle: CSRF stands for cross-site request forgery. It is a malicious exploitation of a website. Although it sounds similar to XSS, the two are quite different: CSRF abuses a trusted website by forging requests from a user that the website trusts.

For example:

Website A has a CSRF vulnerability, and website B is a malicious site built by an attacker. If the user has not logged out of website A, or the user's login cookie for A has not expired, and the user simply opens website B in the same browser, the attacker can use the user's identity to perform operations that only that user is allowed to perform.

Concrete example: https://www.jianshu.com/p/4eed0faaf0ca

Exploit: after capturing the request, remove the Referer field and replay it. If the request still succeeds, you can basically be sure the website has a CSRF vulnerability.

Normal jump

Here we change the password to qwer

Successful entry
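To make the principle and the Referer test concrete, here is an added example in Python that is not code from the original post: a minimal password-change handler in its CSRF-vulnerable form next to a hardened form that checks the Origin/Referer header and a per-session token, plus the check described above (strip Referer from a captured request and replay it). The site origin `https://a.example`, the dict-shaped request and session objects, and all sample values are assumptions constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://a.example"  # assumed origin of the trusted site A


def new_session(user):
    """Session created at login; the token is a secret that site B cannot read."""
    return {"user": user, "csrf_token": secrets.token_hex(16), "password": "old"}


def vulnerable_change_password(session, request):
    """Trusts the session cookie alone, so a forged POST from site B succeeds."""
    session["password"] = request["form"]["new_password"]
    return 200


def same_origin(headers):
    """Accept only when Origin (or, failing that, Referer) names our own origin.
    A request carrying neither header is rejected (fail closed)."""
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN
    return False


def hardened_change_password(session, request):
    """Reject cross-site requests and requests without this session's token."""
    if not same_origin(request["headers"]):
        return 403
    token = request["form"].get("csrf_token", "")
    if not hmac.compare_digest(token, session["csrf_token"]):
        return 403
    session["password"] = request["form"]["new_password"]
    return 200


def replay_without_referer(handler, session, request):
    """The test from the post: drop Referer from a captured request and replay it."""
    headers = {k: v for k, v in request["headers"].items() if k != "Referer"}
    return handler(session, {"headers": headers, "form": dict(request["form"])})


# Constructed sample: a legitimate request captured from the user's own browser.
CAPTURED = {"headers": {"Cookie": "sid=abc", "Referer": "https://a.example/settings"},
            "form": {"new_password": "qwer"}}
```

Against the vulnerable handler the stripped replay still returns 200 and changes the password, which is exactly the signal the test above looks for; the hardened handler returns 403 for the stripped replay, for a request whose Origin is site B, and for a request missing the session token.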

