All geek questions in one place

How to prevent cross fake request using image url?

From ha.ckers.org/xss.html :

IMG Built-in commands - this works when a web page where it (for example, a whiteboard) password protection and password protection works with other commands in the same area. This can be used to delete users, add users (if the user who visits the page is an administrator), send credentials elsewhere, etc. This is one of the less used but more convenient XSS vectors:

<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">

or

Redirects 302 / a.jpg http://victimsite.com/admin.asp&deleteuser

I allow users to post images to the forum. How can this be protected from?

I use Java Struts, but any generic answers are welcome.

+3
source share
5 answers

If you follow the rules of the HTTP specification , such an attack will not harm. Section 9.1.1 Safe Methods states:

[...] The GET and HEAD methods MUST NOT have the value of taking action other than searching. These methods should be considered "safe." This allows user agents to present other methods, such as POST, PUT, and DELETE, in a special way, so that the user becomes aware that a possible unsafe action is being requested.

, , GET; , . , , .

, , , POST. , , , /.

+5

- HTTP- GET, URL-. , <img>.

, (URL-, GET )

"" URL-, HTTP GET ( POST) , . (<img> HTTP POST)

+3

- , , . , URI.

+2

<img> - XSRF GET. , GET, <img>, , . , , , , .

html . , . , IMG , , URL- , , ! XSRF, . <img> xsrf .

+2

, , , , , , .

, XSRF, ; XSRF, , . <img> :

<img src="http://my-bank-website.com/withdraw_money.php?amount=100000&account=mandy-the-hacker" />

, , , , 100 000 mandy-the-hacker, , , -bank-website.com. XSRF.

The only way to prevent this is to force users to upload images, rather than providing URLs for them. However, an attacker can still provide a link to the XSRF vulnerability, so removing the URL submission feature doesn't really help; you don’t harm another site by allowing tags <img>, they will harm yourself without using user-specific tokens in forms .

0
source

Source: https://habr.com/ru/post/1730775/

More articles:


All Articles