One-click attack nima?

3 years ago

source link: https://dev.to/wahidd/one-click-attack-nima-1jm4
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.

One-click attack nima?

XSRF/CSRF (one-click attack) hujumlar deb bir zararli saytdan turib boshqa saytga hujum qilinishga aytiladi.

Quyidagi holatga nazar tashlang:

siz https://halol-bank.uz saytiga login qilganingizda u sayt sizga id_token ya'ni kalit beradi.
Login*dan keyin sizni **https://halol-bank.uz* har bir so'rovingizga brauzer yuqoridagi kalitni qo'shib yuboradi. Bu har bir tugma bosga parolni qayta-qayta teravermaslik uchun kerak.
siz endi https://parazit.uz nomli zararli saytga kirdingiz va u yerda Sovg'ani yutib ol 🥳🎉 degan tugmani ko'rib uni bosasiz
bu tugma ortida quyidagicha kod yashiringan

<h1>Sovg'ani yutib ol 🥳🎉</h1>
<form action="https://halol-bank.uz/api/account" method="post">
    <input type="hidden" name="Transaction" value="PulYechish" />
    <input type="hidden" name="Qiymat" value="1000000" />
    <input type="submit" value="Tugmani bosing!" />
</form>

Enter fullscreen mode

Exit fullscreen mode

yuqoridagi kodga e'tibor bering. Zararlangan vebsayt halol-bank ga so'rov jo'natmoqchi.
esingizda bo'lsa siz login qilganingizdan keyin kalit berilgandi. Ushbu yuqoridagi tugma bosilganda so'rov halol-bankga boradi, shuning uchun kalit qo'shib jo'natiladi
qarabsizki kalitni ko'rgan bank bu parazit saytni siz deb o'ylaydi va 1000000 miqdordagi pulni hisobingizdan yechib oladi

Yuqorida tushinish One-click attackni tushintirish uchun sodda/uydirma misollardan foydalanildi.

Bunda hujumlarni oldini olish uchun ASPNET Coreda AntiForgeryTokenlardan foydalaniladi. Ular haqida batafsil keyingi postda.

Recommend

www.tuicool.com 6 years ago
Cache

One-click debugging for HTTP(S)

Debug deeper with HTTP View Intercept HTTP(S) with one click, explore & examine traffic up close, and discover exactly what your code is sending. HTTP View

medium.flatstack.com 4 years ago
Cache

One Click Deployment for android developers

dev.to 4 years ago
Cache

How to use JQuery? What is it? Written By Nima Owji

Intro Hello, My name is Nima Owji. I am a 14 years old programmer. Today, I want to talk about JQuery! What is JQury? jQuery is a JavaScript library. You can use it on your websites. How to add JQuery to our pr...

blog.arkency.com 4 years ago
Cache

One simple trick to make Event Sourcing click

One simple trick to make Event Sourcing clickHi, weʼre arkency 👋 Event Sourcing is like having two methods when previously there was one. There — I’ve said it. But it isn’t...

hackernoon.com 3 years ago
Cache

It's Zero-click! Pegasus Attack Don't Need Human Action

@maxiiJaydev JoshiLerner | Infosec | OSINT

www.eclipsecon.org 2 years ago
Cache

Helidon Nima - Loom based microservices framework

Helidon Nima - Loom based microservices framework For quite a long time we...

www.wired.com 2 years ago
Cache

TikTok Users Were Vulnerable to a Single-Click Attack

TikTok Users Were Vulnerable to a Single-Click AttackMicrosoft disclosed the flaw in the Android app’s deep link verification process, which has since been fixed....

www.bbc.com 2 years ago
Cache

Suspect Nima Momeni held over Cash App founder's death

Suspect Nima Momeni held over Cash App founder's deathPublished4 days ago

www.washingtonpost.com 2 years ago
Cache

Who is Nima Momeni, accused of fatally stabbing Cash App founder Bob Lee? - The...

Who is Nima Momeni, accused of fatally stabbing Cash App founder Bob Lee?AdvertisementClose

www.businessinsider.com 2 years ago
Cache

Bob Lee Killing Suspect Nima Momeni Under Watch in Jail

Home ...

Recommend

About Joyk