{"id":1196,"date":"2011-01-23T19:49:11","date_gmt":"2011-01-23T19:49:11","guid":{"rendered":"http:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/"},"modified":"2011-01-23T19:49:11","modified_gmt":"2011-01-23T19:49:11","slug":"csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov","status":"publish","type":"post","link":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/","title":{"rendered":"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov"},"content":{"rendered":"

\u00davod do CSRF<\/span><\/p>\n

Unik\u00e1tny (n\u00e1hodn\u00fd) \u010d\u00edseln\u00fd alebo alfanumerick\u00fd token predstavuje be\u017en\u00fa ochranu s\u00fa\u010dasn\u00fdch aplik\u00e1ci\u00ed vo\u010di CSRF \u00fatokom<\/a>. Citliv\u00e9 POST formul\u00e1re zvykn\u00fa by\u0165 chr\u00e1nen\u00e9 unik\u00e1tnym tokenom, ktor\u00fd je obvykle posielan\u00fd aplik\u00e1ciou v „hidden field“, teda skrytom poli formul\u00e1ra. Citliv\u00e9 GET \u017eiadosti zase pou\u017e\u00edvaj\u00fa v URL \u010fal\u0161\u00ed parameter – napr\u00edklad „csrftoken“. V oboch pr\u00edpadoch sa aplik\u00e1cia chr\u00e1ni pred nelegit\u00edmnymi \u017eiados\u0165ami, ktor\u00e9 neprich\u00e1dzaj\u00fa od koncov\u00e9ho pou\u017e\u00edvate\u013ea, ale boli mu nejak\u00fdm sp\u00f4sobom vn\u00faten\u00e9 (napr\u00edklad cez XSS zranite\u013enosti, soci\u00e1lne in\u017einierstvo at\u010f). Pri CSRF \u00fatokoch \u00fato\u010dn\u00edk obvykle (pok\u00fdm nem\u00e1 kompletn\u00fa kontrolu nad koncov\u00fdm pou\u017e\u00edvate\u013eom) nedok\u00e1\u017ee odhadn\u00fa\u0165 ak\u00e9ko\u013evek jedine\u010dn\u00e9 (n\u00e1hodn\u00e9) hodnoty GET\/POST \u017eiadost\u00ed, ktor\u00e9 aplik\u00e1cia sp\u00e4tne overuje (a na z\u00e1klade toho sa rozhodne, \u010di dan\u00fa \u017eiados\u0165 poklad\u00e1 za legit\u00edmnu alebo nie), podobne nedok\u00e1\u017ee jednoducho z\u00edska\u0165 odpove\u010f na svoju podvrhnut\u00fa GET\/POST \u017eiados\u0165 a teda ani zisti\u0165, \u010di sa dan\u00e1 \u017eiados\u0165 \u00faspe\u0161ne vykonala alebo nie (dok\u00e1\u017ee to ale zisti\u0165 nepriamo, ak napr\u00edklad dan\u00e1 podvrhnut\u00e1 POST \u017eiados\u0165 pou\u017e\u00edvate\u013eovi zmenila heslo).<\/span><\/p>\n

Hne\u010f na za\u010diatok je d\u00f4le\u017eit\u00e9 zd\u00f4razni\u0165, \u017ee ak\u00e9ko\u013evek citliv\u00e9 \u00fadaje by sa nikdy nemali zasiela\u0165 v GET \u017eiadostiach (vi\u010f odpor\u00fa\u010danie z testovacej pr\u00edru\u010dky OWASP – Testing for Exposed Session Variables<\/a>) a to preto, lebo obsah GET \u017eiadost\u00ed (a teda citliv\u00fdch inform\u00e1cii ako napr\u00edklad „session ID“ alebo „CSRF token“) je \u0161tandardne cacheovan\u00fd vo v\u0161etk\u00fdch prehliada\u010doch, ukladan\u00fd \u010dastokr\u00e1t v proxy a firewall logoch a v neposlednom rade aj v logoch samotn\u00e9ho webov\u00e9ho servera. Preto je najlep\u0161ie na citliv\u00e9 oper\u00e1cie pou\u017e\u00edva\u0165 v\u00fdhradne POST \u017eiadosti.<\/strong><\/span><\/p>\n

Ve\u013ea v\u00fdvoj\u00e1rov riziko CSRF \u00fatokov v\u00e1\u017ene podce\u0148uje a ako ochranu \u010dasto pou\u017e\u00edvaj\u00fa s\u00edce n\u00e1hodne, ale len troj, \u0161tvor, v lep\u0161om pr\u00edpade p\u00e4\u0165cifern\u00e9 \u010d\u00edselne tokeny. V\u0161ak vysk\u00fa\u0161a\u0165 zasla\u0165 100000, \u010di nebodaj mili\u00f3n GET\/POST \u017eiadost\u00ed je n\u00e1ro\u010dn\u00e9 ako na Internetov\u00fa linku, \u00fato\u010dn\u00edkov\u00e9 zdroje, tak na \u010das, ktor\u00fd mus\u00ed by\u0165 dostato\u010dne kr\u00e1tky na to, aby \u00fato\u010dn\u00edk zastihol prihl\u00e1sen\u00e9ho pou\u017e\u00edvate\u013ea (ktor\u00fd sa v relat\u00edvne kr\u00e1tkom \u010dase m\u00f4\u017ee odhl\u00e1si\u0165 a t\u00fdm p\u00e1dom znemo\u017en\u00ed CSRF \u00fatok). \u00dato\u010dn\u00edk toti\u017e mus\u00ed postupne zasiela\u0165 v\u0161etky GET\/POST s ka\u017ed\u00fdm mo\u017en\u00fdm CSRF tokenom, aby mal istotu, \u017ee sa aspo\u0148 jeden (ten spr\u00e1vny) ur\u010dite vykon\u00e1. Rozumn\u00e1 aplik\u00e1cia m\u00f4\u017ee ale detekova\u0165 \u017eiadosti s neplatn\u00fdm CSRF tokenom a \u00fato\u010dn\u00edka hne\u010f na za\u010diatku zablokova\u0165.<\/span><\/p>\n

Uk\u00e1\u017eeme si ve\u013emi zauj\u00edmav\u00fa a elegantn\u00fa „offline“ techniku, kedy \u00fato\u010dn\u00edk nemus\u00ed svojej obeti vn\u00fati\u0165 vykonanie mili\u00f3na GET\/POST \u017eiadost\u00ed, ktor\u00e9 trvaj\u00fa extr\u00e9mne dlho – t\u00fdm p\u00e1dom sa m\u00f4\u017ee jednoducho vyhn\u00fa\u0165 zasielaniu neplatn\u00fdch CSRF tokenov a zablokovaniu zo strany aplik\u00e1cie. S\u00fa\u010dasne pop\u00ed\u0161eme viacer\u00e9 sp\u00f4soby ako je mo\u017en\u00e9 vnucova\u0165 vlastn\u00e9 GET\/POST \u017eiadosti, ktor\u00e9 sa vykonaj\u00fa v kontexte samotn\u00e9ho legit\u00edmneho pou\u017e\u00edvate\u013ea (prehliada\u010d pou\u017eije na vykonanie podvrhnut\u00fdch \u017eiadosti svoje u\u017e existuj\u00face „cookies“).<\/span><\/p>\n

Prelomenie CSRF tokenov pou\u017eit\u00edm CSS history hacku<\/p>\n

Na to, aby uveden\u00e1 technika (pou\u017eitie CSS history hacku) fungovala, musia by\u0165 splnen\u00e9 nasleduj\u00face podmienky:<\/span><\/p>\n

1. Aplik\u00e1cia mus\u00ed dan\u00fd CSRF token posla\u0165\u00a0minim\u00e1lne raz v GET \u017eiadosti<\/strong>, aby sa zacachoval do prehliada\u010da (toto sa d\u00e1 jednoducho odhali\u0165 \u013eubovo\u013en\u00fdm „fault injection“ proxy n\u00e1strojom, pr\u00edpadne pluginom do Firefoxu akoLiveHTTPHeaders<\/a> alebo TamperData<\/a>). Ve\u013ea aplik\u00e1ci\u00ed uveden\u00fa GET \u017eiados\u0165 zasiela rovno po tom ako sa pou\u017e\u00edvate\u013e \u00faspe\u0161ne prihl\u00e1si do aplik\u00e1cie.<\/p>\n

2. Koncov\u00fd prehliada\u010d pou\u017e\u00edvate\u013ea mus\u00ed by\u0165 zranite\u013en\u00fd na CSS history hack (v s\u00fa\u010dasnej dobe je uveden\u00e1 vlastnos\u0165 opraven\u00e1 len vo Firefox 4.x, v\u0161etky ostatn\u00e9 verzie Firefoxu s\u00fa zranite\u013en\u00e9 na tento druh \u00fatoku). S\u00fa\u010dasne nesmie pou\u017e\u00edva\u0165 \u0161peci\u00e1lne n\u00e1stroje, ktor\u00e9 znemo\u017e\u0148uj\u00fa ukladanie hist\u00f3rie (ako\u00a0SafeHistory plugin<\/a>).<\/p>\n

Prv\u00e1 vzorov\u00e1 implement\u00e1cia tohto \u00fatoku bola pop\u00edsana tu – Hacking CSRF Tokens usng CSS History Hack<\/a>.<\/p>\n

CSS history hack predstavuje sp\u00f4sob ako vo v\u0161etk\u00fdch s\u00fa\u010dasn\u00fdch prehliada\u010doch odhali\u0165 postupn\u00fdm enumerovan\u00edm, ktor\u00e9 presne URL (GET \u017eiadosti) boli v minulosti dan\u00fdm prehliada\u010dom nav\u0161t\u00edven\u00e9 – URL str\u00e1nka, ktor\u00fa ste v minulosti u\u017e nav\u0161t\u00edvili m\u00e1 in\u00fa farbu ako str\u00e1nka, ktor\u00e1 nav\u0161t\u00edven\u00e1 e\u0161te nebola (t.j. m\u00e1 nastaven\u00fd „a:visited“ \u0161t\u00fdl v danom URL). CSS history hack prv\u00fdkrat pop\u00edsal Jeremiah Grossman<\/a>.<\/p>\n

Samotn\u00fd „offline“ \u00fatok enumerovan\u00edm v\u0161etk\u00fdch mo\u017en\u00fdch CSRF tokenov v prehliada\u010di je v porovnan\u00ed s „online“ vytv\u00e1ran\u00edm \u017eiadost\u00ed ve\u013emi \u00a0r\u00fdchly – preh\u013eadanie 10000 kombin\u00e1ci\u00ed (teda mo\u017enos\u0165 odhali\u0165 ak\u00fdko\u013evek 4-\u010d\u00edseln\u00fd CSRF token) na mojom nieko\u013ekoro\u010dnom PC trvalo 3.5 sekundy (!), preh\u013eadanie 100 000 kombin\u00e1ci\u00ed 40 sek\u00fand, preh\u013eadanie mili\u00f3na (!) kombin\u00e1ci\u00ed CSRF tokenov zhruba 6 min\u00fat.<\/p>\n

Je nutn\u00e9 poznamena\u0165, \u017ee ak pou\u017e\u00edvate\u013e behom poslednej doby bol v aplik\u00e1ci\u00ed prihl\u00e1sen\u00fd viackr\u00e1t, tak bud\u00fa odhalen\u00e9 v\u0161etky CSRF tokeny, ktor\u00e9 behom tohto \u010dasu boli pou\u017eit\u00e9 (vr\u00e1tane toho aktu\u00e1lneho).<\/p>\n

CSRF \u00fatok s odhalen\u00fdmi tokenmi<\/span>
\nSamotn\u00fd CSRF \u00fatok je mo\u017en\u00e9 realizova\u0165 viacer\u00fdmi sp\u00f4sobmi:<\/span><\/p>\n

1. Vyu\u017eit\u00edm HTML elementov – <img><\/em>, <iframe><\/em> apod, na vn\u00fatenie vykonania \u013eubovo\u013enej GET \u017eiadost\u00ed, pr\u00edpadne pou\u017eit\u00edm „submitu“ klasick\u00fdch formul\u00e1rov <form<\/em>> na vykonanie \u013eubovo\u013enej POST \u017eiadosti.<\/p>\n

2. Pou\u017eit\u00edm AJAXu, kedy \u013eubovo\u013en\u00fd GET a POST je mo\u017en\u00e9 vykona\u0165 pomocou jednoduchej \u00a0funkcie:<\/p>\n

function postAJAX(url, query, handler)<\/strong>\r\n{\r\n    var status = false;\r\n    var contentType = \"application\/x-www-form-urlencoded; charset=UTF-8\";\r\n    \/\/ Native XMLHttpRequest object\r\n    if (window.XMLHttpRequest) {\r\n        request = new XMLHttpRequest();\r\n        request.onreadystatechange = handler;\r\n        request.open(\"POST\", url, true);\r\n      \/\/  request.setRequestHeader(\"Content-Type\", contentType);\r\n        request.setRequestHeader(\"Content-length\", query.length);\r\n        request.setRequestHeader(\"Connection\",\"keep-alive\");\r\n        request.setRequestHeader(\"Referer\",url);\r\n        request.send(query);\r\n        status = true;\r\n    \/\/ ActiveX XMLHttpRequest object\r\n    } else if (window.ActiveXObject) {\r\n        request = new ActiveXObject(\"Microsoft.XMLHTTP\");\r\n        if (request) {\r\n            request.onreadystatechange = handler;\r\n            request.open(\"POST\", url, true);\r\n      \/\/     request.setRequestHeader(\"Content-Type\", contentType);\r\n            request.setRequestHeader(\"Content-length\", query.length);\r\n            request.setRequestHeader(\"Connection\",\"keep-alive\");\r\n            request.setRequestHeader(\"Referer\",url);\r\n            request.send(query);\r\n            status = true;\r\n        }\r\n}\r\n    return status;\r\n}<\/code><\/pre>\n
<\/div>\n
V pr\u00edpade vytvorenia POST \u017eiadosti cez AJAX, som si v\u0161imol dva probl\u00e9my, ktor\u00e9 zrejme s\u00favisia s bezpe\u010dnos\u0165ou FF (na testovanie som pou\u017e\u00edval Firefox 3.6.13):<\/div>\n
<\/div>\n
1. Ak dan\u00e1 POST \u017eiados\u0165 mala zadefinovan\u00fd \u013eubovo\u013en\u00fd „Content-Type“, tak prehliada\u010d dan\u00fa \u017eiados\u0165 identifikoval ako HTTP met\u00f3du OPTIONS a t\u00fdm p\u00e1dom POST parametre boli vynechan\u00e9. Po zakomentovan\u00ed nastavovania „Content-Type“ sa tento probl\u00e9m vyrie\u0161il.<\/div>\n
<\/div>\n
2. M\u00f4j prehliada\u010d aj napriek tomu, \u017ee dan\u00e1 POST \u017eiados\u0165 bola v SOP kontexte aplik\u00e1cie, ktor\u00e1 bola paralelne otvoren\u00e1 v inom okne prehliada\u010da, jej nepreposielal pr\u00edslu\u0161ne u\u017e existuj\u00face „cookies“, \u010do je samozrejme nevyhnutn\u00e9 pri CSRF \u00fatokoch (zrejme ide o bezpe\u010dnostn\u00e9 opatrenie na strane prehliada\u010da).<\/div>\n
Toto bol d\u00f4vod, pre\u010do som upustil od posielania POST \u017eiadost\u00ed cez AJAX a pou\u017eil som klasick\u00e9 HTML formul\u00e1re. Vyu\u017eil som javascript kni\u017enicu jquery 1.4.4<\/a>\u00a0a realizoval zasielanie POST \u017eiadost\u00ed \u010disto cez HTML formul\u00e1r:<\/div>\n
\n
function postToUrl(url, params, newWindow)<\/code><\/div>\n
{<\/code><\/div>\n
\u00a0\u00a0 \u00a0var form = $('<form>');<\/code><\/div>\n
\u00a0\u00a0 \u00a0form.attr('action', url);<\/code><\/div>\n
\u00a0\u00a0 \u00a0form.attr('method', 'POST');<\/code><\/div>\n
\u00a0\u00a0 \u00a0if(newWindow){ form.attr('target', '_blank'); }<\/code><\/div>\n
<\/div>\n
\u00a0\u00a0 \u00a0var addParam = function(paramName, paramValue){<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0var input = $('<input type=\"hidden\">');<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0input.attr({ 'id': \u00a0 \u00a0 paramName,<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 'name': \u00a0 paramName,<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 'value': \u00a0paramValue });<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0form.append(input);<\/code><\/div>\n
\u00a0\u00a0 \u00a0};<\/code><\/div>\n
<\/div>\n
\u00a0\u00a0 \u00a0\/\/ Params is an Array.<\/code><\/div>\n
\u00a0\u00a0 \u00a0if(params instanceof Array){<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0for(var i=0; i<params.length; i++){<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0addParam(i, params[i]);<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0}<\/code><\/div>\n
\u00a0\u00a0 \u00a0}<\/code><\/div>\n
<\/div>\n
\u00a0\u00a0 \u00a0\/\/ Params is an Associative array or Object.<\/code><\/div>\n
\u00a0\u00a0 \u00a0if(params instanceof Object){<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0for(var key in params){<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0addParam(key, params[key]);<\/code><\/div>\n
\u00a0\u00a0 \u00a0 \u00a0 \u00a0}<\/code><\/div>\n
\u00a0\u00a0 \u00a0}<\/code><\/div>\n
<\/div>\n
\u00a0\u00a0 \u00a0\/\/ Submit the form, then remove it from the page<\/code><\/div>\n
\u00a0\u00a0 \u00a0form.appendTo(document.body);<\/code><\/div>\n
\u00a0\u00a0 \u00a0form.submit();<\/code><\/div>\n
\u00a0\u00a0 \u00a0form.remove();<\/code><\/div>\n
}<\/code><\/div>\n
<\/div>\n
M\u00f4j funk\u010dn\u00fd „proof-of-concept exploit“, ktor\u00fd pre ka\u017ed\u00fd odhalen\u00fd CSRF token z hist\u00f3rie prehliada\u010da vol\u00e1 funkciu\u00a0<\/span>postToUrl()<\/em><\/span>\u00a0je mo\u017en\u00e9 stiahnu\u0165 tu<\/a>.<\/span><\/div>\n
<\/div>\n
<\/a>Aktualiz\u00e1cia 28.1.2011<\/strong> – Marek Labo\u0161 vytvoril optimalizovanu verziu uveden\u00e9ho exploitu, ktor\u00e1 je r\u00e1dovo o polovicu r\u00fdchlej\u0161ia – k dispoz\u00edcii na stiahnutie tu<\/a>.<\/div>\n<\/div>\n
 <\/p>\n
\u010co s t\u00fdm?<\/p>\n
1. Na strane aplik\u00e1cie je nevyhnutn\u00e9 pou\u017e\u00edva\u0165 dostato\u010dn\u00e9 siln\u00e9 a unik\u00e1tne CSRF tokeny \u00a0nespolieha\u0165 sa na \u013eahko uh\u00e1dnute\u013en\u00e9 a vysk\u00fa\u0161ate\u013en\u00e9 \u010d\u00edseln\u00e9 kombin\u00e1cie.<\/p>\n
2. Pre ka\u017ed\u00fd formul\u00e1r generova\u0165 unik\u00e1tny CSRF token (nepou\u017e\u00edva\u0165 jeden CSRF token pre cel\u00e9 spojenie).<\/p>\n
3. Nikdy neposiela\u0165 CSRF token (alebo „session ID“) v GET \u017eiadostiach, ale v\u00fdhradne len v POST formul\u00e1roch.<\/p>\n
4. V pr\u00edpade, \u017ee aplik\u00e1cia obdr\u017e\u00ed od pou\u017e\u00edvate\u013ea invalidn\u00fd token, tak je potrebn\u00e9 pou\u017e\u00edvate\u013ea okam\u017eite odhl\u00e1si\u0165 a vygenerova\u0165 bezpe\u010dnostn\u00fd incident.<\/p>\n
5. Na strane klienta pou\u017ei\u0165 vhodn\u00fa ochranu vo\u010di CSS history hack – „private browsing<\/a>„, „safehistory plugin<\/a>“ alebo Firefox 4.0.<\/p>\n","protected":false},"excerpt":{"rendered":"
\u00davod do CSRF Unik\u00e1tny (n\u00e1hodn\u00fd) \u010d\u00edseln\u00fd alebo alfanumerick\u00fd token predstavuje be\u017en\u00fa ochranu s\u00fa\u010dasn\u00fdch aplik\u00e1ci\u00ed vo\u010di CSRF \u00fatokom. Citliv\u00e9 POST formul\u00e1re zvykn\u00fa by\u0165 chr\u00e1nen\u00e9 unik\u00e1tnym tokenom, ktor\u00fd je obvykle posielan\u00fd aplik\u00e1ciou v „hidden field“, teda skrytom poli formul\u00e1ra. Citliv\u00e9 GET \u017eiadosti zase pou\u017e\u00edvaj\u00fa v URL \u010fal\u0161\u00ed parameter – napr\u00edklad „csrftoken“. V oboch pr\u00edpadoch sa aplik\u00e1cia chr\u00e1ni […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[12],"tags":[542,543,83],"class_list":["post-1196","post","type-post","status-publish","format-standard","hentry","category-uncategorized-cs","tag-csrf-cs","tag-css-history-hack-cs","tag-nethemba-cs"],"yoast_head":"\nCSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov - Nethemba<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\" \/>\n<meta property=\"og:locale\" content=\"cs_CZ\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov - Nethemba\" \/>\n<meta property=\"og:description\" content=\"\u00davod do CSRF Unik\u00e1tny (n\u00e1hodn\u00fd) \u010d\u00edseln\u00fd alebo alfanumerick\u00fd token predstavuje be\u017en\u00fa ochranu s\u00fa\u010dasn\u00fdch aplik\u00e1ci\u00ed vo\u010di CSRF \u00fatokom. Citliv\u00e9 POST formul\u00e1re zvykn\u00fa by\u0165 chr\u00e1nen\u00e9 unik\u00e1tnym tokenom, ktor\u00fd je obvykle posielan\u00fd aplik\u00e1ciou v „hidden field“, teda skrytom poli formul\u00e1ra. Citliv\u00e9 GET \u017eiadosti zase pou\u017e\u00edvaj\u00fa v URL \u010fal\u0161\u00ed parameter – napr\u00edklad „csrftoken“. V oboch pr\u00edpadoch sa aplik\u00e1cia chr\u00e1ni […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\" \/>\n<meta property=\"og:site_name\" content=\"Nethemba\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/nethemba\" \/>\n<meta property=\"article:published_time\" content=\"2011-01-23T19:49:11+00:00\" \/>\n<meta name=\"author\" content=\"Pavol Lupt\u00e1k\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@nethemba\" \/>\n<meta name=\"twitter:site\" content=\"@nethemba\" \/>\n<meta name=\"twitter:label1\" content=\"Napsal(a)\" \/>\n\t<meta name=\"twitter:data1\" content=\"Pavol Lupt\u00e1k\" \/>\n\t<meta name=\"twitter:label2\" content=\"Odhadovan\u00e1 doba \u010dten\u00ed\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minut\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\"},\"author\":{\"name\":\"Pavol Lupt\u00e1k\",\"@id\":\"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234\"},\"headline\":\"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov\",\"datePublished\":\"2011-01-23T19:49:11+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\"},\"wordCount\":1324,\"commentCount\":0,\"keywords\":[\"csrf\",\"css history hack\",\"nethemba\"],\"articleSection\":[\"Uncategorized @cs\"],\"inLanguage\":\"cs\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\",\"url\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\",\"name\":\"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov - Nethemba\",\"isPartOf\":{\"@id\":\"https:\/\/nethemba.com\/de\/#website\"},\"datePublished\":\"2011-01-23T19:49:11+00:00\",\"author\":{\"@id\":\"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234\"},\"breadcrumb\":{\"@id\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#breadcrumb\"},\"inLanguage\":\"cs\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/nethemba.com\/cs\/home-new-2025\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/nethemba.com\/de\/#website\",\"url\":\"https:\/\/nethemba.com\/de\/\",\"name\":\"Nethemba\",\"description\":\"We care about your security\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/nethemba.com\/de\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"cs\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234\",\"name\":\"Pavol Lupt\u00e1k\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"cs\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g\",\"caption\":\"Pavol Lupt\u00e1k\"},\"sameAs\":[\"https:\/\/www.nethemba.com\/\"],\"url\":\"https:\/\/nethemba.com\/cs\/author\/nethemba-admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov - Nethemba","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/","og_locale":"cs_CZ","og_type":"article","og_title":"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov - Nethemba","og_description":"\u00davod do CSRF Unik\u00e1tny (n\u00e1hodn\u00fd) \u010d\u00edseln\u00fd alebo alfanumerick\u00fd token predstavuje be\u017en\u00fa ochranu s\u00fa\u010dasn\u00fdch aplik\u00e1ci\u00ed vo\u010di CSRF \u00fatokom. Citliv\u00e9 POST formul\u00e1re zvykn\u00fa by\u0165 chr\u00e1nen\u00e9 unik\u00e1tnym tokenom, ktor\u00fd je obvykle posielan\u00fd aplik\u00e1ciou v „hidden field“, teda skrytom poli formul\u00e1ra. Citliv\u00e9 GET \u017eiadosti zase pou\u017e\u00edvaj\u00fa v URL \u010fal\u0161\u00ed parameter – napr\u00edklad „csrftoken“. V oboch pr\u00edpadoch sa aplik\u00e1cia chr\u00e1ni […]","og_url":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/","og_site_name":"Nethemba","article_publisher":"https:\/\/www.facebook.com\/nethemba","article_published_time":"2011-01-23T19:49:11+00:00","author":"Pavol Lupt\u00e1k","twitter_card":"summary_large_image","twitter_creator":"@nethemba","twitter_site":"@nethemba","twitter_misc":{"Napsal(a)":"Pavol Lupt\u00e1k","Odhadovan\u00e1 doba \u010dten\u00ed":"8 minut"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#article","isPartOf":{"@id":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/"},"author":{"name":"Pavol Lupt\u00e1k","@id":"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234"},"headline":"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov","datePublished":"2011-01-23T19:49:11+00:00","mainEntityOfPage":{"@id":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/"},"wordCount":1324,"commentCount":0,"keywords":["csrf","css history hack","nethemba"],"articleSection":["Uncategorized @cs"],"inLanguage":"cs","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/","url":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/","name":"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov - Nethemba","isPartOf":{"@id":"https:\/\/nethemba.com\/de\/#website"},"datePublished":"2011-01-23T19:49:11+00:00","author":{"@id":"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234"},"breadcrumb":{"@id":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#breadcrumb"},"inLanguage":"cs","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/nethemba.com\/cs\/csrf-utok-s-vyuzitim-css-history-hacku-na-ziskanie-csrf-tokenov\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nethemba.com\/cs\/home-new-2025\/"},{"@type":"ListItem","position":2,"name":"CSRF \u00fatok s vyu\u017eit\u00edm CSS history hacku na z\u00edskanie CSRF tokenov"}]},{"@type":"WebSite","@id":"https:\/\/nethemba.com\/de\/#website","url":"https:\/\/nethemba.com\/de\/","name":"Nethemba","description":"We care about your security","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nethemba.com\/de\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"cs"},{"@type":"Person","@id":"https:\/\/nethemba.com\/de\/#\/schema\/person\/5f4ba68c8e1a2013d30e0804245b8234","name":"Pavol Lupt\u00e1k","image":{"@type":"ImageObject","inLanguage":"cs","@id":"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/978b23022518d076eaa243b375d2e0272af4f00dd502ce79cc357276d9bc2495?s=96&d=mm&r=g","caption":"Pavol Lupt\u00e1k"},"sameAs":["https:\/\/www.nethemba.com\/"],"url":"https:\/\/nethemba.com\/cs\/author\/nethemba-admin\/"}]}},"_links":{"self":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/posts\/1196","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/comments?post=1196"}],"version-history":[{"count":0,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/posts\/1196\/revisions"}],"wp:attachment":[{"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/media?parent=1196"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/categories?post=1196"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nethemba.com\/cs\/wp-json\/wp\/v2\/tags?post=1196"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}