What is a one-click attack?


This content originally appeared on DEV Community and was authored by DEV Community

XSRF/CSRF (cross-site request forgery, also called a one-click attack) is an attack in which a malicious site you are visiting makes your browser send a request to another site, with your credentials for that other site attached.

Consider the following scenario:

  • when you log in to https://halol-bank.uz, the site gives you a key (the post calls it id_token) that your browser stores as a cookie.
  • after login, your browser attaches that key to every request you send to https://halol-bank.uz. This is so that you do not have to type your password again on every click.
  • you now visit a malicious site called https://parazit.uz, see a button that says "Win the prize 🥳🎉", and press it
  • behind that button the following code is hidden:
<!-- Page served by https://parazit.uz; the victim only sees the heading and the button -->
<h1>Win the prize 🥳🎉</h1>
<!-- The form is posted to halol-bank.uz, not to parazit.uz -->
<form action="https://halol-bank.uz/api/account" method="post">
    <!-- Hidden fields: Transaction=PulYechish (withdrawal), Qiymat (amount) -->
    <input type="hidden" name="Transaction" value="PulYechish" />
    <input type="hidden" name="Qiymat" value="1000000" />
    <input type="submit" value="Press the button!" />
</form>
  • look closely at the code above: the page on parazit.uz is asking your browser to send a request to halol-bank.
  • remember that after login you were given a key. When the button is pressed, the request goes to halol-bank, so your browser attaches the key to it
  • as a result, the bank sees a valid key, cannot tell that the form came from parazit.uz rather than from you, and withdraws 1000000 from your account

The example above is simplified and made up, to explain the one-click attack.

To prevent such attacks, ASP.NET Core uses anti-forgery tokens (AntiForgeryToken): every state-changing request must also carry a secret value that only pages served by the bank itself can embed in a form, so parazit.uz cannot produce it. More about them in the next post.

DEV Community | Sciencx (2022-03-16T02:11:45+00:00) One-click attack nima?. Retrieved from https://www.scien.cx/2022/03/16/one-click-attack-nima/