在本文中,我们将会为读者分析利用CSRF劫持YouTube用户通知的过程。故事发生在某天的半夜,当时,我正在YouTube上闲逛,无意中打开了自己的通知页面,具体请求如下所示:POST /notifications_ajax?action_register_device=1 HTTP/1.1Host: www.youtube.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateReferer: https://www.youtube.com/sw.jsContent-Type: multipart/form-data; boundary=---------------------------41184676334Origin: https://www.youtube.comContent-Length: 1459Connection: closeCookie: duh, cookies! -----------------------------41184676334Content-Disposition: form-data; name="endpoint" https://updates.push.services.mozilla.com/wpush/v1/gAAA...-----------------------------41184676334
………………………………