Hi , i am Febin , a security researcher. This is my first post in OBB blog, which is about the mighty CSRF attack.
IMPACT OF CSRF:
In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user’s account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application’s data and functionality.
First of all , what actually CSRF is??
CSRF (Cross-Site Request Forgery), as its name suggests it is all about requesting a resource to another domain or webserver from an attacker created webpage.
For example, an attacker webpage sends a POST/GET request to change the password of the victim to a website in which the victim has an account created in it. This makes CSRF one of the most dangerous attacks in the wild because it could lead to User account take-over.
On the other hand there are CSRFs involving a request to logout the victim from the target site. For Example , attacker webpage sends a GET request to “target.com/logout.php” , which will then logs out the victim from target.com. But these kind of CSRFs are not considered as a security issue because it has no impact on the users or the website owners.
Here are some good techniques for finding CSRFs!
- Create a dummy user account in the target site which you need to test!
- Verify your mail address if it asks for verification.
- Go to your profile/account settings.
- Look for some sensitive forms like “Billing address”, “Change Username”, “Change Password”, “Add Bio”, “Delete profile” etc..
- Try changing the default values on those forms and submit the form.,
- Capture the request in BurpSuite.
- Check if any CSRF token is present or not! That is , in some websites they use CSRF/Form tokens while sending the request. Those tokens are random string of characters which changes each time when the website loads. It is a mitigation measure against CSRF attacks.
- If Token is not present then the site may be vulnerable to CSRF.
- Now you are good to go, send the request to repeater and drop the request.
- Go to repeater tab send the request. If you got 200 response , try one more time , but this time just change any value in the request and send the request.
- Go to your profile and check that the value you sent via burp repeater gets updated in your profile. If it gets updated, then it is vulnerable.
- Now build a sample exploit by creating an example attacker webpage
- Sample exploit webpage should contain the same form but the “action” parameter should be equal to “http://target.com/csrf_vulnerable.php” and all the form input fields shoulb be “hidden”. Sample Exploit WebPage Code will be available here : Exploit_page_code , the exploit is meant to add arbitary billing address into the victim profile after 10 seconds since the victim opens the webpage. I found a CSRF bug in a website and used the same exploit for the PoC. Note : I changed the domain name to “example.com” .
Some Tips to bypass CSRF tokens!
- Check the CSRF token and identify the parameter name, if it is a hash like md5 , sha1 , sha256 etc., try cracking the hash. If you are successfully able to crack the hash and the cracked value is something predictable like numbers, then you can bypass it by predicting the CSRF token value ; hash it using the same algorithm ; add it into the malicious webpage/request
- Try removing the token value and parameter from the request and see that the request actually made any changes in the profile, if yes then you can bypass it.
- Try adding your own custom / random string into the token parameter replacing the original token. It’s length should be equal to the original token
- Try using the old tokens in the new request
- Try Converting POST request to GET request , remove CSRF token and send the request.
- Try removing anti CSRF headers from the request.