Find valid and impactful CSRF vulnerabilities and bypass protections.

Febin
4 min read · Feb 28, 2021

Hi, I am Febin, a security researcher, bug bounty hunter, CEH and a cybersecurity enthusiast.

Twitter: febinrev

In this blog I am going to talk about CSRF!

What is CSRF?

CSRF (Cross-Site Request Forgery), as its name suggests, is about sending a request to another domain or web server from an attacker-created web page.

For example, an attacker's web page sends a POST or GET request to change the victim's password on a website where the victim has an account. This makes CSRF one of the most dangerous attacks in the wild, because it can lead to user account takeover.

On the other hand, there are CSRF attacks that merely log the victim out of the target site. For example, the attacker's web page sends a GET request to "target.com/logout.php", which logs the victim out of target.com. This kind of CSRF is not considered a security issue because it has no impact on the users or the website owners.

[Figure: CSRF attack.]

IMPACT of CSRF:

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user’s account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application’s data and functionality.

Some good techniques for hunting CSRF vulnerabilities:

  • Create a dummy user account on the target site you need to test.
  • Verify your mail address if the site asks for verification.
  • Go to your profile/account settings.
  • Look for sensitive forms such as "Billing address", "Change Username", "Change Password", "Add Bio", "Delete profile", etc.
  • Try changing the default values in those forms and submit the form.
  • Capture the request in Burp Suite.
  • Check whether a CSRF token is present. Some websites send a CSRF/form token with the request: a random string of characters that changes each time the page loads. It is a mitigation measure against CSRF attacks.
  • If no token is present, the site may be vulnerable to CSRF.
  • Now you are good to go: send the request to Repeater and drop the original request.
  • Go to the Repeater tab and send the request. If you get a 200 response, try once more, but this time change any value in the request before sending it.
  • Go to your profile and check that the value you sent via Burp Repeater was updated in your profile. If it was updated, the form is vulnerable.
  • Now build a sample exploit by creating an example attacker web page.
  • The sample exploit web page should contain the same form, but the form's "action" value should be "http://target.com/csrf_vulnerable.php" and all the form input fields should be "hidden". Sample exploit web page code:

```html
<html>
<body>
<h1> Hi This is Febin!! </h1>
<img src="https://mumbrella.com.au/wp-content/uploads/2018/04/money-cash-768x486.png">

<h2> click below to win cash prize </h2>

<form action="https://www.example.com/index.php?route=account/edit" method="post" enctype="multipart/form-data" class="form-horizontal">
<input type="hidden" name="firstname" value="hacker">
<input type="hidden" name="lastname" value="hacker">
<input type="hidden" name="email" value="hacker@mail.com">
<input type="hidden" name="confirm_email" value="hacker@mail.com">
<input type="hidden" name="telephone" value="809090900">

<input type="submit" value="Click Here!">
</form>

</body>
</html>
```

Sometimes developers implement protection mechanisms against CSRF attacks, such as CSRF tokens. Sometimes these protections are weak or can be bypassed.

Some CSRF protection bypasses that you can test against the target:

  1. Remove the CSRF token.
  2. Remove both the token value and the parameter from the request.
  3. Register two users. Replace one user's CSRF token with the other user's token in the request. If the request succeeds, the target app is vulnerable to CSRF attacks.
  4. Remove the CSRF token and change the request method to "GET".
  5. Try replacing the original token with your own custom/random string of the same length as the original token.
  6. Try removing anti-CSRF headers from the request.
  7. Remove the "Origin" header and the "Referer" header.
  8. Check the CSRF token: if it is a hash like MD5, SHA-1, SHA-256, etc., try cracking the hash. If you succeed and the cracked value is something predictable like a number, then you can bypass the protection by predicting the CSRF token value, hashing it with the same algorithm, and adding it to the malicious web page/request. Use a hash identifier tool like "hash-id" to identify the algorithm.

Mitigation/Prevention:

OWASP CSRF Prevention Cheat Sheet
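As an added example, not code from the original post, here is a framework-independent server-side check in Python that applies the synchronizer token pattern together with the Origin/Referer check from the OWASP cheat sheet. It exists so that the hunting steps and the bypass list above can be read from the defender's side: `run_bypass_checks()` replays each request variation (token removed, another user's token, method switched to GET, same-length random string, Origin and Referer stripped, cross-origin page) against the validator and shows every one of them being refused while the legitimate request passes. The in-memory session store, the `TRUSTED_ORIGIN` value, and the function names are assumptions made for this illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed in-memory session store (hypothetical; a real app keeps this in its
# server-side session backend): session_id -> CSRF token issued for that session.
_sessions: dict[str, str] = {}

# Origin of the protected site; assumed value for this example.
TRUSTED_ORIGIN = "https://www.example.com"

# Methods that must never change state. A state-changing action reachable through
# one of these is forgeable by a plain <img> or link no matter what tokens exist.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_csrf_token(session_id: str) -> str:
    """Bind a fresh, unpredictable token to the session (synchronizer token pattern).

    secrets.token_urlsafe draws from the OS CSPRNG. A hash of a counter, timestamp
    or user id would be guessable by anyone who works out the scheme (bypass 8).
    """
    token = secrets.token_urlsafe(32)
    _sessions[session_id] = token
    return token


def _origin_of(url: str) -> str:
    """Reduce an Origin or Referer header value to scheme://host[:port]."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def validate_state_changing_request(session_id, method, headers, form):
    """Return (accepted, reason) for a request that would change account state.

    headers and form are plain dicts, as a web framework would hand them over.
    """
    # 1. Only unsafe methods may change state (defeats "switch to GET", bypass 4).
    if method.upper() in SAFE_METHODS:
        return False, "state-changing action reached via a safe method"

    # 2. Origin (or Referer) must be present and match our own origin. Treating a
    #    missing header as a failure is what defeats "strip both headers" (bypass 7).
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False, "missing Origin and Referer"
    if _origin_of(source) != TRUSTED_ORIGIN:
        return False, "cross-origin request"

    # 3. A token must be submitted at all (bypasses 1 and 2).
    submitted = form.get("csrf_token")
    if not submitted:
        return False, "missing CSRF token"

    # 4. ...and it must be the token issued to *this* session, compared in constant
    #    time. Another user's valid token (bypass 3) and a same-length random string
    #    (bypass 5) both fail here.
    expected = _sessions.get(session_id)
    if expected is None or not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False, "token does not match this session"

    return True, "ok"


def run_bypass_checks() -> dict:
    """Replay the bypass variations from the post; True means the request was accepted."""
    tok_victim = issue_csrf_token("sess-victim")
    tok_attacker = issue_csrf_token("sess-attacker")  # the second registered user
    same_origin = {"Origin": TRUSTED_ORIGIN}
    # Constructed form data, mirroring the sample page's fields.
    edit = {"email": "hacker@mail.com", "confirm_email": "hacker@mail.com"}

    def attempt(method, headers, extra):
        return validate_state_changing_request("sess-victim", method, headers, {**edit, **extra})[0]

    return {
        "legitimate": attempt("POST", same_origin, {"csrf_token": tok_victim}),
        "token_removed": attempt("POST", same_origin, {}),
        "empty_token": attempt("POST", same_origin, {"csrf_token": ""}),
        "other_users_token": attempt("POST", same_origin, {"csrf_token": tok_attacker}),
        "method_changed_get": attempt("GET", same_origin, {}),
        "same_length_random": attempt("POST", same_origin, {"csrf_token": "A" * len(tok_victim)}),
        "headers_stripped": attempt("POST", {}, {"csrf_token": tok_victim}),
        "cross_origin_page": attempt("POST", {"Origin": "https://attacker.example"}, {"csrf_token": tok_victim}),
    }


if __name__ == "__main__":
    for name, accepted in run_bypass_checks().items():
        print(f"{name:20s} -> {'ACCEPTED' if accepted else 'rejected'}")
```

Rejecting a request that carries neither Origin nor Referer is the stricter of the two options OWASP describes; it breaks a few privacy-configured browsers, so some sites log such requests instead and rely on the token check alone. Either way, the token check is the primary control and the header check is defence in depth, not a replacement for it.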

Thank You!

Happy Hacking!

Follow Me on Twitter


Febin

CEH | CEH(Master) | eJPT | OSCP | CRTP |CyberSecurity Enthusiast | Security Researcher | Bug Hunter | Always seeks for knowledge