Understanding the CSRF Vulnerability (A Beginner Guide)

Today we will see CSRF attack in different scenario like transferring fund and password changing but before we see how cross site request forgery works we need to understand of few concepts.

Tabbed browsing: Tabbed browsing is an attribute of the Web browsers which allow the users to view multiple web sites on a single window instead of opening new browser window. These extra web pages are represented by tabs at the top of the browser window.

Imagine that you are logged into the Facebook server and visit a malicious website in the same browser, although on different tab. In absence of the same origin policy (SOP), an attacker can go through your profile and other sensitive information with the help of JavaScript. For example read private messages, send fake message, read your chats.

SOP: The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

XHR: XML Http Request is an API in the form of an object whose methods transfer data between a web browser and a web server. 

  • Update a web page without reloading the page
  • Request data from a server – after the page has loaded
  • Receive data from a server  – after the page has loaded
  • Send data to a server – in the background

CSRF: Cross-site request forgery also known as single-click attack or session traversing, in which a malicious website will throw a request to a web application that the user is already authenticated against from a different website. This way an attacker can access functionality in a targeted web application via the victim’s already authenticated browser.

If the victim is an ordinary user, a successful CSRF attack can force the user to perform state changing requests like transferring funds, changing their email address, and so forth. If the targeted end user is the administrator account, this can compromise the entire web application.

In this article we will test a web application against csrf vulnerability with the help of burp suit Poc.

Source https://www.w3schools.com/xml/xml_http.asp

https://en.wikipedia.org/wiki/Same-origin_policy

Let’s start!!

 For this tutorial I had used bWAPP the vulnerable web application and create a new user raaz with password 123 for login inside the web server.

Now set the security level low then from list of given vulnerability choose your bug cross site request forgery (change secret) and click on hack.

If you have noticed the first image for creating a new user in that the user “raaz” has set his secret value as 123 now if the user raaz wish to change the secret value for his password he can change it from here.

Now let’s check out how we can test this functionality against CSRF attack and force raaz to change his secret value from the attacker’s desired value that is set a new secret value without his (user) knowledge.

Start the burp suite to capture the sent request between the browser and web application.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

CSRF PoC generator will automatically generates an HTML form page which you can see in given below screenshot, Click on copy HTML tag and open a text document to past the copied data.

Once you have paste the html code now add your (attacker) secret value “1234” moreover you need to add user name “raaz” for whom the secret value will get changed, now save the text document as csrf1.html and then use social engineering technique for sharing csrf1.html file to the targeted user.

When victim will open Csrf1.html file, here he will found a submit button now as he will click on submit button the secret value for target location will get changed without his (victim) knowledge.

Here you observe the result form given below screenshot. Hence in this way CSRF attack change the old secret value for password set by user “raaz”.

In next scenario we are going to test CSRF attack while transfer amount from users account. You might be well aware from such scenario when phone operator let say Airtel transfer an amount (Rs 500) in order to recharge customer phone and user receive the message of transaction and other example is related  bank amount transfer from one user’s account to another user’s account.

In order to learn csrf attack in this situation again login in bWAPP then choose your next vulnerability cross site request forgery (transfer Amount) and click on hack.

In the given screenshot you can see user have only 1000 EUR in his account it means above this amount the transaction  is not possible for both (user as well as for attacker). Further it is showing user’s account number to transfer and amount to be transfer.

The procedure for csrf attack is similar as above use burp suite to capture the sent request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Again it will create html form automatically for intercepted data now click on copy html tag given at below to copy the generate html code for form.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker) amount “100” to be transfer, now save the text document as csrf2.html and then use social engineering technique for sharing csrf2.html file to the targeted user.

When victim will open Csrf2.html file, here he will found a submit button now as he will click on submit button given amount will be transfer without his (victim) knowledge.

From given screenshot result you see now the amount is left 900 EUR in user’s account which means 100 EUR has been deducted from his account. Hence again we saw effect of CSRF attack while amount transaction from once account to another.

At last we are going to learn the most impactful CRSF attack for changing the password of user account without his knowledge. Again we will login into bwapp and choose the bug “cross site request forgery (change password)” to test the csrf vulnerability.

Here you can clearly saw two text field, one for new password another for confirm password again we will repeat the process using burp suite to catch the request of browser.

Form given screenshot you can see we have successfully captured the request inside burp suite now here once you have received intercepted data then go towards ACTION tab select engagement tools and at last choose Generate CSRF PoC.

Once again it has generated the html code for changing the password, hence you can see burp suite itself generate related html form for destination website, and this is an advantage which save attacker’s time for generating CSRF html form. Again click on copy html tab to copy the code.

Open a text document to past the copied data, Once you have paste the html code now add your (attacker)new password value and confirm password value, now save the text document as csrf3.html and then use social engineering technique for sharing csrf3.html file to the targeted user.

If you remember the old password was “123” for user “raaz” and from screenshot you can perceive that now new password is raj.

When victim will open Csrf3.html file, here he will found a submit button now as he will click on submit button the password will reset for his account without his (victim) knowledge.

Hence you can verified it through given below image where it has clearly gave the message that “password has been changed”

So today you have seen how we had made csrf attack on web application server in different scenario with help of burp suite Poc.

Try it yourself!!

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...

Leave a Reply