Cross-site request forgery (CSRF) attack

Ahmed Fahim (Elliot)
9 min read · Mar 9, 2023

The Arabic-language version of this article is available at:
https://cyberfortech.blogspot.com/2023/03/cross-site-request-forgery-csrf-attack.html

What is CSRF (Cross-Site Request Forgery)?

CSRF (Cross-Site Request Forgery) is a type of vulnerability that allows an attacker to perform unwanted actions on a website on behalf of an authenticated or logged-in user. The attack takes advantage of the fact that the website relies on the user’s browser for authentication, and thus does not verify that the request is made by the user themselves.

[Image: CSRF, from cyberelliot.com]

A common example of a CSRF attack is when a user visits a malicious website while still logged into a vulnerable website. The malicious website can then send a request to the vulnerable website on behalf of the user, and the vulnerable website will think the request is legitimate and perform the requested action.

CSRF attacks can have severe consequences, such as unauthorized transactions, data theft, or even full account takeovers. Web developers need to take steps to protect their websites from CSRF attacks, such as implementing CSRF tokens, validating the Referer header, and using SameSite cookies.

What is the impact of CSRF?

The impact of a CSRF attack depends on the actions the attacker is able to perform on behalf of the victim. Some examples of the impact of a successful CSRF attack include:

1- Unauthorized transactions: An attacker can use CSRF to trick a user into making unsolicited transactions on a vulnerable website, such as transferring money to the attacker’s account.
2- Data theft: CSRF can be used to steal sensitive data from a vulnerable website, such as personal information, credit card numbers, or login credentials.
3- Account takeover: If the attacker is able to perform actions on behalf of the victim, they may be able to take over the victim’s account on the vulnerable website, allowing them to perform further malicious activities.
4- Reputation damage: A successful CSRF attack can damage the reputation of a vulnerable website, as users may lose confidence in the security of the site and become reluctant to use it in the future.

How does CSRF work?

A CSRF attack works by exploiting the trust a website has in a user’s browser. Typically, a website uses cookies or tokens to identify a user and verify that they are authorized to perform certain actions on the website.

In a CSRF attack, the attacker creates a malicious website or email that contains a request to perform a specific action on the vulnerable website. When the victim clicks on a link or visits the malicious website, their browser sends the request to the vulnerable website, along with any cookies or tokens that the website needs in order to accept the request.

Since the vulnerable website trusts the user’s browser, it processes the request and performs the action as if it were from a legitimate user. This allows the attacker to perform actions on behalf of the victim, such as changing their account information, making purchases, or performing other sensitive operations.

To succeed, a CSRF attack requires that the victim is currently logged in to the vulnerable website, and that the site either has no sufficient defenses against these types of attacks or has defenses that the attacker can bypass.

EXAMPLE

For example, let’s say an application has a functionality that allows a user to change the email address on their account. When the user performs this action, it presents an HTTP Request like the following:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE

email=wiener@normal-user.com

This satisfies the required conditions for CSRF:

1- The action of changing the email address on the user account is of interest to the attacker. After this procedure, the attacker will usually be able to reset the password and take full control of the user account.
2- The application uses the session cookie to identify the user who issued the request. There are no other tokens or mechanisms in place to track user sessions.
3- An attacker can easily specify the request parameter values required to perform the action.

With these conditions in place, the attacker can create a web page containing the following HTML code:

<html>
<body>
<form action="https://vulnerable-website.com/email/change" method="POST">
<input type="hidden" name="email" value="pwned@evil-user.net" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

If the victim visits the attacker’s web page, the following will happen:

1- The attacker’s page will send an HTTP Request to the vulnerable website.
2- If the user is logged into the vulnerable website, their browser will automatically include their session cookie in the Request (assuming SameSite cookies are not being used).
3- The vulnerable website will process the request in the normal way, treating it as having been made by the victim, and changing their email address.
This example is from PortSwigger.
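To make the three conditions concrete, here is a small Python model of the email-change endpoint above. It is an added illustration for this edit, not code from the article or from PortSwigger: the session cookie value is the one shown in the request, while the user store, the attacker origin `attacker.example` and the handler itself are constructed. It shows that a request produced by the attacker’s auto-submitting form reaches the handler with exactly the same cookie and body as the user’s own submission, and that the only header the server could use to tell them apart is the browser-set Origin, which is where the defenses discussed later hook in.

```python
"""Toy model of the email-change example: the server identifies the user only
by the session cookie, so a request forged by another site is indistinguishable
from a legitimate one. Added illustration; names and values are constructed."""
from dataclasses import dataclass, field

SESSION_COOKIE = "yvthwsztyeQkAPzeQ5gHgTvlyxHfsAfE"   # value from the article's request
users = {"wiener": {"email": "wiener@normal-user.com"}}   # constructed user store
sessions = {SESSION_COOKIE: "wiener"}                     # session id -> logged-in user


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def _session_id(req):
    """Parse the session id out of the Cookie header (none -> None)."""
    cookie = req.headers.get("Cookie", "")
    pairs = dict(kv.split("=", 1) for kv in cookie.split("; ") if "=" in kv)
    return pairs.get("session")


def handle_change_email_vulnerable(req):
    """Condition 2 from the text: the only check performed is the session cookie."""
    user = sessions.get(_session_id(req))
    if user is None:
        return 401, "not logged in"
    if req.method != "POST" or req.path != "/email/change":
        return 404, "not found"
    users[user]["email"] = req.form["email"]
    return 200, "email updated"


def legitimate_request():
    """The user's own form submission from the site's settings page."""
    return Request("POST", "/email/change",
                   {"Host": "vulnerable-website.com",
                    "Origin": "https://vulnerable-website.com",
                    "Cookie": f"session={SESSION_COOKIE}"},
                   {"email": "wiener@normal-user.com"})


def forged_request():
    """What the browser sends when the attacker's auto-submitting form fires:
    the attacker chose the body, the browser attached the cookie, and the
    browser (not the attacker) set Origin to the page that submitted the form."""
    return Request("POST", "/email/change",
                   {"Host": "vulnerable-website.com",
                    "Origin": "https://attacker.example",   # constructed attacker origin
                    "Cookie": f"session={SESSION_COOKIE}"},
                   {"email": "pwned@evil-user.net"})


def server_visible_differences(a, b):
    """Headers whose values differ between two requests: the only signal the
    server has for telling a forged request from a legitimate one."""
    keys = set(a.headers) | set(b.headers)
    return sorted(k for k in keys if a.headers.get(k) != b.headers.get(k))


if __name__ == "__main__":
    print(handle_change_email_vulnerable(legitimate_request()), users["wiener"])
    print(handle_change_email_vulnerable(forged_request()), users["wiener"])
    print("differs only in:", server_visible_differences(legitimate_request(), forged_request()))
```

The vulnerable handler accepts both requests and the forged one overwrites the email, because nothing in the request proves that the user intended it; `server_visible_differences` reports `["Origin"]`, the header that Origin/Referer validation relies on and that a SameSite cookie policy would have made moot by withholding the cookie in the first place.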

Steps to find CSRF vulnerabilities

1- Create a dummy user account on the target site you want to test: This involves creating a new account on the target site specifically for testing purposes. This ensures that your testing does not inadvertently affect other users.

2- Verify your email address if verification is required: Some sites require email verification to activate newly created accounts. Be sure to verify your email address if necessary.

3- Go to profile or account settings: Once logged in, go to the profile or account settings page.

4- Look for sensitive forms: Look for forms that allow users to perform sensitive actions such as changing passwords, updating information, or deleting accounts. These forms are likely to be more vulnerable to CSRF attacks.

5- Try changing the default values in those forms and submit the form: Modify the default values in the forms and submit them to see if the site is vulnerable to CSRF attacks.

6- Capture the request in Burp Suite: Use a proxy tool like Burp Suite to intercept and modify HTTP requests.

7- Check for CSRF tokens: Check for server-generated tokens present on each form to prevent CSRF attacks. If the form does not include a CSRF token, or if the token is predictable or easily guessable, the site may be vulnerable to CSRF attacks.

8- Send the request to Repeater and drop the original request: Replay the request from Burp Repeater and see if you get a 200 response. If you do, the site may be vulnerable.

9- Try modifying the request: Tweak the request a bit and see if it still works. If so, the site is likely to be vulnerable to CSRF attacks.

10- Check if the value you provided via Burp Repeater has been updated in your profile: If the value you provided via Burp Repeater has been updated successfully in your profile, the site is vulnerable to CSRF attack.

11- Create a sample exploit by creating a webpage for the attacker: This step involves creating a webpage that contains a form with the same fields as the vulnerable form on the target site. The action attribute should be set to the vulnerable URL, and all form input fields should be set to “hidden.”

<html>
<body>
<h1>this is page!</h1>
<img src="https://example.com/images/candidate.jpg">
<form action="https://example.com/vote.php" method="post" enctype="multipart/form-data" class="form-horizontal">
<input type="hidden" name="firstname" value="hacker">
<input type="hidden" name="lastname" value="hacker">
<input type="hidden" name="email" value="hacker@mail.com">
<input type="hidden" name="confirm_email" value="hacker@mail.com">
<input type="hidden" name="telephone" value="809090900">
<input type="submit" value="Click Here!">
</form>
</body>
</html>

Bypassing CSRF Protection

1- Remove the CSRF token: Some websites use a CSRF token as a mitigation measure against CSRF attacks. This token is a random string of characters that changes each time the website loads. If you remove the token value and parameter from the request, it can bypass the CSRF protection. However, not all websites use CSRF tokens, and some may have other forms of protection, so this technique may not always be effective.

2- Register 2 users: In this technique, you register two users on the target website and replace one user’s CSRF protection token with the other user’s in the request. If the request succeeds, then the target app is vulnerable to CSRF attacks. This technique can be used to test the effectiveness of the CSRF protection mechanism.

3- Remove the CSRF token and change the request method to “GET”: Changing the request method to GET can bypass CSRF protection mechanisms that only validate POST requests. However, many websites use additional security measures, such as checking the request method, so this technique may not always work.

4- Try adding your own custom / random string into the token parameter: If you can guess the format of the CSRF token, you can add your own token into the request to bypass the CSRF protection. The new token should be of the same length as the original token. However, guessing the token format may not always be easy, especially if it is generated randomly.

5- Remove anti-CSRF headers from the request: Some websites use additional security measures, such as anti-CSRF headers, to protect against CSRF attacks. By removing these headers, you can bypass the protection mechanism. However, some websites may have other security measures in place, and this technique may not be effective.

Escalate the attack

CSRF attacks can be a serious security risk and can lead to a range of potential consequences, from account takeover to data theft. Therefore, it’s important to escalate the attack once a CSRF vulnerability has been identified.

Here are some techniques to escalate the attack:

1- Perform actions with more impact: Once a CSRF vulnerability is found, the attacker can start to craft requests to perform actions with more impact, such as changing the victim’s email, password, or even performing financial transactions. The attacker can modify the existing request to perform these actions, or create new requests to achieve the same goal.

2- Chain multiple attacks: An attacker can chain multiple CSRF vulnerabilities together to perform a more complex attack. For example, if an attacker can change a victim’s email and password, they can then use these credentials to log into the victim’s account and perform further actions.

3- Exploit vulnerabilities in related systems: An attacker can look for vulnerabilities in related systems to escalate the attack. For example, if the victim’s email is changed, the attacker can try to use this email to reset passwords on other systems that are linked to the victim’s email.

4- Use social engineering: An attacker can use social engineering techniques to trick the victim into performing certain actions, such as clicking on a link or entering their login credentials. This can be combined with a CSRF attack to achieve a more complete compromise of the victim’s account.

5- Target privileged users: If the attacker is able to compromise a privileged user’s account through a CSRF attack, they can use this access to escalate the attack and perform more damaging actions. For example, they may be able to access sensitive data or perform actions that are restricted to privileged users.

See also: https://sl4x0.github.io/web-notes/csrf/#:~:text=Escalating%20the%20Attack

Common defences against CSRF

Nowadays, successfully finding and exploiting CSRF vulnerabilities often involves bypassing anti-CSRF measures deployed by the target website, the victim’s browser, or both. The most common defenses you’ll encounter are as follows:

1- CSRF tokens: A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. This makes it very difficult for an attacker to construct a valid request on behalf of the victim.

2- SameSite cookies: SameSite is a browser security mechanism that determines when a website’s cookies are included in requests originating from other websites. As requests to perform sensitive actions typically require an authenticated session cookie, the appropriate SameSite restrictions may prevent an attacker from triggering these actions cross-site. Since 2021, Chrome enforces Lax SameSite restrictions by default. As this is the proposed standard, we expect other major browsers to adopt this behavior in future.

3- Referer-based validation: Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application’s own domain. This is generally less effective than CSRF token validation.

4- CAPTCHAs: CAPTCHAs are used to verify that the request is being made by a human and not by a script or bot. They can be effective in preventing CSRF attacks, but can also be inconvenient for users.

5- Two-Factor Authentication: Two-factor authentication adds an extra layer of security by requiring the user to provide two forms of authentication. This can be effective in preventing CSRF attacks, but can also be inconvenient for users.

6- HTTP Methods: HTTP methods can be used to restrict the type of requests that can be made. For example, GET requests can be used for reading data, while POST requests can be used for modifying data. This can be effective in preventing CSRF attacks that rely on modifying data.

7- Session Expiration: Session expiration can be used to limit the amount of time that a session is active. This can be effective in preventing CSRF attacks, since they rely on the victim still holding an active session when the forged request arrives.
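The first three defenses above (CSRF token, SameSite cookie, Origin/Referer validation) combined in one toy handler, as an added Python example that is not code from the article or from any of its references. The site origin, the session store and the request shape are constructed; `handle_change_email` is the hardened counterpart of the email-change endpoint from the example section earlier. It also covers the two-user check from the bypass section: a token issued to another session is rejected, because each token is bound to the session that issued it.

```python
"""Hardened email-change handler: per-session synchronizer token compared in
constant time, Origin (falling back to Referer) restricted to our own site,
and a session cookie issued with SameSite=Lax. Added illustration; the origin,
session store and request shape are constructed."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://vulnerable-website.com"   # constructed: the site's own origin
sessions = {}   # session id -> {"user": name, "csrf": token, "email": current email}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def login(user):
    """Create a session and return (session id, Set-Cookie header value).
    Defence 2: SameSite=Lax keeps the cookie off cross-site POSTs, so the
    forged form submission would arrive with no session at all."""
    sid = secrets.token_urlsafe(32)
    sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(32), "email": None}
    return sid, f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def csrf_token_for(sid):
    """Defence 1: the token the server embeds as a hidden field in its own form.
    It is bound to this session, so another user's token is useless."""
    return sessions[sid]["csrf"]


def _session_id(req):
    cookie = req.headers.get("Cookie", "")
    pairs = dict(kv.split("=", 1) for kv in cookie.split("; ") if "=" in kv)
    return pairs.get("session")


def _same_origin(req):
    """Defence 3: browsers set Origin on cross-site POSTs and scripts cannot
    override it; fall back to Referer for clients that omit Origin."""
    origin = req.headers.get("Origin") or req.headers.get("Referer", "")
    return origin == SITE_ORIGIN or origin.startswith(SITE_ORIGIN + "/")


def handle_change_email(req):
    sess = sessions.get(_session_id(req))
    if sess is None:
        return 401, "not logged in"
    if req.method != "POST":
        return 405, "method not allowed"          # state changes only via POST
    if not _same_origin(req):
        return 403, "cross-origin request refused"
    # compare_digest keeps the comparison constant-time so the token cannot be
    # recovered byte by byte through response timing.
    supplied = req.form.get("csrf", "")
    if not hmac.compare_digest(supplied, sess["csrf"]):
        return 403, "missing or invalid CSRF token"
    sess["email"] = req.form["email"]
    return 200, "email updated"


def user_request(sid, email, token=None, origin=SITE_ORIGIN):
    """Build the POST a browser would send; origin=SITE_ORIGIN models the site's
    own form, any other origin models the attacker's page."""
    form = {"email": email}
    if token is not None:
        form["csrf"] = token
    return Request("POST", "/email/change",
                   {"Host": "vulnerable-website.com", "Origin": origin,
                    "Cookie": f"session={sid}"}, form)


if __name__ == "__main__":
    sid, set_cookie = login("wiener")
    print(set_cookie)
    print(handle_change_email(user_request(sid, "new@normal-user.com", csrf_token_for(sid))))
    print(handle_change_email(user_request(sid, "pwned@evil-user.net", None, "https://attacker.example")))
```

Each check fails closed on its own: the forged request is refused on origin before the token is even looked at, a same-origin request without the right token is refused, and a token stolen from a second account does not unlock the first. The Referer fallback is the weak link, as the article notes for Referer-based validation, because some clients and proxies strip that header; with Origin present on all modern browsers' cross-site POSTs, the token remains the check to rely on.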


References

https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html

https://book.hacktricks.xyz/pentesting-web/csrf-cross-site-request-forgery

https://portswigger.net/web-security/csrf

https://sl4x0.github.io/web-notes/csrf/

https://www.linkedin.com/pulse/find-valid-impactful-csrf-vulnerabilities-bug-bounty-bypass-mon-saji/

https://github.com/reddelexc/hackerone-reports/blob/master/tops_by_bug_type/TOPCSRF.md
