All the great things are simple, and many can be expressed in a single word: freedom, justice, honor, duty, mercy, hope.

Sunday, October 28, 2012

How to exploit CSRF vulnerability(CSRF tutorial)?

Today, I'm going to explain you about WEB vulnerability that not everyone knows...but it very popular.This vulnerability is very dangerous and effective.Usually, the vulnerability exploiting never leave evidences.This vulnerability called: Cross Site Request Forgery(CSRF).CSRF and the way to exploit it is extremely easy; Much easier then all the complicated injections.

How does it works?

It works by forcing the slave's browser to run HTTP requests in order to implement a range of actions, for example :
  • Permission faking\stealing.
  • Transfer of funds from the Bank
  • Disruption of the normal sequence of the site
And much more.
Requirements to exploiting CSRF.
  • Make sure that the slave have SESSION \ COOKIE on the target site.
  • slave must be identified by the network protocol verification (HTTP Authentication)                                                                                                  
Actually, In order to cause the slave to perform unwanted actions he is not aware of, the slave must be logged to the target site with cookies and verified by the browser \ server.

Common uses CSRF attacks.

Common attack is using the image tag (img src) in the HTML document. I mean, in the SRC of the image tag must be inserted malicious link should send HTTP requests to the target, such as a GET request can be excellent. The benefits of using an image tag on the normal link tag (a href) are :
  1. Image tag does not require clicking the link compared Tag-A requires clicking on the link to activate the HTTP request.
  2. Nature of browsers is to send HTTP requests to visual objects such as picture or remote files (CSS, JS, etc.) even while loading the page without the user's permissions. This means the user does not need to perform any action in order to see the image on the page, all he has to do is go to a certain site specific browser sends HTTP requests have to load the image. In this case, since the browser recognizes the HTML code of the image tag, it sends HTTP requests to load the image even if the SRC of the image is not really a picture, but a malicious link ...

For those of you that uses Fire-Bug(Firefox add-on) can see in the next snapshot example of sending an HTTP request from the browser to the server to load an image during the login of the user:
csrf-tutorial

Also, CSRF attacks can be implemented not only through websites but through email messages. Since the mail boxes allow sending data to HTML format, the attached image perfectly legal. In this case I can send a malicious email message to huge amount of recipients, put a photo tag email body when the SRC contain a malicious link, when the slave opens the email, the desired action done.


Exploiting code examples: 


HTML
Using img tag:
PHP Code:
<img style="display:none;" src="http://targetsite.com/change_password.php?new_password=123456">

Using iframe tag:
PHP Code:
<iframe src="http://targetsite.com/change_password.php?new_password=123456"></iframe>

Java Script
using image object.
PHP Code:
<script>
var poniz = new Image();
test.poniz = "http://targetsite.com/change_password.php?new_password=123456";
</script>

Exploiting sequence

Here a cool example that actually belong to Black-SEO.
What I want to check in my user control panel is the parameters are sent as a request to HTTP server when I'm updating my home page via the user control panel.
There are a variety of fields that can be updated, such as address, phone, email, name, content, and most importantly for this example: The favorite website\home page address.
These parameters are sent to the server when updating my website address. So it seems to Firebug: 
csrf-tutorial

 
These parameters are sent to the server using POST method. So we do not see the parameters in the URL address. But, if the parameters will be written via GET method, the data will sent? Let's see.
Code:
http://targetsite.com?users.php?db[webaddress]=http://www.PonizSite.com&action=save
It works! (Actually...in the server-side code(php), the variable was in REQUEST method...but it's not matter)

Now ... Imagine that Dork like this one:
Quote:
site:targetsite.com & intext:"Homepage" & intext:"email: "

Now, I've got all the emails of users and I can send them an emails with img tag, and when they will open it, their home page\website address field in their profile will change(To http://www.ponizSite.com) Oui

How to prevent?

There are not many hermetical familiar solutions to prevent CSRF attacks.
Except from one: Tokens.
What are actually tokens? This is a hidden random ID responsible for sending structured data, such as logging into forms, forms that allow registered users to update data or home page(in our case Evilgrin)


<input type="hidden" name="8pssf18ssdmf8s7p80fodi" value='1' id="token" />

Since the tokens are defined, the attacker can not know what is the token of the slave, because every loading of the page the token will change to other random number\string.

Tips :
  • Don't forget to delete your cookies.
  • Use tokens(Captcha is safer).
  • When you built your php site, don't use GET \ REQUEST super-global variables.

4 comments:

nirav said...

If you want to know How to find CSRF vulnerable website ,then you can comment here. :)

mahesh padeniya said...

most of srilankan web sites are vulnerable to CSRF.

Clark Kent Rosal said...

how to detect if site is vulnerable to CSRF attak

Nirav Desai said...

Sorry for late reply, most of time you have to find manually,but you can also use some script. Following links are useful to know if website is vulnerable to CSRF or not

https://github.com/marlon-be/marlon-csrfscanner
http://seclist.us/2011/12/xssscanner-1-1-csrfscanner-1-0-released.html@Clark Kent Rosal

Post a Comment

UA-35960349-1