Unmasking Basic CSRF Bugs: Hunter Guide for Beginners
Cross-site Request forgery
Hey, guys welcome to my blog so today we are going to discuss about CSRF vulnerability which is probably medium/low severity and we are going to solve the basic portswigger lab of CSRF finale we end up with some common defenses against CSRF
“Application security prioritizes impact over bug classification.!!”
https://evilox.medium.com/explanation-of-csrf-cross-site-request-forgery-bc6a5042bcbf
In the above article, I discuss basic of CRSF vulnerability which you will get a good understanding of CSRF vulnerability so now let’s move on to the portswigger lab
Hunting for CSRF
Alert: Before looking for this check your out-scope of the bug bounty program
Lab : CSRF vulnerability with no defenses: In this lab, there is no protection against CSRF vulnerability
- First Login/signup into that application
You can log in to your account using the following credentials: wiener:peter
2. Look for the state change action endpoint:
which is password change, email change, address change, deleting an account, sending a message
the above endpoints are the example you can choose any high-severity action endpoint that makes the change high for the user
Here there is an email updating endpoint and you can able to change the mail
3. Lack of CSRF Protection: Check for Lack of CSRF protection using burpsuite
First, enter any mail id hacked@gmail.in and capture that request in burp and check whether there is a CSRF token in the body or the cookie
It looks like this [ csrf_token = “e1f55fd7a4b0c8d7c32a3be95a38f6bc” ]
check the header also X-CSRF: e1f55fd7a4b0c8d7c32a3be95a38f6bc
So there is no CSRF token
3. Draft the HTML form to confirm this Vulnerability
If you have burpsuite professional edition it would be easy to generate the CSRF POC or if you don’t have the means it is ok there alternative for this
- Burpsuite Professional Edition { Engagement tools -> Generate CSRF POC generator }
Click Generate CSRF POC you will get the HTML form
Here you can directly test this by test in the browser option or copy and paste it into a local file and saved it in CSRF.html which makes it better for future use or report
Now open this in your browser and click the submit request
Now the Email id will get the change if it changes congratulations you have found the first CSRF vulnerability on that application
2. Alternative Method if don’t have Burpsuite pro edition
Use this website: https://csrf.infos3c.net/
On this website, you need to copy and paste the message body on that site and you will get the POC ( Use at your own risk )
or simply use the below HTML form
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="URL" method="POST">
<input type="hidden" name="email" value="id@mail.in" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>In this form, you need to do it manually adding the input but it is better to use the website for POC
3. Solving this Lab
To solve this Lab there is an exploit server right so go to the exploit server and paste the CSRF HTML form on the body
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0a8800fd03f47b4580bab77.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="hacked@burpsuite.in" />
<input type="hidden" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>And we have added some javascript
<script>
document.forms[0].submit();
</script>Which helps us to automaticity redirect this is not necessary for the bug bounty program but it CTF
You just need to show the change in the application
Beginners Tip: First, take note of all the state-changing requests and use firefox don’t use Chrome for CSRF bug
Common protection for CSRF
- CSRF tokens — A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. This makes it very difficult for an attacker to construct a valid request on behalf of the victim.
- SameSite cookies — SameSite is a browser security mechanism that determines when a website’s cookies are included in requests originating from other websites. As requests to perform sensitive actions typically require an authenticated session cookie, the appropriate SameSite restrictions may prevent an attacker from triggering these actions cross-site. Since 2021, Chrome enforces
LaxSameSite restrictions by default. As this is the proposed standard, we expect other major browsers to adopt this behavior in the future. - Referer-based validation — Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application’s own domain. This is generally less effective than CSRF token validation
In the next article, we will see how to bypass the above protection
So I hope you will understand this article if you like this give applause and follow me on Medium for more articles if have any doubts don’t hesitate to contact me
Follow Me on Instagram: https://www.instagram.com/_._vicki__/
