CSRF Vulnerabilities: How to Exploit and Defend Against Attacks
Today, in this article, we will explore a comprehensive guide to CSRF exploitation and prevention. Cross-Site Request Forgery (CSRF) is a common web security vulnerability that can have serious consequences if left unaddressed. Understanding how CSRF attacks work and how to protect your applications against them is crucial for any web developer. Let’s dive into the details.
CSRF-Vulnerability:
Cross-Site Request Forgery (CSRF) is a type of web security vulnerability that allows attackers to trick victims into executing unwanted actions on a web application in which they are currently authenticated. In simpler terms, it’s a way for an attacker to make your web browser do something you didn’t intend to do, even if you’re logged into a trusted website.
How CSRF Attacks Work
Step-by-Step Breakdown
- Victim Authentication: The victim logs into a web application and establishes a session.
- Malicious Request Creation: The attacker creates a malicious website or email containing a request to the web application.
- Victim Interaction: The victim unknowingly interacts with the malicious link or form.
- Request Submission: The malicious request is sent to the web application, using the victim’s authenticated session.
- Action Execution: The web application processes the request as if it was made by the victim, performing the unwanted action.
Example Scenario
Imagine a banking application where users can transfer money by sending a POST request to a specific endpoint. An attacker crafts a malicious webpage containing a form that submits a POST request to the transfer endpoint with predetermined parameters. When the victim, who is already authenticated on the banking site, visits the malicious page and submits the form (intentionally or unintentionally), the money is transferred without their consent.
Techniques to Exploit CSRF Vulnerabilities
1. Using Hidden Forms
Attackers can create hidden forms that automatically submit requests when the victim visits a page. These forms can be hidden using CSS or JavaScript to prevent the victim from noticing them.
Exploiting CSRF to Add a New Admin
Scenario:
- Bank Website Admin Panel: The bank has an admin panel where authenticated administrators can add new admin users. The endpoint to add a new admin is something like
https://bankwebsite.com/admin/add_user
Exploitation Steps:
Exploitation Steps:
- Victim Authentication: The victim (a current admin) logs into the bank website and has a valid session.
- Malicious Request Creation: The attacker crafts a malicious page designed to exploit the CSRF vulnerability. The page contains a form that will be auto-submitted to the bank’s admin endpoint to add a new admin user.
- Malicious Form Example:
<html>
<body>
<form method="POST" action="https://bankwebsite.com/admin/add_user" name="Write Any name Example: CSRF">
<input type="hidden" name="txtEmail" value="target@gmail.com"/>
<input type="hidden" name="hidUserrName" value="Test"/>
<input type="hidden" name="txtPassword" value="12345678"/>
<input type="hidden" name="txtConfirmNewPassword" value="12345678"/>
<input type="hidden" name="IsAdmin" value="1"/>
<input type="submit" value="Submit">
</form>
<script>
function myFunction(){
document.CSRF.submit();
}
setTimeout(myFunction, 50);
</script>
</body>
<html>4. Victim Interaction: The victim, while logged into the bank website, visits the malicious page. The form is auto-submitted without the victim’s knowledge.
5. Request Submission: The request to add a new admin user (attackerAdmin) is sent to the bank's server, using the victim's authenticated session.
6. Action Execution: The bank server processes the request and adds the new admin user, thinking the request is legitimate.
Step-by-Step Guide to Burp Suite
Step 1: Open Burp’s browser and log in to your account. Submit the “add admin” form, and find the resulting request in your Proxy history.
Step 2: If you’re using Burp Suite Professional, right-click on the request and select Engagement tools / Generate CSRF PoC.
Step 3: Alternatively, if you’re using Burp Suite Community Edition, use the following “https://tools.nakanosec.com/csrf/" just submit the “POST” request it will be convert into html.
Step 4: Send the file to victim when victim click this file you will be admin of the victim company.
Defense Strategies Against CSRF
Token-Based Mitigation:
The synchronizer token pattern is one of the most popular and recommended methods to mitigate CSRF.
Use Built-In Or Existing CSRF Implementations for CSRF Protection:
Since synchronizer token defenses are built into many frameworks, find out if your framework has CSRF protection available by default before you build a custom token generating system. For example, .NET can use built-in protection to add tokens to CSRF vulnerable resources. If you choose to use this protection, .NET makes you responsible for proper configuration (such as key management and token management)
SameSite Cookies:
Set cookies with the SameSite attribute to prevent them from being sent with cross-site requests.
Set-Cookie: sessionId=abc123; SameSite=StrictDouble-submit cookie prevention:
A double-submit cookie token approach can be used if using a valid token on the server side is impossible. In this cookie-based session handling, when a user visits a website, the site generates a value that stores as a cookie on the user’s device, apart from the cookie that serves as a session identifier. When a legitimate request is submitted to the site, it must contain the same value as included in the cookie. The server then verifies this, and the request parameter is accepted if the values match
Custom request header:
A technique that is particularly effective for AJAX or API endpoints is the use of custom request headers. In this approach, JavaScript is used to add a custom header. Unfortunately, JavaScript can’t make cross-origin requests with a custom header because of the SOP security restrictions. This prevents sending a cross-domain request with custom headers, thereby eliminating the possibility of a CSRF attack.
Important Note
This guide is provided for educational purposes only. Unauthorized access to systems or exploiting vulnerabilities without permission is illegal and unethical. Always ensure you have explicit permission before testing or exploiting security vulnerabilities. If you discover a vulnerability, follow responsible disclosure practices by reporting it to the affected organization.
Conclusion
Understanding how CSRF vulnerabilities can be exploited is crucial for web security professionals. Using tools like Burp Suite, you can generate CSRF proof-of-concept files to demonstrate these vulnerabilities and help organizations strengthen their security measures. Always use this knowledge responsibly to improve security and protect users.
If you enjoyed it please do clap & let’s collaborate.
Twitter: https://x.com/xamiron
Linkedin: https://bd.linkedin.com/in/sabuj-modak
Email: xamiron.modak@gmail.com
