ATO Attack Series 1: Cross-Site Request Forgery Account Takeover
Posted on Apr 15, 2022 | By Mritunjay
Cross-Site Request Forgery (CSRF) is a vulnerability that lets an attacker execute some action on the web application on behalf of an authenticated victim user. So, for taking over an account, an attacker can update the password of the victim user. Other possibilities include updating the email or phone number of the victim and then resetting the password.
As a demonstration, we will be using a vulnerable application having Cross-Site Request Forgery as a known vulnerability.
|Vulnerable Application||Cups Easy 1.0|
|Associated CVE||CVE-2020-8425, CVE-2020-8424|
Marty is an attacker and he wants to take over his friend Elif’s account.
Steps to Reproduce
Login to the application as Marty and click on Password from the Utils dropdown.
Click on Change my password and the password change option will show up.
Next, fill up the password input with the password of your choice and click on Change.
Intercept this request in a proxy server such as Burp and send it to the repeater. Drop the request from the proxy tab.
Note: The request needs to be dropped because if it reaches the server, then Marty’s password will be changed. Our current objective is to change Elif’s password.
Go to the CSRF POC generator and fill up the required details accordingly.
Note: Do not forget to change the username to elif. Click on Download CSRF POC to download the HTML file.
The POC that was downloaded needs to be hosted on a server. For this, we can use the http.server module from python to create a server.
After getting hosted, our page looks like this:
Note: This is just a simulation of an attack. The sensitive parameters are clearly visible in the page, but these things can easily be hidden in HTML through the hidden attribute. Consult the exploit link in the description.
Now we need to lure Elif to our page. This can be done through social engineering.
As soon as Elif visits our page (with an active session on the application) and clicks on the button, a password change request will be sent to the server.
The password change message will now appear on the browser saying the password was updated successfully.
Now Marty can access Elif’s account through the known password.
The most common and easy method of prevention against CSRF is to include a unique CSRF token with each and every request. The token should be completely random and should be strictly validated at the backend.
A same-site attribute in the cookie can also be used as a CSRF prevention mechanism. The same-site attribute tells the browser not to include the user’s session cookie in the requests that do not originate from the original domain.
Start Protecting your Credentials Today! Get in touch with CSW for Red Teaming and VMaaS services.
Never miss a patch or an update with CSW’s Patch Watch Newsletter. Subscribe now!