Website Hacking Series; Part D: Cross-Site Request Forgery (CSRF)

Frankline Misango
7 min read · Mar 9, 2023


Header image: a weekly hacker group which meets at Dimsum Labs, 100 Jervois Street, 14/F, Sheung Wan, Hong Kong (source: Wikimedia Commons / Dimsum Labs)

Disclaimer: This article is for educational purposes and seeks to promote ethical hacking and superior cybersecurity practices in organizations and private entities. It does not advocate for any malicious intent. Furthermore, all materials used in this tutorial are solely personal and intentionally set vulnerable. I, therefore, absolve myself from any future unauthorized scripting by parties reading this article that may compromise the integrity of respective wireless networks.

Hello, welcome back to this series. We are exploring website hacking tricks, and today I will be demonstrating CSRF. This is part D of a running series. In the previous article, I covered manual and automated SQL injection on DVWA and recommended that readers also try their skills on https://www.hackthissite.org/, which is free to practise everything we have been learning so far.

In this article, I will talk about CSRF, which uses malicious code to take advantage of a user's trusted session inside their browser. A common case is an attacker sending a malicious link to a user: if the user clicks it while logged in, the forged request is sent with the full privileges of their current trusted session [e.g. password autofill can be manipulated]. The attacker can then act on sites such as the victim's banking site and wire themselves money. Learn more here.

Requirements

  • Kali Linux as a separate OS / VMware Kali Linux
  • Burp Suite (installed by default in Kali)
  • DVWA (download from https://github.com/digininja/DVWA )
  • MySQL (installed by default in Kali)
  • Apache (installed by default in Kali)
  • Basic mastery of MySQL, PHP & Bash scripting
  • Basic prompt engineering skills: ChatGPT
  • Basic Python skills

Procedure

  1. Install and run DVWA. This video offers the best explanation for getting DVWA up and running and walks through my script instructions below in video form (if you succeed, jump directly to step 2). I also covered it fully in step 1 of the previous article. Read more here. Make sure you have a window as below. We set our username and password as admin and password respectively.
Admin and Password

2. Navigate to the CSRF page below and start testing. Type test as the new password.

Test as password for the lowest settings

3. Click Test Credentials to check whether "test" is a valid password for admin. We can indeed see that the password is valid for the user admin.

Test message for success

4. Before moving to step 5, we need to understand the logic behind the previous two steps, because it is the basis of the CSRF. In the window below, look at the URL at the top and note the fields highlighted in red: password_new=test&password_conf=test&Change=Change#

Figure 4.1: You can also edit the URL above directly and submit it with test.

We note that we can manually change the password_new variable to any value of our choice. This editing is the logic behind CSRF: the password change is an ordinary request whose parameters sit in the URL, so anyone who can get a logged-in user's browser to load that URL changes the password. Imagine, in the context of our practice page, a user who is logged in to their bank's web app and is changing their password. If the user clicks our link, delivered as a pop-up ad or an email link in which we have set the password_new value, the password is changed without their knowledge. Before they realize they can no longer log in, an attacker may already have accessed the account and siphoned off valuables. You can try any password values you want in the italicized fields below. You can stop here if the process succeeds; the next steps cover the case where the website has more advanced protection against CSRF.

password_new=hacked&password_conf=hacked&Change=Change#

We will now raise the security level of the page and attempt the same trick.

5. Observing the source code [Figure 5.1], we can see specific code snippets that prevent CSRF attacks, highlighted in red below. Snippet 1 tells us that the request must come from the server hosting the system itself, i.e. the 127.0.0.1 host we set up when changing the admin password inside the MySQL database (if you want to know how that works, read the first article in this series). Snippet 2 tells us that if the request comes from anywhere else, such as an attacker, the page reports that the request is not possible. We attempt the trick from step 4 and see that it fails, as in Figure 5.2. The next step gives us a solution :)

Figure 5.1: Observe the highlighted snippets.
Remember to change the DVWA security level to Medium for this and the following steps.

6. Our solution is Burp Suite. We intercept the request before it is checked by the PHP code, edit it so that it appears to come from the server, and then forward it on; the check passes and the password is changed.

7. Fire up Burp Suite and turn on Intercept as below. Using Burp Suite and FoxyProxy was covered in our previous articles.

Figure 7.1: Enable FoxyProxy
Figure 7.2: Intercept ON

8. Repeat step 5, where we want to change the password to "hacked". Once we click Change, the request appears in the Burp window, Figure 8.2 below. We are interested in the Referer field. We change it to "127.0.0.1" as in Figure 8.2; also open the Request headers tab and observe that the Referer has changed. After these steps, hit Forward.

Figure 8.1: Click Change and you will be automatically redirected to the window below in Burp Suite
Figure 8.2: Observe the two arrows and click Forward after changing

9. When we go back to the window from step 7, we see the message that the password was changed. Boom! We can test the credentials now [Figure 9.2]. Remember to turn off FoxyProxy / Burp Suite Intercept from step 8; otherwise, you will be redirected back to Burp Suite.

Figure 9.1: Success after forwarding in Burp Suite
Figure 9.2: The admin & hacked combination works
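As an added illustration (not code from the article or from DVWA), the following Python models the server-side decisions the walkthrough exercises: no check (Low), the Referer check of Snippets 1 and 2 (Medium, assumed here to be a substring match on the server name), and a synchronizer token of the kind DVWA's higher levels use (the user_token field name is an assumption). It shows why the Referer edited in step 8 satisfies the Medium check, while a cross-site request lacking the session token does not.

```python
import hmac
import secrets
from urllib.parse import urlparse

SERVER_NAME = "127.0.0.1"  # DVWA host used in the walkthrough

def referer_check(headers: dict, server_name: str = SERVER_NAME) -> bool:
    """Model of the Medium-level snippets: accept when the Referer contains the
    server name (assumed substring match). The header is set by the client, so a
    proxy can rewrite it, which is exactly what step 8 does."""
    return server_name.lower() in headers.get("Referer", "").lower()

def origin_check(headers: dict, server_name: str = SERVER_NAME) -> bool:
    """Stricter variant (added here, not DVWA code): compare the parsed hostname
    exactly and reject requests that carry no Referer at all."""
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlparse(referer).hostname == server_name

def issue_token(session: dict) -> str:
    """Synchronizer token: minted server-side, kept in the session and embedded in
    the form, so a page on another site cannot know it."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token

def token_check(session: dict, form: dict) -> bool:
    """Constant-time comparison of the submitted token with the session copy."""
    expected = session.get("csrf_token")
    supplied = form.get("user_token", "")
    if not expected or not supplied:
        return False
    return hmac.compare_digest(expected, supplied)

def password_change_allowed(level: str, session: dict, headers: dict, form: dict) -> bool:
    """Accept or reject a change-password request at a DVWA-style security level."""
    if form.get("password_new") != form.get("password_conf"):
        return False
    if level == "low":
        return True
    if level == "medium":
        return referer_check(headers)
    if level == "high":
        return token_check(session, form)
    raise ValueError(f"unknown level: {level}")
```

The token check is the one worth copying: it keys acceptance on a secret the browser only sends back to the page that issued it, rather than on a header the client controls.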

Optional section: Python automation

We can use Python to carry out the whole CSRF with the script below, which sends our request with a legitimate-looking Referer and returns the response. We want to change the password to "tested".

  1. Write the script below in Python (GitHub link). Comments explain how the code works.

2. Execute the script in the terminal [scroll down to see the password changed].

Tested is our new password.

3. Test the new password and observe whether it changed.

Testing the admin and tested combination... indeed it works.

Conclusion & Follow-Up Notes

We have finished the manual CSRF, the semi-automated one with Burp Suite, and the automated one using a Python script. To build up your knowledge further, try running the script against https://www.hackthissite.org/. Furthermore, study the Python sockets module, and feel free to view my GitHub repository here, which has some scripts written in Python demonstrating different applications of the sockets module.

Recommendations

Realistically, no major organization or website programs code so poorly sanitized that our level of CSRF can take place. Where one does, proper PHP-side CSRF protection should be put in place to deter CSRF of any kind. Admins should not expose server addresses carelessly, since they are all we needed to carry out the CSRF. If you suspect CSRF, alert security immediately and avoid clicking links on pages that ask you to change sensitive information such as passwords.

The next article, the last in this series, comes next week and will discuss the coveted Cross-Site Scripting! Stay tuned. Before then, read parts A to D and be conversant with them before the XSS article.
