Cross-Site Request Forgery (CSRF) bug

Cross-Site Request Forgery (CSRF): a missing CSRF token can let an attacker perform critical actions on your account remotely. It is a simple bug to find, and one of my favourite types of bug too. Most people think it is not worth looking for. They are wrong: I have tons of success stories from finding these, and escalating a simple CSRF to an account takeover is simpler than you think. Look for an interesting action; once you detect that it is vulnerable, think about how you can escalate. Can you change a password? An email? Even a username could lead to an account takeover and give you a High/Critical issue, which most companies will later pay $5k/$10k per bug for. That's easy money for me!

**So what's CSRF, and how can it be your best friend?**

Cross-Site Request Forgery (CSRF), also known as a one-click attack, is a malicious exploit where an attacker tricks a victim's browser into performing unwanted actions on a web application that the victim is authenticated with. Imagine a puppeteer pulling the strings, forcing unsuspecting users to carry out their bidding.

Understanding CSRF: The Mechanics

CSRF attacks exploit the trust that a web application has in its users. When a user is logged into a website, the site often relies on cookies or other session tokens to verify their identity. CSRF attacks leverage this trust by sending forged requests that appear to come from the legitimate user, but are actually initiated by the attacker.

The CSRF Attack Flow

**1. The Setup:** The attacker identifies a vulnerable web application and creates a malicious website or email containing a hidden request.
**2. The Bait:** The victim, who is already logged into the target website, clicks on a link or views the malicious content.
**3. The Trigger:** The hidden request is automatically sent to the target website, using the victim's authenticated session.
**4. The Action:** The target website processes the request, believing it to be legitimate, and performs the action specified by the attacker.

Types of CSRF Attacks

**1. GET-Based CSRF:** The malicious request is sent as a GET request, often embedded in a link or image tag.
**2. POST-Based CSRF:** The malicious request is sent as a POST request, usually through a hidden form or JavaScript code.

Impact of CSRF Attacks

CSRF attacks can have devastating consequences. Some potential impacts include:

**● Changing a user's email address:** An attacker could change the email associated with a victim's account, locking them out and taking control.
**● Transferring funds:** If the target website is a banking application, an attacker could initiate unauthorized transactions.
**● Posting unauthorized content:** An attacker could post malicious content or spam on behalf of the victim.
**● Changing a user's password:** This could allow the attacker to completely take over the victim's account.

Identifying and Exploiting CSRF Vulnerabilities

**1. Manual Testing:**

    ○ Analyze web forms and identify actions that can be performed with a single request.
    ○ Look for missing or weak CSRF tokens.
    ○ Test if the application verifies the origin of requests.

**2. Automated Scanning:**

    ○ Use web vulnerability scanners like Burp Suite or OWASP ZAP to automate the process of finding CSRF vulnerabilities.
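A defender-side check for the first two manual-testing points, added here as an example and not part of the original post: it parses page HTML and reports state-changing forms that carry no hidden anti-CSRF field, plus GET forms (which must never change state). The recognised field names are the defaults of a few common frameworks; the sample HTML and its `/login`, `/change-email` and `/search` paths are constructed for the example.

```python
from html.parser import HTMLParser

# Hidden-field names that common frameworks use for the anti-CSRF token
# (Django, Rails, ASP.NET, and two generic names).
TOKEN_FIELD_NAMES = {
    "csrf_token", "_csrf", "csrfmiddlewaretoken",
    "authenticity_token", "__RequestVerificationToken",
}


class FormAuditor(HTMLParser):
    """Collect every <form> with its method, action and whether a hidden
    anti-CSRF input was seen inside it."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}   # HTMLParser lowercases names
        if tag == "form":
            self._current = {
                "action": attrs.get("action", ""),
                "method": (attrs.get("method") or "GET").upper(),
                "has_token": False,
            }
        elif tag == "input" and self._current is not None:
            is_hidden = attrs.get("type", "").lower() == "hidden"
            if is_hidden and attrs.get("name") in TOKEN_FIELD_NAMES:
                self._current["has_token"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(html: str) -> dict:
    """Return {'unprotected': [...], 'get_forms': [...]}.

    'unprotected' are POST forms with no anti-CSRF field (the classic finding);
    'get_forms' are GET forms, listed because a GET can be fired by an <img>
    tag and tokens are rarely applied to it, so it must be read-only.
    """
    parser = FormAuditor()
    parser.feed(html)
    parser.close()
    unprotected = [f for f in parser.forms
                   if f["method"] == "POST" and not f["has_token"]]
    get_forms = [f for f in parser.forms if f["method"] == "GET"]
    return {"unprotected": unprotected, "get_forms": get_forms}


# Constructed sample page: one protected form, one unprotected, one GET form.
SAMPLE_HTML = """
<form action="/login" method="post">
  <input type="hidden" name="csrf_token" value="not-a-real-token">
  <input name="user"><input name="pass" type="password">
</form>
<form action="/change-email" method="POST">
  <input name="email" type="email">
  <input type="submit" value="Save">
</form>
<form action="/search" method="get">
  <input name="q">
</form>
"""

if __name__ == "__main__":
    report = audit_forms(SAMPLE_HTML)
    for form in report["unprotected"]:
        print(f"POST form without anti-CSRF field: {form['action']}")
    for form in report["get_forms"]:
        print(f"GET form (must be read-only): {form['action']}")
```

Run over your own templates or a saved page, this flags the change-email form as unprotected and lists the search form for a manual look. It cannot see the third manual-testing point (whether the server checks the request origin); that needs a request with a foreign `Origin` header sent against a test account, or a read of the server-side code.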

Example Payloads:

```html
<img src="https://vulnerable-website.com/transfer?amount=1000&recipient=attacker" width="0" height="0">
<form action="https://vulnerable-website.com/change-email" method="POST">
    <input type="hidden" name="email" value="attacker@email.com">
    <input type="submit" value="Click me!">
</form>
```

Mitigating CSRF Attacks

**○ CSRF Tokens:** Implement a unique and unpredictable token for each user session and include it in all state-changing requests.
**○ Referer Header Validation:** Verify that the `Referer` header of requests matches the expected domain.
**○ SameSite Cookies:** Use the `SameSite` attribute to restrict cookies from being sent with cross-site requests.
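The three mitigations above combined in one minimal server-side check, added here as an example and not code from the original post or any framework: a per-session synchronizer token, `Origin` validation with `Referer` as the fallback, and a `SameSite=Lax` session cookie. The request shape (method, header dict, form dict, session dict) and the `SITE_ORIGIN` value are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Assumed values for the example; a real app takes these from its config.
SITE_ORIGIN = "https://example-app.test"          # constructed origin
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def issue_csrf_token(session: dict) -> str:
    """Synchronizer token pattern: one unpredictable token per session, kept
    server-side and embedded as a hidden field in every state-changing form."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value for the session cookie. SameSite=Lax makes the browser
    withhold it on cross-site POSTs (the CSRF vector) while still sending it
    on ordinary top-level links; Strict would withhold it there too."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def origin_allowed(headers: dict) -> bool:
    """Check the request source. Origin is preferred; Referer is the fallback.
    A state-changing request that carries neither is rejected, because an
    absent header cannot prove a same-origin source."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if not referer:
            return False
        parsed = urlparse(referer)
        origin = f"{parsed.scheme}://{parsed.netloc}"
    return origin == SITE_ORIGIN


def check_request(method: str, headers: dict, form: dict, session: dict):
    """Return (allowed, reason). Safe methods pass; state-changing ones need a
    matching origin and a token equal to the session's, compared in constant
    time so the comparison itself leaks nothing about the token."""
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"
    if not origin_allowed(headers):
        return False, "origin mismatch or missing"
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "missing or invalid csrf token"
    return True, "ok"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    print(session_cookie_header("sid-constructed"))
    # Legitimate submission from the app's own settings page.
    print(check_request("POST", {"Origin": SITE_ORIGIN},
                        {"email": "me@example.test", "csrf_token": token}, session))
    # The hidden-form payload above, submitted from another site: no token.
    print(check_request("POST", {"Origin": "https://attacker.test"},
                        {"email": "attacker@email.com"}, session))
```

Two caveats a reviewer would raise. The GET `transfer?amount=...` endpoint in the payload above is not covered by any of this: a GET fired from an `<img>` tag carries no form field, and `SameSite=Lax` still sends the cookie on top-level GET navigations, so a state-changing GET must be moved to POST before the token check means anything. And `Referer` alone is a weak control, since clients and privacy settings can strip it; the code above treats it only as a fallback behind `Origin`, and rejects rather than accepts when both are absent.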

Real examples help you understand the situation better and find more reports.

Common CSRF Scenarios:

**● Changing Account Settings:** An attacker sends a malicious link to the victim. When clicked, it triggers a hidden request to the website, changing the victim's email address, password, or other sensitive settings without their knowledge.
**● Transferring Funds:** A victim is logged into their online banking account. The attacker sends them a malicious link that, when clicked, initiates a hidden request to transfer funds from the victim's account to the attacker's account.
**● Posting Unauthorized Content:** On a social media platform, a victim is logged in. An attacker sends them a link that, when clicked, makes a post on their behalf, potentially spreading misinformation or offensive content.
**● Making Purchases:** An attacker sends a malicious link to the victim, who is logged into an e-commerce site. Clicking the link could trigger a hidden request to purchase items from the attacker's store.

Advanced CSRF Examples:

**● Exploiting File Upload Features:** An attacker can craft a malicious HTML form that automatically submits a file upload request to a vulnerable website when the victim visits their page. This could be used to upload malicious files like backdoors or malware.
**● Bypassing CSRF Tokens:** Some websites implement CSRF tokens for protection, but these can sometimes be bypassed using techniques like session riding or cross-origin vulnerabilities.
**● Targeting APIs:** CSRF attacks can be targeted towards APIs, especially those that rely on non-standard request methods or lack proper CSRF protection.
**● Chain Attacks:** Attackers might combine CSRF with other vulnerabilities like XSS (Cross-Site Scripting) to amplify the impact and gain further control over the victim's account.

Additional Considerations:

**● Impact:** The impact of a successful CSRF attack can be significant, ranging from minor inconvenience to serious financial loss or reputational damage.
**● Prevention:** CSRF can be prevented by implementing security measures like CSRF tokens, using HTTP Strict Transport Security (HSTS), and enabling Content Security Policy (CSP).
**● Awareness:** Users should be cautious about clicking links from unknown sources and keep their software updated to mitigate the risk of CSRF attacks.

Happy hunting!

Author: Ayush Khatkar is a cybersecurity researcher, technical writer and an enthusiastic pen-tester at Asecurity.

#bugbounty #infosec #cybersecurity