CSRF

Cross-Site Request Forgery (CSRF) is a web security vulnerability that forces an authenticated user to perform unwanted actions on a web application. These attacks exploit the trust a web application has in a user’s browser: because the browser attaches the session cookie to every request for that site automatically, a request triggered from another site is accepted as if the user had made it, potentially leading to unauthorized actions such as changing account details, transferring funds, or making purchases.

Identifying and testing for CSRF vulnerabilities involves understanding how the application handles session state, tokens, and user authentication. Below is an overview of tools and methods commonly used by penetration testers to detect and exploit CSRF vulnerabilities.


CSRF Testing Methods

1. Burp Suite:

Burp Suite provides an intuitive way to test CSRF vulnerabilities, leveraging its request intercepting and tampering capabilities.

Steps:

  1. Intercept a request using the Proxy tool.
  2. Send the intercepted request to the Repeater tab for analysis.
  3. Check for CSRF tokens in the request parameters or headers.
  4. If a CSRF token exists:
    • Determine if the token is validated server-side.
    • Modify the token or remove it entirely, then replay the request.
  5. Generate a CSRF Proof of Concept (PoC) from the CSRF PoC Generator under the Engagement Tools menu.

2. OWASP ZAP:

OWASP ZAP, an open-source alternative to Burp Suite, also supports automated and manual CSRF testing.

Steps:

  1. Capture a request to a target endpoint using the Passive Scanner.
  2. Navigate to the CSRF tab in the Passive Scan results to identify any missing or misconfigured CSRF tokens.
  3. Use the Manual Request Editor to modify and replay requests, similar to Burp Suite’s Repeater.
  4. If the application lacks CSRF protection, create a PoC using ZAP’s built-in PoC generation tool.

3. Manual Testing:

Manual testing is the fundamental approach for CSRF: it requires crafting a cross-site request by hand and executing it while authenticated to the target application.

Steps:

  1. Identify a state-changing request (e.g., account settings update, fund transfer).
  2. Examine the request for:
    • Presence of a CSRF token.
    • Whether the server validates the Referer or Origin header against its own origin.
  3. If no token or header validation exists:
    • Craft an HTML form to mimic the request.
    • Host the form on an attacker-controlled site.
    • Execute the form while logged in to the target application.

Example Malicious Form:

<form action="http://example.com/transfer" method="POST">
  <input type="hidden" name="amount" value="1000">
  <input type="hidden" name="recipient" value="[email protected]">
  <input type="submit" value="Submit">
</form>

4. CSRF-Token Testing:

CSRF-token testing focuses on evaluating the effectiveness of existing CSRF defenses.

Steps:

  1. Identify requests containing CSRF tokens.
  2. Validate token properties:
    • Are tokens unique per session or user?
    • Are tokens embedded in hidden form fields or headers?
  3. Replay the request after:
    • Modifying the token to an invalid value.
    • Removing the token entirely.
  4. Observe the server’s response:
    • If the server processes the request without validating the token, it may be vulnerable.

Key Indicators of CSRF Vulnerability

  • Absence of CSRF tokens in state-changing requests.
  • Lack of Origin or Referer header validation.
  • Improper token validation or predictable token values.
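The following is an added example, not code from the original page or from any of the tools it mentions. It shows, from the server side, what the CSRF-token tests and the key indicators above are probing for: a per-session synchronizer token compared in constant time, an Origin/Referer check that fails closed, and a replay of the page's test cases (token removed, token modified, token from another session, cross-origin request) against a handler that implements both defenses. The Session and Request classes, the allowed origin, the sample form data and the handler name are all constructed for this example.

```python
"""Added example: server-side CSRF checks and a replay of the page's token tests."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_ORIGIN = "https://example.com"   # assumed origin of the protected site


@dataclass
class Session:
    """Server-side session; the CSRF token is generated per session, not per user name."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Constructed stand-in for an incoming state-changing request."""
    method: str
    headers: dict
    form: dict
    session: Session


def issue_token(session: Session) -> str:
    """Token the server embeds in its own forms (hidden field) for this session."""
    return session.csrf_token


def origin_allowed(headers: dict) -> bool:
    """Accept only requests whose Origin (or, if absent, Referer) is our own origin.
    A request carrying neither header is rejected rather than waved through."""
    origin = headers.get("Origin")
    if origin is None:
        referer = headers.get("Referer")
        if referer is None:
            return False
        parts = urlsplit(referer)
        origin = f"{parts.scheme}://{parts.netloc}"
    return origin == ALLOWED_ORIGIN


def token_valid(req: Request) -> bool:
    """Token may arrive as a form field or a header; compare in constant time."""
    token = req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")
    if not token:
        return False
    return hmac.compare_digest(token.encode(), req.session.csrf_token.encode())


def handle_transfer(req: Request) -> tuple:
    """Hardened handler: both the origin check and the token check must pass."""
    if req.method != "POST":
        return 405, "method not allowed"
    if not origin_allowed(req.headers):
        return 403, "origin check failed"
    if not token_valid(req):
        return 403, "csrf token missing or invalid"
    return 200, f"transferred {req.form['amount']} to {req.form['recipient']}"


def run_token_tests(session: Session) -> dict:
    """Replay the page's CSRF-token tests against the handler; returns status per case."""
    good = {"amount": "1000", "recipient": "alice", "csrf_token": issue_token(session)}
    same_site = {"Origin": ALLOWED_ORIGIN}
    other = Session("bob")          # a second session: its token must not be accepted here
    removed = {k: v for k, v in good.items() if k != "csrf_token"}
    modified = {**good, "csrf_token": "tampered-" + good["csrf_token"]}
    foreign = {**good, "csrf_token": other.csrf_token}
    cases = {
        "valid": Request("POST", same_site, good, session),
        "token_removed": Request("POST", same_site, removed, session),
        "token_modified": Request("POST", same_site, modified, session),
        "token_other_session": Request("POST", same_site, foreign, session),
        "cross_origin": Request("POST", {"Origin": "https://attacker.example"}, good, session),
        "no_origin_no_referer": Request("POST", {}, good, session),
        "referer_ok": Request("POST", {"Referer": ALLOWED_ORIGIN + "/transfer"}, good, session),
        "get_request": Request("GET", same_site, good, session),
    }
    return {name: handle_transfer(r)[0] for name, r in cases.items()}


if __name__ == "__main__":
    for name, status in run_token_tests(Session("alice")).items():
        print(f"{name:22s} -> {status}")
```

Only the "valid" and "referer_ok" cases reach 200; every replay the page describes (token removed, modified, or borrowed from another session) and every request that cannot prove a same-site origin is refused. A handler that returned 200 for "token_removed" or "token_modified" is exactly the "processes the request without validating the token" indicator in step 4 above.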

Example Use Cases

  1. Unauthorized Account Changes: Exploit missing token validation to update account passwords or personal information.
  2. Fund Transfers: Craft malicious requests to transfer funds between accounts without the victim’s knowledge.
  3. Session Hijacking: Combine CSRF with other vulnerabilities (e.g., XSS) to perform advanced attacks.