Thursday, January 30, 2014

CSRFin' USA! CSRF Mitigation Bypass with XSS

Cross Site Request Forgery

Cross Site Request Forgery (CSRF) is an attack where an attacker can trick a user's browser into performing actions on the attacker's behalf. This has the added benefit of taking advantage of the user's authentication. The archetypal example of CSRF is to imagine that if a bank customer wanted to transfer funds, they would have to visit a specific URL such as, http://bank.com/?transfer.php?to=hacker_acct&amount=1000. Then, all the attacker would have to do is trick people into clicking a link for that URL so that the victim's browser performs a GET and, if the victim happens to be logged into that bank, the victim will unknowingly transfer money to that attacker. The web application is going to assume that the user is in full control of its own actions and will execute the transfer. CSRF is about exploiting the trust that the web application has in the user's browser. You can read more about CSRF here.

CSRF Mitigation

The majority of CSRF mitigation strategies revolve around some sort of nonce being associated with the request being made. That can mean that instead of a dumb URL such as http://bank.com/?transfer.php?to=hacker_acct&amount=1000, you would have http://bank.com/usersession-1234?transfer.php?to=hacker_acct&amount=1000 so that the attacker could  not generate the link ahead of time. Another example of this when performing a POST is to add a hidden field set to a nonce. This token will get passed along when the user hits the submit button and the server will check that the nonce it set for that form is what was submitted. Like before, this nonce can't be pre-generated, and thus an attacker is unable to create a dumb link to trick users with. Here is what a CSRF token looks like:
That token prevents us from hard coding a POST to the URL since the value of that token should change each and every time the form is loaded.

Mitigating CSRF Mitigations

With these tokens and nonces making the URL or parameters unique, CSRF should pretty much be resolved because the attacker is not able to perform any actions right? Not quite. Let's review what XSS provides for us. XSS allows an attacker to run a script on a victim's browser. The victim's browser is going to trust that the script is safe and will execute, no questions asked. We can use an XSS vulnerability to execute code that will gather the necessary information to overcome the CSRF protections in place. In other words we use the XSS vulnerability to determine what the specific session information or token is, incorporate that into a CSRF attack, and proceed as a normal.

Putting It All Together

Let's go back to a previous post. What we had there was a XSS vulnerability in the body of an email. With that in mind, let's go looking around the web application a little more to see what we can find. Within the Advanced Options, we see that there is an option to configure the password reset question, answer, and a checkbox to enable the feature at all.
Let's go fill this out, hit submit, and trap the request with a Firefox plugin, named Tamper Data, that the browser makes so we know what we have to replicate. 

Here we see the POST that is made once we update these values and hit Save:

Tamper Data is showing us on the right hand side all of the parameters that are being passed to the URL. Of particular interest, we see that enabling the password reset question corresponds to the usepassresetting parameter having a value of checkbox and you can also see the URL encoded password reset question and the password reset answer. The other parameters are important as well and will play a part later.

The other important thing to realize is that another parameter that gets passed along is the id parameter that has a value of 333n487v6y1sJjJ0GFnzPsID8oKJBfmEZeyk20140130002922. If you log in and out a few times you will come to notice that this is probably a random value. I did not expend any time doing a statistical analysis with Burp to verify this but I assumed it was. This id parameter is what will stop us from being able to hardcode a POST to _processaccountoptions with usepassresetting set to checkbox and passresetanswer set to whatever we want. Fortunately, we can get around this thanks to the XSS vulnerability we have in our backpocket. 

The flow of the attack will go as follows, the victim opens an email with JavaScript embedded in the body of the email. This JavaScript snippet will call a piece of JavaScript on the attacker's server that will:
  1. Parse out the value of the id parameter in the URL of the victim's browser
  2. Use that id parameter value and complete the POST request to set the victim's password reset question.
Now, we will send an email to the victim with this embedded into the body of the email:


That will then call this piece of JavaScript that will be on the attacker's server:

This script will first grab the URL and then proceed to parse out the value of the id parameter by performing a substring. Next, it then calls the passwordReset function and that will piece together the parameters necessary to perform a proper POST to the _processaccountoptions URL. Notice that this sets the usepassresetting, passresetquestions, and passresetanswer.

This should be enough to bypass the randomly generated id and if everything works, when a user opens the malicious email they will unknowingly enable the password reset feature and set their password reset answer to whatever the attacker chose. This will then allow the attacker to set a user's password by using the password reset feature.

Thus when the user opens the email the attacker can:

  1. Go to the webmail login screen and click the Forgot your password? link 
  2. Enter the victim's email address
  3. And we should see that the victim will have their password reset question set to what we set it to be in our script, "Hacked via XSS"
  4. From there the attacker can input the answer to the question as, 'h4cked', and then set a new password for the user. Heck, you could probably do step 3 and 4 by extended the script to do another CSRF POST to save you the manual effort. 
I hope this post helped describe what CSRF is and what it allows you to do and just how powerful XSS can be and how its impact can be much more than just dumping cookies and throwing alert boxes.




96 comments:

  1. Thanks Admin for sharing such a useful post, I hope it’s useful to many individuals for whose looking this precious information to developing their skill.
    Regards,
    PHP Training in Chennai|PHP Course in Chennai

    ReplyDelete
    Replies
    1. DR. JOROMI IS TRULY A POWERFUL MAN. Contacting Dr Joromi is the best thing that has ever happened to me. My husband left me for another woman for the reason which i know nothing about. I tried every means to get him back but to no avail, all my efforts proved abortive. I was even contemplating suicide. On a lucky day when i was browsing the internet, i came across some amazing testimonies about Dr. Joromi on how he has helped a lot of people with his powerful love spells. I contacted him and explained all my problems to him and he assured me that he will help me. He told me what to do and assured me that my man will be back in 12 hours. I obeyed him and followed the instructions and to my Greatest surprise, my man called me in 12 hours time just as Dr. Joromi said. Thank you Dr Joromi. May the good God continue to bless you. If you are in need of help please contact Dr Joromi now on his website: https://www.joromispells.com and you can also reach him with his email: Joromispells@gmail.com and here is his WhatsApp number which you can also use to reach him +2348138695387 Thank you Dr Joromi. Thank you once again

      Delete
  2. Token have a useful part to play.

    ReplyDelete
    Replies
    1. Hi, Great.. Tutorial is just awesome..It is really helpful for a newbie like me.. I am a regular follower of your blog. Really very informative post you shared here. Kindly keep blogging. If anyone wants to become a Front end developer learn from Javascript Training in Chennai . or learn thru Javascript Training in Chennai. Nowadays JavaScript has tons of job opportunities on various vertical industry. JavaScript Training in Chennai

      Delete
  3. This is a great inspiring article.I am pretty much pleased with your good work.You are posting really very helpful information. Keep it up. Keep blogging.
    Final Year Project Center in Chennai | Final Year Project Center in Velachery

    ReplyDelete
  4. This is really great work and very interesting article thanks for sharing TNPSC Coaching Centre in Chennai

    ReplyDelete
  5. I believe there are many more pleasurable opportunities ahead for individuals that looked at your site.
    Selenium Training in Chennai

    ReplyDelete
  6. Needed to compose you a very little word to thank you yet again regarding the nice suggestions you’ve contributed here.
    Best Python Training Institute in Bangalore

    ReplyDelete
  7. I believe there are many more pleasurable opportunities ahead for individuals that looked at your site.

    Best Hadoop Training Institute in chennai

    ReplyDelete
  8. I ‘d mention that most of us visitors are endowed to exist in a fabulous place with very many wonderful individuals with very helpful things.
    datascience training in chennai

    ReplyDelete

  9. Learned a lot from your blog. Good creation and hats off to the creativity of your mind. Share more like this.
    Loadrunner Training in Chennai
    French Classes in Chennai
    iOS Training in Chennai

    ReplyDelete
  10. Informative Blog, Thank you to share this
    Regards,
    PHP Training in Chennai

    ReplyDelete
  11. Attend The Python Training in Bangalore From ExcelR. Practical Python Training in Bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Python Training in Bangalore.

    ReplyDelete
  12. A very interesting topic that you have discussed here, definitely, your tips help me out to reach my passion. I would love to see more updates. Thank you, admin.web design company in velachery

    ReplyDelete
  13. I learned World's Trending Technology from certified experts for free of cost. I Got a job in decent Top MNC Company with handsome 14 LPA salary, I have learned the World's Trending Technology from Python Training in pune experts who know advanced concepts which can help to solve any type of Real-time issues in the field of Python. Really worth trying Freelance seo expert in bangalore

    ReplyDelete
  14. Attend The Data Analytics Courses in Bangalore with Placement From ExcelR. Practical Data Analytics Courses in Bangalore with Placement Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Analytics Courses in Bangalore with Placement.
    ExcelR Data Analytics Courses in Bangalore with Placement

    ReplyDelete
  15. Great Post. It was very informative and keep sharing. Home Lift India

    ReplyDelete
  16. Great post i must say and thanks for the information. Education is definitely a sticky subject. However, is still among the leading topics of our time. I appreciate your post and look forward to more.
    data analytics course

    ReplyDelete
  17. I still can not understand where do I have to type these codes? It all seems very complicated to me. I would be very grateful, if someone told me.

    ReplyDelete
  18. German Classes In Bangalore
    The information given in this blog is very nice and i like it if you share more this kind of blog and i also have written this kind of blog you can also read for more knowledge.

    ReplyDelete
  19. Confront your cheating spouse with evidence, i was able to spy on my cheating ex phone without finding out.....it really helped me during my divorce ...you can contact BESTAPPSHACKERS@GMAIL.COM) call and text him whatsapp +1(602) 609-4730 for spying and hacking social networks, school servers, icloud and much more, viber chats hack, Facebook messages and yahoo messenger, calls log and spy call recording, monitoring SMS text messages remotely, cell phone GPS location tracking, spy on Whats app Messages, his services are AFFORDABLE .............179800

    ReplyDelete
  20. php developer interview questions
    Important PHP and MySQL Interview Questions and Answers for freshers and experienced to get your dream job in PHP! Basic & Advanced PHP Interview Questions for Freshers & Experienced.

    ReplyDelete
  21. Attend The Data Analyst Course From ExcelR. Practical Data Analyst Course Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Analyst Course.
    Data Analyst Course

    ReplyDelete
  22. interview questions node js
    Important Node JS Interview Questions and Answers for freshers and experienced to get your dream job & Advanced Node.JS Interview Questions for Freshers & Experienced.

    ReplyDelete
  23. <a href="https://www.excelr.com/business-analytics-training-in-pune/”> Courses in Business Analytics </a> have express a few of the articles on your website now, and I really like your style of blogging. I added it to my favorite’s blog site list and will be checking back soon…
    I am always searching online for articles that can help me. There is obviously a lot to know about this. I think you made some good points in Features also. Keep working, great job !

    ReplyDelete
  24. Attend The Data Analytics Courses From ExcelR. Practical Data Analytics Courses Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Data Analytics Courses.
    Data Analytics Courses

    ReplyDelete
  25. I am Leah Hart I live in Ohio USA I’m 32 Years old, am so happy I got my blank ATM card from united hacking company  blank ATM card that can withdraw $5,500 daily. I got it from him  last week and now I have withdrawn about $15,000 for free. The blank ATM withdraws money from any ATM machines and there is no name on it because it is blank just your PIN will be on it, it is not traceable and now I have money for business, shopping and enough money for me and my family to live on.I am really glad and happy i met united hacking company  because I met Five persons before him and they could not help me. But am happy now united hacking company  sent the card through DHL and I got it in two days. Get your own card from him right now, he is giving it out for small fee to help people even if it is illegal but it helps a lot and no one ever gets caught or traced. I’m happy and grateful to the united hacking company   because he changed my story all of a sudden. The card works in all countries that is the good news contact. email address: unitedblankatmhackcard@gmail.com 

    ReplyDelete
  26. This is a splendid website! I"m extremely content with the remarks!ExcelR Business Analytics Courses

    ReplyDelete
  27. Thanks for posting the best information and the blog is very helpful.python course in Bangalore

    ReplyDelete
  28. Wonderful blog found to be very impressive to come across such an awesome blog. I should really appreciate the blogger for the efforts they have put in to develop such an amazing content for all the curious readers who are very keen of being updated across every corner. Ultimately, this is an awesome experience for the readers. Anyways, thanks a lot and keep sharing the content in future too.

    data science institute in bangalore

    ReplyDelete
  29. This information is impressive. I am inspired with your post writing style & how continuously you describe this topic. Eagerly waiting for your new blog keep doing more.
    Selenium Coaching
    QTP Training Institute
    IOS Training Institute

    ReplyDelete
  30. your blog' s design is simple and clean and i like it. Your blog posts about Online writing Help are superb. Please keep them coming. Greets!

    Python Training Institute in Pune
    Best Python Classes in Pune

    ReplyDelete
  31. Really Superb! Thanks for sharing this useful information.
    Farina Hair Care

    ReplyDelete
  32. Thanks for sharing this.. Really usefull blog.
    Chill Bro Bala

    ReplyDelete
  33. I feel happy to say this I have learnt new things from your blog and it’s really useful for me, keep sharing valuable information regularly.
    Ramakrishnan Interview

    ReplyDelete
  34. Awesome blog. Thank you for sharing such a useful information.
    Dharsha Gupta Interview

    ReplyDelete
  35. Your blog is very interesting to read and easy to understand. Keep on blogging.
    Actress Monika Interview

    ReplyDelete
  36. Thanks for sharing the nice article, keep updating news article.
    Chill Bro Bala

    ReplyDelete
  37. I recently read your post and I got a lot of information. Keep on sharing more blogs like this.
    Milla Exclusive Interview

    ReplyDelete
  38. Thank you for allowing me to read it, welcome to the next in a recent article.
    Dharsha Gupta

    ReplyDelete
  39. Your website is really cool and this is a great inspiring article.
    Sam Anderson

    ReplyDelete
  40. Your blog is very informative. Thanks for sharing such a useful information with us.
    Rachitha Mahalakshmi Haircare

    ReplyDelete
  41. Very nice information. Thank you for sharing it.
    Chill Bro

    ReplyDelete
  42. Your blog is very easy to understand many concepts and I got a lot of information.Thanks for sharing.
    Yamuna Chinnadurai Interview

    ReplyDelete
  43. Best article.Thanks for sharing this.
    Kavin

    ReplyDelete
  44. This blog is very useful for me to understand the information.Keep on blogging.
    Dharsha Gupta Emotional

    ReplyDelete
  45. Thanks for your informative article. Keep on sharing.
    Kuhasini Interview

    ReplyDelete
  46. I got to favourite this web site it seems very useful very beneficial
    Theni Eswar

    ReplyDelete
  47. Great blog.thanks for sharing such a useful information
    BDD with Cucumber Online Training

    ReplyDelete
  48. Very nice piece of information, please keep updating and share your valuable information with us.
    Mime Gopi

    ReplyDelete
  49. Great blog.thanks for sharing such a useful information
    Pytest Online Training

    ReplyDelete
  50. Really awesome Blog.Thanks for sharing this.
    Sakthi Chidambaram

    ReplyDelete
  51. Excellent blog! So many ideas in a single site. Thanks for the informative article. Keep updating more article.
    Jeeva Subramaniyam

    ReplyDelete
  52. Best blog i had ever read.Thanks for sharing this.
    Bigg Boss 5 Tamil Live

    ReplyDelete
  53. This blog is a great source of information which is very useful for me. Keep sharing more article like this.
    Milla Babygal

    ReplyDelete
  54. Excellent blog. Thanks for sharing such a useful information. Keep on blogging.
    Tn Local Body Election 2021

    ReplyDelete
  55. This blog is really nice and informative blog, The explanation given is really comprehensive and informative.
    Dhilip Subbarayan

    ReplyDelete
  56. Really very useful article for us. Thanks for sharing such an informative blog.
    Fish Curry and Fry

    ReplyDelete
  57. This comment has been removed by the author.

    ReplyDelete
  58. Very informative article. Thanks for posting this useful content.
    Yamuna Skincare

    ReplyDelete
  59. Nice article. The information you give is very interesting.
    Actress Anagha

    ReplyDelete
  60. Great blog. Thanks for sharing such a useful information.
    Java training chennai

    ReplyDelete
  61. Equal Hands has a simple ethos. We relish our time with nature and with each other. The items our makers create reflect this belief.
    Ethical home goods handmade sustainable clothing brands
    ethical jewelry brands ecologically sustainable lifestyle brand

    ReplyDelete