Thursday, January 30, 2014

CSRFin' USA! CSRF Mitigation Bypass with XSS

Cross Site Request Forgery

Cross Site Request Forgery (CSRF) is an attack where an attacker can trick a user's browser into performing actions on the attacker's behalf. This has the added benefit of taking advantage of the user's authentication. The archetypal example of CSRF is to imagine that if a bank customer wanted to transfer funds, they would have to visit a specific URL such as, http://bank.com/?transfer.php?to=hacker_acct&amount=1000. Then, all the attacker would have to do is trick people into clicking a link for that URL so that the victim's browser performs a GET and, if the victim happens to be logged into that bank, the victim will unknowingly transfer money to that attacker. The web application is going to assume that the user is in full control of its own actions and will execute the transfer. CSRF is about exploiting the trust that the web application has in the user's browser. You can read more about CSRF here.

CSRF Mitigation

The majority of CSRF mitigation strategies revolve around some sort of nonce being associated with the request being made. That can mean that instead of a dumb URL such as http://bank.com/?transfer.php?to=hacker_acct&amount=1000, you would have http://bank.com/usersession-1234?transfer.php?to=hacker_acct&amount=1000 so that the attacker could  not generate the link ahead of time. Another example of this when performing a POST is to add a hidden field set to a nonce. This token will get passed along when the user hits the submit button and the server will check that the nonce it set for that form is what was submitted. Like before, this nonce can't be pre-generated, and thus an attacker is unable to create a dumb link to trick users with. Here is what a CSRF token looks like:
That token prevents us from hard coding a POST to the URL since the value of that token should change each and every time the form is loaded.

Mitigating CSRF Mitigations

With these tokens and nonces making the URL or parameters unique, CSRF should pretty much be resolved because the attacker is not able to perform any actions right? Not quite. Let's review what XSS provides for us. XSS allows an attacker to run a script on a victim's browser. The victim's browser is going to trust that the script is safe and will execute, no questions asked. We can use an XSS vulnerability to execute code that will gather the necessary information to overcome the CSRF protections in place. In other words we use the XSS vulnerability to determine what the specific session information or token is, incorporate that into a CSRF attack, and proceed as a normal.

Putting It All Together

Let's go back to a previous post. What we had there was a XSS vulnerability in the body of an email. With that in mind, let's go looking around the web application a little more to see what we can find. Within the Advanced Options, we see that there is an option to configure the password reset question, answer, and a checkbox to enable the feature at all.
Let's go fill this out, hit submit, and trap the request with a Firefox plugin, named Tamper Data, that the browser makes so we know what we have to replicate. 

Here we see the POST that is made once we update these values and hit Save:

Tamper Data is showing us on the right hand side all of the parameters that are being passed to the URL. Of particular interest, we see that enabling the password reset question corresponds to the usepassresetting parameter having a value of checkbox and you can also see the URL encoded password reset question and the password reset answer. The other parameters are important as well and will play a part later.

The other important thing to realize is that another parameter that gets passed along is the id parameter that has a value of 333n487v6y1sJjJ0GFnzPsID8oKJBfmEZeyk20140130002922. If you log in and out a few times you will come to notice that this is probably a random value. I did not expend any time doing a statistical analysis with Burp to verify this but I assumed it was. This id parameter is what will stop us from being able to hardcode a POST to _processaccountoptions with usepassresetting set to checkbox and passresetanswer set to whatever we want. Fortunately, we can get around this thanks to the XSS vulnerability we have in our backpocket. 

The flow of the attack will go as follows, the victim opens an email with JavaScript embedded in the body of the email. This JavaScript snippet will call a piece of JavaScript on the attacker's server that will:
  1. Parse out the value of the id parameter in the URL of the victim's browser
  2. Use that id parameter value and complete the POST request to set the victim's password reset question.
Now, we will send an email to the victim with this embedded into the body of the email:


That will then call this piece of JavaScript that will be on the attacker's server:

This script will first grab the URL and then proceed to parse out the value of the id parameter by performing a substring. Next, it then calls the passwordReset function and that will piece together the parameters necessary to perform a proper POST to the _processaccountoptions URL. Notice that this sets the usepassresetting, passresetquestions, and passresetanswer.

This should be enough to bypass the randomly generated id and if everything works, when a user opens the malicious email they will unknowingly enable the password reset feature and set their password reset answer to whatever the attacker chose. This will then allow the attacker to set a user's password by using the password reset feature.

Thus when the user opens the email the attacker can:

  1. Go to the webmail login screen and click the Forgot your password? link 
  2. Enter the victim's email address
  3. And we should see that the victim will have their password reset question set to what we set it to be in our script, "Hacked via XSS"
  4. From there the attacker can input the answer to the question as, 'h4cked', and then set a new password for the user. Heck, you could probably do step 3 and 4 by extended the script to do another CSRF POST to save you the manual effort. 
I hope this post helped describe what CSRF is and what it allows you to do and just how powerful XSS can be and how its impact can be much more than just dumping cookies and throwing alert boxes.




68 comments:

  1. Thanks Admin for sharing such a useful post, I hope it’s useful to many individuals for whose looking this precious information to developing their skill.
    Regards,
    PHP Training in Chennai|PHP Course in Chennai

    ReplyDelete
  2. Token have a useful part to play.

    ReplyDelete
  3. This is a great inspiring article.I am pretty much pleased with your good work.You are posting really very helpful information. Keep it up. Keep blogging.
    Final Year Project Center in Chennai | Final Year Project Center in Velachery

    ReplyDelete
  4. This is really great work and very interesting article thanks for sharing TNPSC Coaching Centre in Chennai

    ReplyDelete
  5. I believe there are many more pleasurable opportunities ahead for individuals that looked at your site.

    Best Hadoop Training Institute in chennai

    ReplyDelete

  6. Learned a lot from your blog. Good creation and hats off to the creativity of your mind. Share more like this.
    Loadrunner Training in Chennai
    French Classes in Chennai
    iOS Training in Chennai

    ReplyDelete
  7. Informative Blog, Thank you to share this
    Regards,
    PHP Training in Chennai

    ReplyDelete
  8. Attend The Python Training in Bangalore From ExcelR. Practical Python Training in Bangalore Sessions With Assured Placement Support From Experienced Faculty. ExcelR Offers The Python Training in Bangalore.

    ReplyDelete
  9. Great Post. It was very informative and keep sharing. Home Lift India

    ReplyDelete
  10. Great post i must say and thanks for the information. Education is definitely a sticky subject. However, is still among the leading topics of our time. I appreciate your post and look forward to more.
    data analytics course

    ReplyDelete
  11. I still can not understand where do I have to type these codes? It all seems very complicated to me. I would be very grateful, if someone told me.

    ReplyDelete
  12. German Classes In Bangalore
    The information given in this blog is very nice and i like it if you share more this kind of blog and i also have written this kind of blog you can also read for more knowledge.

    ReplyDelete
  13. php developer interview questions
    Important PHP and MySQL Interview Questions and Answers for freshers and experienced to get your dream job in PHP! Basic & Advanced PHP Interview Questions for Freshers & Experienced.

    ReplyDelete
  14. interview questions node js
    Important Node JS Interview Questions and Answers for freshers and experienced to get your dream job & Advanced Node.JS Interview Questions for Freshers & Experienced.

    ReplyDelete
  15. I am Leah Hart I live in Ohio USA I’m 32 Years old, am so happy I got my blank ATM card from united hacking company  blank ATM card that can withdraw $5,500 daily. I got it from him  last week and now I have withdrawn about $15,000 for free. The blank ATM withdraws money from any ATM machines and there is no name on it because it is blank just your PIN will be on it, it is not traceable and now I have money for business, shopping and enough money for me and my family to live on.I am really glad and happy i met united hacking company  because I met Five persons before him and they could not help me. But am happy now united hacking company  sent the card through DHL and I got it in two days. Get your own card from him right now, he is giving it out for small fee to help people even if it is illegal but it helps a lot and no one ever gets caught or traced. I’m happy and grateful to the united hacking company   because he changed my story all of a sudden. The card works in all countries that is the good news contact. email address: unitedblankatmhackcard@gmail.com 

    ReplyDelete
  16. This information is impressive. I am inspired with your post writing style & how continuously you describe this topic. Eagerly waiting for your new blog keep doing more.
    Selenium Coaching
    QTP Training Institute
    IOS Training Institute

    ReplyDelete
  17. Really Superb! Thanks for sharing this useful information.
    Farina Hair Care

    ReplyDelete
  18. Thanks for sharing this.. Really usefull blog.
    Chill Bro Bala

    ReplyDelete
  19. I feel happy to say this I have learnt new things from your blog and it’s really useful for me, keep sharing valuable information regularly.
    Ramakrishnan Interview

    ReplyDelete
  20. Awesome blog. Thank you for sharing such a useful information.
    Dharsha Gupta Interview

    ReplyDelete
  21. Your blog is very interesting to read and easy to understand. Keep on blogging.
    Actress Monika Interview

    ReplyDelete
  22. Thanks for sharing the nice article, keep updating news article.
    Chill Bro Bala

    ReplyDelete
  23. I recently read your post and I got a lot of information. Keep on sharing more blogs like this.
    Milla Exclusive Interview

    ReplyDelete
  24. Thank you for allowing me to read it, welcome to the next in a recent article.
    Dharsha Gupta

    ReplyDelete
  25. Your website is really cool and this is a great inspiring article.
    Sam Anderson

    ReplyDelete
  26. Your blog is very easy to understand many concepts and I got a lot of information.Thanks for sharing.
    Yamuna Chinnadurai Interview

    ReplyDelete
  27. Best article.Thanks for sharing this.
    Kavin

    ReplyDelete
  28. This blog is very useful for me to understand the information.Keep on blogging.
    Dharsha Gupta Emotional

    ReplyDelete
  29. Thanks for your informative article. Keep on sharing.
    Kuhasini Interview

    ReplyDelete
  30. I got to favourite this web site it seems very useful very beneficial
    Theni Eswar

    ReplyDelete
  31. Very nice piece of information, please keep updating and share your valuable information with us.
    Mime Gopi

    ReplyDelete
  32. Really awesome Blog.Thanks for sharing this.
    Sakthi Chidambaram

    ReplyDelete
  33. Excellent blog! So many ideas in a single site. Thanks for the informative article. Keep updating more article.
    Jeeva Subramaniyam

    ReplyDelete
  34. Best blog i had ever read.Thanks for sharing this.
    Bigg Boss 5 Tamil Live

    ReplyDelete
  35. This blog is a great source of information which is very useful for me. Keep sharing more article like this.
    Milla Babygal

    ReplyDelete
  36. Excellent blog. Thanks for sharing such a useful information. Keep on blogging.
    Tn Local Body Election 2021

    ReplyDelete
  37. Thanks for your informative article.
    Fake Blood in Movies

    ReplyDelete
  38. This comment has been removed by the author.

    ReplyDelete
  39. Very informative article. Thanks for posting this useful content.
    Yamuna Skincare

    ReplyDelete
  40. Nice article. The information you give is very interesting.
    Actress Anagha

    ReplyDelete
  41. Equal Hands has a simple ethos. We relish our time with nature and with each other. The items our makers create reflect this belief.
    Ethical home goods handmade sustainable clothing brands
    ethical jewelry brands ecologically sustainable lifestyle brand

    ReplyDelete
  42. Thanks a lot for giving us such a helpful information. You can also visit our website for nmims project

    ReplyDelete

  43. This post is so interactive and informative.keep update more information...
    DevOps course in Tambaram
    DevOps Training in Chennai

    ReplyDelete
  44. I’m really happy to say it was an interesting post to read. I learned new information from your article on Bearing , you are doing a great job

    ReplyDelete
  45. Are you in need of a credit specialist to help you fix your poor credit? Then I strongly recommend Metronet Credit Solution. I had a very poor credit which made it impossible for me to acquire an auto loan, but my problem was solved when I met Metronet Credit Solution on Reddit. They helped me erase every irregularity and boosted my score to 801, 780 and 775. With our new car life is a lot easier. You can contact them via email: metronetcreditsolution@gmail.com or whatsapp: +16265140620

    ReplyDelete