LOGO
OFFENSIVE | DEFENSIVE | WIKI | ABOUT

[CROSS-SITE REQUEST FORGERY]



GENERAL INFORMATION 3 METHOD QUESTION: 1. A relevant action? 2. Cookie based session handling? 3. No unpredictable request parameters = CSRF Token? ******* 1. First thing, activity needs to be from authenticated actions. 2. Check if the CSRF token is present. [inspect the headers / burpsuite] 3. If no token is present, a CSRF PoC can be used. [burpsuite PRO / manual way] Burpsuite: On RAW request > right click > engagement tools > generate CSRF PoC NOTE: user interaction is required at some point. NOTE: inspect the code is vital, so you can use the form HTML code to prepare your CSRF PoC. with burpsuite PRO it will be easy. Diferent payloads can be used. HTML tags <img src="https://vulnerable-website.com/email/[email protected]">
TOKEN TECHNIQUES DESCRIPTION: Collection of techniques used to test the different tokens we can find, CSRF tokens and more. 1. Inspect the source code of the page and look for any kind of token associated to the action. For example, maybe a form with a csrf token. SAMPLE: <input type="text" name="csrf" id="csrf" value="rt6A7TkfcGHMUc" hidden> 2. It is important to test if the specific token provided is validated or if it is only validating that the field exists. In other words, is this validating the key value or format? 3. Are you able to attempt XSS ?
BYPASS TECHNIQUES
PAYLOADS/EXPLOITS CSRF_PoC_POST_sample.html
CSRF_PoC_onload_sample.html
CSRF_PoC_python_server.html
TOKEN VALIDATION ON REQUEST METHOD it is when the control applies defenses against certain types of requests. 1. important to validate if the CSRF token is been validated or not. rejected or not ? 2. first test is to change request method and validate if the CSRF token is rejected or not. 3. burp profesional > right click > engagement tools > generate CSRF PoC 4. use the following code as sample, check source code to confirm the parameters needed for the action.
TOKEN VALIDATION ON BEING PRESENT pretty important to validate, 1. without csrf token 2. changing method 3. validating GET requests y CSRF tokens 4. validating if the CSRF toke is being validated
BROKEN REFERER VALIDATION
NOT TIED TO USER SESSION - several tests * csrf token is valid ? * csrf token is needed ? * csrf token is tied to session ? can you use one from other user session ?
TOKEN TIED TO NON-SESSION COOKIE * important tests - repeat same tests - important, is the csrf valid ? - exist the possibility to add input data to the cookie ? - if csrf cookie results in the CSRF token being rejected. This suggests that the csrfKey cookie may not be strictly tied to the session. - it is important to get 2 users. NOTE: important to read about possible ways to inject data in cookie headers. SAMPLE: Cookie: csrfToken=Vwd4uGdvuY9niiMD54K6WGaJWuLUCGbu; session=NyeAhFL0RXY89SGOuXMORNgCfuknGOaV; Search=hack NOTE: Exist some different ways that can be used to trigger the alerts or inject payloads. one way is using SCRIPT HTML tag and the other can be IMAGES. <img src="https://b0ydc.com/?search=MV%0d%0aSet-Cookie:%20csrfToken=TOKEN%3b%20SameSite=None" onerror="document.forms[0].submit()">
TOKEN DUPLICATED IN COOKIE - same similar tests can be applied. - important to check or inspect the traffic using burpsuite or ZAP - check if exist CSRF token or not. is only one ? two ? - exist the possibility to add input data to the cookie ?

©® - Since 2023