Cross-Site Request Forgery (CSRF)

Zakkir
3 min read, Dec 18, 2020

Hello guys, I hope everyone is good. I would like to share one of my findings.

What is Cross-Site Request Forgery(CSRF)?

CSRF is a client-side attack that targets functionality causing a state change on the server, such as changing the victim's email address or password or purchasing something. It works because the browser automatically attaches the victim's session cookie to requests sent to the vulnerable site, so the server cannot tell a request forged by another page from one the victim intended.

How does the attacker make use of this vulnerability?

The attacker uses this vulnerability to trick the victim into clicking a link or opening a file that silently submits a request in the victim's name, for example to change the victim's password or to make a funds transfer.

Note: For a CSRF attack to work, the victim must be logged in to the vulnerable web application at the time the forged request is sent.

How did I exploit this vulnerability?

1. I self-registered an account on the testing website (e.g. abc.com).
2. I logged in to the website and, at the same time, intercepted the request using Burp Suite.
3. Using the response of the above request, I created an HTML web form and changed the values of the parameters (Pass, Pass0) in the created form.
4. Then I saved the form on my machine with an HTML extension (CSRF.HTML).
5. As I mentioned earlier, the user should be logged in to the vulnerable website; I was already logged in to the website.
6. After clicking the HTML file stored on my machine, boom, the old password of my login credential got changed. Check the below screenshots.

How did I confirm whether the password had changed?

In a CSRF attack, we won't get any response telling us whether the exploit succeeded or failed. What I did was try to log in to the website (e.g. abc.com) with my old username and password, and I was not able to log in to the website (e.g. abc.com). Check the below screenshot.

Successfully Exploited the Vulnerability

Remediation:

The application should implement anti-CSRF tokens in all requests that perform actions which change the application state or which add, modify or delete content. An anti-CSRF token should be a long, randomly generated value unique to each user session, so that an attacker cannot guess or brute force it.

It is important that anti-CSRF tokens are validated when user requests are handled by the application. The application should both verify that the token exists in the request and check that it matches the token stored for the user's current session, using a constant-time comparison. If either of these checks fails, the application should reject the request without performing the action.
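The following is an added example, not code from the original post or from the tested site. It models the password-change endpoint of the post's "abc.com" as a small in-memory service (the `PasswordService` class, its `Pass`/`Pass0` parameters taken from the post, and the user "alice" are all constructed for illustration) and shows two things discussed above: why the forged request succeeds when the victim is logged in (the session cookie is presented with it, and the vulnerable handler has nothing else to check), and how the remediation's two token checks, presence in the request and a constant-time match against the session's stored token, cause the same forged request to be rejected while the legitimate form still works.

```python
import hmac
import secrets


class PasswordService:
    """Constructed stand-in for the password-change endpoint of the post's
    'abc.com'. Sessions are keyed by the session-cookie value, which the
    browser attaches to every request to the site, including one that an
    attacker's page submits on the victim's behalf."""

    def __init__(self, enforce_csrf=True):
        self.enforce_csrf = enforce_csrf
        self.sessions = {}                      # session id -> session data
        self.users = {"alice": "old-password"}  # constructed user table

    def login(self, username):
        """Create a session for a user who has already authenticated and
        return the cookie value the browser will store."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": username, "csrf_token": None}
        return sid

    def issue_csrf_token(self, sid):
        """Generate a long random token bound to this session. The legitimate
        change-password form embeds it as a hidden field; a page on another
        origin cannot read it, so it cannot forge a request that carries it."""
        token = secrets.token_urlsafe(32)
        self.sessions[sid]["csrf_token"] = token
        return token

    def _csrf_token_is_valid(self, sid, form):
        """Both checks from the remediation text: the token must be present in
        the request and must match the one stored for the user's session."""
        expected = self.sessions[sid]["csrf_token"]
        submitted = form.get("csrf_token")
        if expected is None or not isinstance(submitted, str) or not submitted:
            return False
        # Constant-time comparison so a mismatch does not leak timing information.
        return hmac.compare_digest(submitted.encode(), expected.encode())

    def change_password(self, sid, form):
        """Handle a POST carrying the post's Pass/Pass0 parameters.
        Returns (http_status, message)."""
        session = self.sessions.get(sid)
        if session is None:
            return 401, "not logged in"
        if self.enforce_csrf and not self._csrf_token_is_valid(sid, form):
            return 403, "missing or invalid anti-CSRF token"
        if not form.get("Pass") or form.get("Pass") != form.get("Pass0"):
            return 400, "passwords do not match"
        self.users[session["user"]] = form["Pass"]
        return 200, "password changed"


def demo():
    """Run the same forged request against a vulnerable and a hardened service."""
    # Constructed forged request: only the two parameters an attacker's form
    # controls. The victim's session cookie rides along automatically.
    forged = {"Pass": "attacker-chosen", "Pass0": "attacker-chosen"}

    vulnerable = PasswordService(enforce_csrf=False)
    sid = vulnerable.login("alice")
    on_vulnerable = vulnerable.change_password(sid, forged)

    hardened = PasswordService()
    sid = hardened.login("alice")
    token = hardened.issue_csrf_token(sid)
    forged_blocked = hardened.change_password(sid, forged)
    legit = {"Pass": "new-password", "Pass0": "new-password", "csrf_token": token}
    legitimate = hardened.change_password(sid, legit)

    return {
        "vulnerable": on_vulnerable,        # (200, ...) the forged request succeeds
        "forged_blocked": forged_blocked,   # (403, ...) rejected by the token check
        "legitimate": legitimate,           # (200, ...) the real form still works
        "hardened_password": hardened.users["alice"],
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The token is bound to the session rather than to the user account so that a token leaked from one session cannot be replayed in another, and the comparison goes through `hmac.compare_digest` rather than `==` so that an incorrect token is rejected in the same time regardless of how many leading characters happen to match.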

Zakkir

Security Analyst & Engineer, Threat Researcher, Threat Hunter, Advisory Threat Emulator