Hope you guys Doing well and hunting lots of bugs and Dollars !
well, so for today we are going to talk about CSRF, some relevant bypasses, Impact and mitigation.
What is Cross site request forgery ?
CSRF stands for cross site request forgery. CSRF is an attack which force users to submit a request without their consent, which is crafted by attacker for any malicious intentions. This vulnerability also popularly known as also known as XSRF, Sea Surf, One-Click attack or Session Riding.
This attack works because browser request automatically include all cookie including session cookie, as user is authenticated to the site. This is because browser is not able to compared between legitimate request and malicious request.
Now, Lets take some overview idea about CSRF possibilities. There are three conditions must be in place :-
- A relevant actions should be there to do some kind of changes like email,Profile picture or any kind of user control changes. which can be further escalated for other attacks.
- The attacker can Predict all the parameter required to perform the actions and no unpredictable parameter should be in the request, which can make some differences between two request for same action from different users.
- The application should relies only on session cookie to recognize the user who has made the request. There should no other stuffs to map up the same.
Impact of these vulnerability always depends on the actions. Some common results of this vulnerability are leaking sensitive user’s details, account takeover and many more.
The most relevant way to mitigate CSRF is to include a CSRF token with request, which should to follow these :-
- CSRF tokens should not be sent as part of cookies.
- These tokens must be unpredictable.
- Tokens must be unique per session & tied to user’s session.
Even after web application are not perfectly configured to defend for the same. There are some bypasses which are based on some common mistake developers use to make. Let’s look around those :-
- Changing Request Methods :- Some applications correctly validate the token when the request uses the POST method which is defined for that request but ignore the validation when the other method is used.
- Delete the token Parameter or send a blank token :- Some applications correctly validate the token if only it is there but ignore the validation if the token is not found.
- Use another unused session’s CSRF :- Some applications do not validate that the token belongs to the same session as the user who is making the request. Instead, the application maintains a global pool of tokens that it has issued and accepts any token that appears in this pool.
- Replace the value with random same length token :- This bypass work when application is not validating token and verifying it due to some misconfiguration.
- Use only the static Parts of token :- Some applications do not validate whole token in right manner, So playing with token can leads to bypass CSRF protections.
- Decode CSRF token :- Sometime CSRF token can be predictable and leads to bypass the protections. Normally it should be random, unique and unpredictable value.
There are some more approach to bypass the CSRF protection. We need to understand the functionality and behavior of the application, and try more bypasses.
Nord Security disclosed on HackerOne: CSRF to change password
Description Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious web site, email, blog…
HackerOne disclosed on HackerOne: Login CSRF vulnerability on...
Summary Hi. We found a CSRF token bypass on the Hacker One login page. So, this report describes Hacker One login CSRF…
Web Application Security, Testing, & Scanning - PortSwigger
PortSwigger products help more than 60,000 professionals - at over 15,000 organizations - to secure the web and speed…
Hope this is useful for you guys
Happy Hacking !
Twitter handle :- https://twitter.com/Xch_eater