Cross-Site Request Forgery

By /

Cross-Site Request Forgery (CSRF) is a common web security vulnerability that allows an attacker to trick a victim into executing unwanted actions on a web application in which they are authenticated. This type of attack leverages the trust that the web application has in the user’s browser.

How CSRF Works:

  1. Session Exploitation: The attacker tricks the user’s browser into sending a request to a vulnerable web application where the user is authenticated (e.g., via cookies). The application trusts the request because it comes from the user’s browser with valid session credentials.
  2. Executing Unintended Actions: The attacker can execute any action that the user is authorized to perform, such as changing account settings, making a purchase, or even transferring funds.

Example Scenario:

  • Suppose you are logged into your bank account and at the same time, you visit a malicious website.
  • The malicious website has a hidden form that, when submitted, makes a request to the bank’s server to transfer money from your account to the attacker’s account.
  • Since you’re already logged in, the bank’s server processes the request as if it was authorized by you.

How to Find CSRF Vulnerabilities:

  1. Test Actions Requiring Authentication: Identify critical actions that require user authentication (e.g., changing an email, password, or financial transaction).
  2. Check for CSRF Tokens: Examine the request parameters to see if the application uses anti-CSRF tokens. These tokens should be unique and unpredictable for each request and should be validated by the server.
  3. Missing or Reusable Tokens: A potential CSRF vulnerability exists if the application doesn’t use CSRF tokens or if the tokens are static or predictable.
  4. Examine HTTP Methods: CSRF attacks are usually associated with state-changing HTTP methods like POST, PUT, DELETE, etc. Some applications fail to implement CSRF protection on these methods.
  5. Test with a Malicious Request:
    • Create a Form: If you suspect a CSRF vulnerability, create a simple HTML form that submits a malicious request to the application.
    • Simulate the Attack: Host this form on a separate domain and see if it triggers the action on behalf of an authenticated user.

Exploiting CSRF Vulnerabilities:

  • Craft a Malicious HTML Form: Create an HTML form that sends a request to the target application.
<form action="https://bank.com/transfer" method="POST">
    <input type="hidden" name="amount" value="1000">
    <input type="hidden" name="to_account" value="attacker_account">
    <input type="submit" value="Transfer">
</form>
<script>
    document.forms[0].submit();
</script>
  • URL-Based Attack: If the application uses GET requests for actions (which is a bad practice), you can simply embed the URL in an image tag or link.
<img src="https://bank.com/transfer?amount=1000&to_account=attacker_account">

Mitigation Techniques:

  1. CSRF Tokens: Implement unique CSRF tokens in forms or requests that are validated server-side.
  2. SameSite Cookies: Use SameSite cookie attributes to prevent browsers from sending cookies with cross-site requests.
  3. Custom Headers: Require custom headers in requests, which can’t be easily forged by attackers.
  4. Re-authentication: For sensitive actions, require the user to re-enter their password or authenticate again.

Tools for Finding CSRF:

  • Burp Suite: It has automated features to detect CSRF vulnerabilities.
  • OWASP ZAP: Another tool for scanning web applications, including CSRF issues.

By using these methods, you can identify and exploit CSRF vulnerabilities during a bug bounty assessment

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top