What is CSRF?
CSRF is a type of application vulnerability that lures users in to doing certain actions that are not intended to be performed. Usually a very genuine looking but a changed email is sent to the users , which when clicked or performed certain actions upon , leads to execution of certain actions on the original genuine source with the user’s original credential pair.
We will now perform CSRF attacks on DVWA (Damn Vulnerable Web App) and see in detail on how a CSRF exploit works.
Prerequisites
- DVWA
- Basic HTML knowledge
- Basics of CSS
- Basic JavaScript knowledge
- BurpSuite Community Edition
LEVEL = LOW
1) Open DVWA on local host and set the module difficulty level to low.
2) Now open CSRF module and change the password once to capture , test and understand the request layout.
3) Now make a phishing page which will redirect to the URL , that DVWA CSRF module uses to change password.
The phishing page looks pretty authentic at first. But look at the code below :
Now compare it with DVWA’s change password source code :
Looking at both the codes , we observer that in phishing page , we have diverted the request to the change password module of the DVWA page.
Also comparing id’s of every field , we note that in the phishing page , we have kept the id of password fields the same , as used in DVWA.
This will trick the backend database to process data and hit the query from the data we are sending from the phishing page and not from authentic DVWA page.
As the id’s of the password fields match , database will be triggered and process the backend query , which will ultimately change the password for what the user has entered in the phishing page.
One can easily collect logs from this and now can get access to authentic site via the changed password!!
Below is a demo of the same.
4) Opening the phishing page.
5) Filling up the details.
I have filled up the data as a normal user would , when promised a free giveaway upon credential updation of an authentic website. This phishing page basically tries to trick the user , to change/update the credentials of a website in which the user has account in.
example gmail/facebook/Instagram and then promising them a free entry in name of CYBERSECURITY AWARENESS. The user would enter the details and the credentials would get updated to the original site. But the hacker now knows the credentials and user’s security gets compromised.
6) When the user clicks submit , we get the request in burp.
Captured incoming request in BURP :
Passwords changed!!
Now performing in medium and High levels.
LEVEL = MEDIUM
In medium level, DVWA uses the Referrer field of the GET request to identify if a user is accessing the website from a local machine or some other locations. In this case, the Phishing page technique doesn’t work.
1) Capture the change password request format from the DVWA change password page into BURP.
2) Now copy the highlighted part of the request and open the cross-site scripting module.
3) Click on inspect element on Name field and change maxlength to 500.
4) Enter the <img src=” /DVWA-master/vulnerabilities/csrf/?password_new=password&password_conf=password&Change=Change#”> into the name field.
This is perform a XSS attack which will eventually trigger the database query to change password and password will be changed.
Click “sign guestbook” button.
5) Logging in with the new password.
6) Login successful!!
LEVEL = HIGH
In high level CSRF security , DVWA appends a user token in response which is used to authenticate the session and then change the password. Failing to authenticate the password will result in an “Invalid CSRF token” error.
1) First open CSFR page on DVWA module with security set to “High” and view page source.
2) Now copy the highlighted line in above screenshot into the Phishing page we created during low level CSFR attack.
3) Now send the phishing page to the user and then make them enter info to change the password.
Entering INFO :
Capturing request :
Password Changed :
This is how a CSRF exploit is performed on a web application in different scenarios and different applications of security measures.
Written By: Priyansh Gupta
Reviewed By: Sayan Chatterjee
If you are Interested In Machine Learning You Can Check Machine Learning Internship Program
Also Check Other Technical And Non Technical Internship Programs