Attack Scenario<\/h2>\n
Marty is an attacker and he wants to take over his friend Elif\u2019s account.<\/p>\n
Steps to Reproduce<\/h2>\n\n- \n
Login to the application as Marty and click on Password from the Utils dropdown.<\/p>\n<\/li>\n<\/ol>\n
![](\"https:\/\/lh5.googleusercontent.com\/s2ezb-x1ZtKVTIXJBYBokDDMnLFoykO5Njt2WFQT1zxH_roPzR2NtyG5PViLZ15Q9n7Tm20TzVNk3ino15Luk9p4IJs6PwHrO6Y7RswIRgZPoLWJUAjzdSR9T1ZvIxGUDp71agWj\")
<\/p>\n
\n- \n
Click on Change my password and the password change option will show up.<\/p>\n<\/li>\n<\/ol>\n
![](\"https:\/\/lh6.googleusercontent.com\/jtZAm8d3MO7ppfKWR4sWxWOwnKnEzhHJhj5Tr81pJvKSszXnYUANdJo-GbCljbG6gKUrsK9g6xFcUGww82jABHxx3D9A2RJ2a_IwDUC2B6Pw5sg3BtrVSxNIo1j7L-I-Jtpj_dkI\")
<\/p>\n
\n- \n
Next, fill up the password input with the password of your choice and click on Change.<\/p>\n<\/li>\n<\/ol>\n
![](\"https:\/\/lh6.googleusercontent.com\/XgyKLmXRYKqV3x-frX51J8KAskfnVrys3RL1xvSDRrqh4d_87udMYxepx_lyS940a7m3AOU4dEWOC1NpVnzEu1vdZonA08UCkFGtMmvUxvlxcZi9IislfGlmyfkoJ7SWuShDZl4o\")
<\/p>\n
\n- \n
Intercept this request in a proxy server such as Burp and send it to the repeater. Drop the request from the proxy tab.<\/p>\n<\/li>\n<\/ol>\n
![](\"https:\/\/lh5.googleusercontent.com\/YXRHYmryrK-pgRlz8ku0R0Az1i6b8pn25Hhqcw9i85ucv0S07NkVTJxlGL67E9gz-L7sCt7d7quxwUvEtTRmvmw7Z2jH2d5Q_tttm-Uy7YQUMnaepfv2o-i6EcPjUWlIXIGJMyji\")
<\/p>\n
Note:<\/strong> The request needs to be dropped because if it reaches the server, then Marty\u2019s password will be changed. Our current objective is to change Elif\u2019s password.<\/p>\n\n- \n
Go to the CSRF POC generator<\/a> and fill up the required details accordingly.<\/p>\n<\/li>\n<\/ol>\nNote:<\/strong> Do not forget to change the username to elif. Click on Download CSRF POC to download the HTML file.<\/p>\n![](\"https:\/\/lh5.googleusercontent.com\/yILLc6GTgrLDVYLhxw6NnSdTGRKDsnBtNlJE_D46FmDBI7n8kRJDSh_yBLcjxS3FyNgIu28q8uCArynZVUpGM9byNtbeoA_ScjNs2NbAewufX2f_Pb1TZy5MN3LdNEg2-LE0cV68\")
<\/p>\n
\n- \n
The POC that was downloaded needs to be hosted on a server. For this, we can use the http.server module from python to create a server.<\/p>\n<\/li>\n<\/ol>\n
![](\"https:\/\/lh5.googleusercontent.com\/ELW2wSxbH01DVakFfVJ9mGK7ObeUKTAJEpKAjEW9hyr2toDSZ4sApQOVgx2-wN5s9ERbA58DIBVRG5z0DlRpgw2MOONlXSEUzOQ700ZB_aHHxALq_lEKBP0VufE7w0suFaoMR8Hj\")
<\/p>\n
\n- \n
After getting hosted, our page looks like this:<\/p>\n<\/li>\n<\/ol>\n
![](\"https:\/\/lh5.googleusercontent.com\/9jxYuNDa13uYts4ZxfaVNUbukVJgtLrI9eIjPZ6kWQmeEDMui561GmbhlvUd0chzbK_B7mj_6B3hDloc1ZYc4Tq7Gv95IbZ7E5UjpGtjovA2q7f0g15FGeOZ1O4Z4hMBirxymckj\")
<\/p>\n
<\/p>\n
Note: <\/strong>This is just a simulation of an attack. The sensitive parameters are clearly visible in the page, but these things can easily be hidden in HTML through the hidden attribute. Consult the exploit link in the description.<\/p>\n\n- \n
Now we need to lure Elif to our page. This can be done through social engineering.<\/p>\n<\/li>\n
- \n
As soon as Elif visits our page (with an active session on the application) and clicks on the button, a password change request will be sent to the server.<\/p>\n<\/li>\n<\/ol>\n
The password change message will now appear on the browser saying the password was updated successfully.<\/p>\n
![](\"https:\/\/lh5.googleusercontent.com\/w7ln_NgO3RDX9C_e-LcS4FhFvR3JLwqSpD65bJ4pBMXWUK96UAT6eDAzX9bKVflhhvHAd0xrnU5daMjNW6_3PuYI0r0Ig1b2A1DPuIA1JeIeaTnY34DolQngxixiWL9JsDLia2D3\")
<\/p>\n
\n- \n
Now Marty can access Elif\u2019s account through the known password.<\/p>\n<\/li>\n<\/ol>\n
Mitigation<\/h2>\n\n- \n
The most common and easy method of prevention against CSRF is to include a unique CSRF token with each and every request. The token should be completely random and should be strictly validated at the backend.<\/p>\n<\/li>\n
- \n
A same-site attribute in the cookie can also be used as a CSRF prevention mechanism. The same-site attribute tells the browser not to include the user\u2019s session cookie in the requests that do not originate from the original domain.<\/p>\n<\/li>\n<\/ol>\n
Related Blogs<\/h2>\n
Login to the application as Marty and click on Password from the Utils dropdown.<\/p>\n<\/li>\n<\/ol>\n
- \n
- \n
Click on Change my password and the password change option will show up.<\/p>\n<\/li>\n<\/ol>\n
- \n
- \n
Next, fill up the password input with the password of your choice and click on Change.<\/p>\n<\/li>\n<\/ol>\n
- \n
- \n
Intercept this request in a proxy server such as Burp and send it to the repeater. Drop the request from the proxy tab.<\/p>\n<\/li>\n<\/ol>\n
Note:<\/strong> The request needs to be dropped because if it reaches the server, then Marty\u2019s password will be changed. Our current objective is to change Elif\u2019s password.<\/p>\n
- \n
- \n
Go to the CSRF POC generator<\/a> and fill up the required details accordingly.<\/p>\n<\/li>\n<\/ol>\n
Note:<\/strong> Do not forget to change the username to elif. Click on Download CSRF POC to download the HTML file.<\/p>\n
- \n
- \n
The POC that was downloaded needs to be hosted on a server. For this, we can use the http.server module from python to create a server.<\/p>\n<\/li>\n<\/ol>\n
- \n
- \n
After getting hosted, our page looks like this:<\/p>\n<\/li>\n<\/ol>\n
<\/p>\n
Note: <\/strong>This is just a simulation of an attack. The sensitive parameters are clearly visible in the page, but these things can easily be hidden in HTML through the hidden attribute. Consult the exploit link in the description.<\/p>\n
- \n
- \n
Now we need to lure Elif to our page. This can be done through social engineering.<\/p>\n<\/li>\n
- \n
As soon as Elif visits our page (with an active session on the application) and clicks on the button, a password change request will be sent to the server.<\/p>\n<\/li>\n<\/ol>\n
The password change message will now appear on the browser saying the password was updated successfully.<\/p>\n
- \n
- \n
Now Marty can access Elif\u2019s account through the known password.<\/p>\n<\/li>\n<\/ol>\n
Mitigation<\/h2>\n
- \n
- \n
The most common and easy method of prevention against CSRF is to include a unique CSRF token with each and every request. The token should be completely random and should be strictly validated at the backend.<\/p>\n<\/li>\n
- \n
A same-site attribute in the cookie can also be used as a CSRF prevention mechanism. The same-site attribute tells the browser not to include the user\u2019s session cookie in the requests that do not originate from the original domain.<\/p>\n<\/li>\n<\/ol>\n
Related Blogs<\/h2>\n
- \n
- \n
- \n
- \n
- \n
- \n
- \n
- \n