Cross Site Request Forgery:
- The attacker first studies the website's functionality to find requests that change state (for example a password change) and notes the exact parameters they carry.
- The attacker then builds a page on their own site that issues the same request to the target, but with the attribute/parameter values changed to ones of the attacker's choosing.
- The victim must already be logged into the intended website, i.e. must have an active session: the browser automatically attaches the session cookie to the forged request, and that cookie is what makes the server accept it.
- If the victim is not logged in, the forged request is simply rejected, so the vulnerability only works against an authenticated session.
- Below are some of the functionalities where CSRF may be possible:
- Change passwords
- Transfer money
- Add users
- Delete users
- Change roles
- Post data on behalf of users
How to avoid CSRF:
- Use an anti-CSRF token: an unpredictable secret bound to the user's session, embedded as a hidden field in every state-changing form and verified by the server on each submission. An attacker's page cannot read the token (same-origin policy), so it cannot build a request the server will accept.
- Perform state changes with POST rather than GET, so that a plain link cannot trigger them; as defence in depth, check the Origin/Referer header and set the SameSite attribute on the session cookie.
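As an added illustration of the token defence (example code written for this page, not DVWA's own implementation): a minimal Python model of the change-password handler in its vulnerable and token-protected forms. The in-memory session store, the cookie name PHPSESSID and the field name user_token are assumptions chosen to mirror a PHP application like DVWA; the forged request replays the parameters from the crafted link, which the attacker knows, without the token, which the attacker cannot know.

```python
import hmac
import re
import secrets

# Hypothetical in-memory session store (session id -> session data), constructed
# for this example. The cookie name PHPSESSID and the field name user_token are
# assumed to mirror a PHP application like DVWA; the handlers are not DVWA's code.
SESSIONS = {}


def login(username):
    """Create a session with an initial password and a fresh anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {
        "user": username,
        "password": "initial",
        "csrf_token": secrets.token_urlsafe(32),
    }
    return sid


def render_change_password_form(sid):
    """Serve the form with the session's token embedded as a hidden field.
    The same-origin policy stops an attacker's page from reading this form,
    so the token cannot be copied into a forged request."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/vulnerabilities/csrf/">\n'
        f'<input type="hidden" name="user_token" value="{token}">\n'
        '<input type="password" name="password_new">\n'
        '<input type="password" name="password_conf">\n'
        '<input type="submit" name="Change" value="Change">\n'
        '</form>'
    )


def token_from_form(html):
    """What the legitimate browser does implicitly: submit the hidden field."""
    return re.search(r'name="user_token" value="([^"]+)"', html).group(1)


def change_password_vulnerable(cookies, params):
    """Vulnerable handler (any method, no token): only the session cookie is
    checked, and the browser attaches that cookie automatically, so a request
    triggered from the attacker's page succeeds."""
    session = SESSIONS.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, "not logged in"
    if params.get("password_new") != params.get("password_conf"):
        return 400, "passwords do not match"
    session["password"] = params["password_new"]
    return 200, "password changed"


def change_password_protected(cookies, params, method):
    """Hardened handler: state changes must be POST and carry the token bound to
    the session. hmac.compare_digest avoids a timing side channel on the compare."""
    session = SESSIONS.get(cookies.get("PHPSESSID"))
    if session is None:
        return 401, "not logged in"
    if method != "POST":
        return 405, "state change must use POST"
    supplied = params.get("user_token", "")
    if not hmac.compare_digest(supplied, session["csrf_token"]):
        return 403, "CSRF token missing or invalid"
    if params.get("password_new") != params.get("password_conf"):
        return 400, "passwords do not match"
    session["password"] = params["password_new"]
    return 200, "password changed"


def demo():
    """Replay the forged change-password request against both handlers."""
    sid = login("admin")
    victim_cookies = {"PHPSESSID": sid}  # sent by the browser on every request
    # Parameters from the forged link: the attacker knows these, but has no way
    # to learn the victim's token.
    forged = {"password_new": "dddd", "password_conf": "dddd", "Change": "Change"}

    vuln_status, _ = change_password_vulnerable(victim_cookies, forged)
    after_vuln = SESSIONS[sid]["password"]

    SESSIONS[sid]["password"] = "initial"  # reset for the protected handler
    forged_status, _ = change_password_protected(victim_cookies, forged, "POST")
    after_forged = SESSIONS[sid]["password"]

    # Legitimate flow: the user loads the form, which carries the token.
    form = render_change_password_form(sid)
    legit = dict(forged, user_token=token_from_form(form))
    get_status, _ = change_password_protected(victim_cookies, legit, "GET")
    legit_status, _ = change_password_protected(victim_cookies, legit, "POST")
    after_legit = SESSIONS[sid]["password"]

    return {
        "vulnerable": (vuln_status, after_vuln),
        "forged_vs_protected": (forged_status, after_forged),
        "get_vs_protected": get_status,
        "legit_vs_protected": (legit_status, after_legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the forged request changing the password in the vulnerable handler, being rejected with 403 by the protected one even though it carries the victim's cookie, and the same parameters succeeding only when the token taken from the legitimately served form is present and the method is POST.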
- In DVWA (Damn Vulnerable Web Application), the attacker can walk through the change-password functionality.
- When the password is changed, the request is a GET with the new password in clear text in the URL's query string, and it carries no anti-CSRF token; the only thing that ties it to the user is the session cookie, which the browser adds automatically:
- http://192.168.0.7/vulnerabilities/csrf/?password_new=abcd&password_conf=abcd&Change=Change#
- (The trailing # is a URL fragment and is not sent to the server.)
- So the attacker can change the password value in the URL, i.e. craft the URL, and send it to a victim user who is already logged into the same application.
- As shown below, we changed the password value to a new value:
- http://192.168.0.7/vulnerabilities/csrf/?password_new=dddd&password_conf=dddd&Change=Change#
- Next, create a new HTML page on the attacker's Linux (Ubuntu) machine.
- Open a text editor from the terminal (for example nano; Notepad is a Windows program and is not available on Ubuntu).
- Enter the HTML below, i.e. put the forged URL with the changed password value in the anchor tag, and save it as an .html page:
- <html>
<body>
<!-- The href must be an absolute URL with the http:// scheme: a bare "192.168.0.7/..." is treated as a relative path and would resolve against the attacker's own site instead of DVWA. -->
<a href="http://192.168.0.7/vulnerabilities/csrf/?password_new=dddd&password_conf=dddd&Change=Change#"> Click Here </a>
</body>
</html>
- Save this forged HTML page in the attacker's web root, /var/www.
- /var/www is where web pages are hosted on Linux (with Apache 2.4 on current Ubuntu releases the default document root is /var/www/html), so that anyone can open the page in their browser by typing its address.
- Provide this link to a victim user who is already logged into DVWA.
- Once the user clicks the link, the browser sends the GET request together with the victim's DVWA session cookie and the password is changed, without the victim's knowledge.
- This works at DVWA's Low security level, which performs no check at all; the Medium level checks the Referer header and the High level requires a per-session anti-CSRF token (user_token), so the same link fails there.
- Because a clicked link is a top-level navigation, the session cookie is sent even under the SameSite=Lax default of current browsers; a hidden <img> or iframe loading the same URL would not get the cookie under Lax.