
10/4/23, 11:30 AM Understanding the Cross Site Request Forgery (CSRF) attack | by Grzegorz Piechnik | Medium

Understanding the Cross Site Request Forgery (CSRF) attack
Grzegorz Piechnik
5 min read · May 11

The Cross Site Request Forgery attack is one of those attacks that are hard to recognize at first glance, and it is most often used in conjunction with other attacks. It consists of forcing a logged-in user's browser to perform an action in a web application that the user did not intend. Combined with other vulnerabilities, CSRF can have a range of consequences: [exposing sensitive data](https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba), [deleting, editing and adding data](https://ysamm.com/?p=702) or even [taking over a user's account](https://nirajmodi51.medium.com/missing-cors-leads-to-complete-account-takeover-1ed4b53bf9f2).

Token
There are several ways to protect against CSRF attacks. It is worth mentioning that
most of today’s frameworks have built-in protection against CSRF (for example,
.NET).

The most widely known of them is to generate random tokens, i.e. to use the Synchronizer Token Pattern. The tokens are generated on the server side, either once per user session or freshly before each request, and embedded in the form as a hidden field:

    <form action="/checkout" method="post">
      <input type="hidden" name="CSRFToken" value="edc5bb791b41b9d5d25a662dfe0bd117">
      (...)
    </form>

When the form is submitted, the server checks that the CSRFToken it receives matches the one it generated earlier. The attacker cannot predict the token generated moments earlier for the victim's session, so a forged request cannot carry a valid one.

Example on a live application

So far we have stayed in the world of abstraction and theory, so let's move on to practice, which will illustrate the problem and the Cross Site Request Forgery attack itself. To start with, let's clone the [repository](https://github.com/Learn-by-doing/csrf-examples) locally. Then let's install the necessary libraries and run the application locally. At http://localhost:3000/login is our vulnerable application. Let's log in using the login bob and the password test.

We see in front of us a simple form for transferring funds to other users' accounts. We have 500 funds in our account. Now let's go to the attacker's site at http://localhost:3001/.

Let's take a look at the Network tab in the developer tools. As you can see, several requests have been sent to the vulnerable page. In addition, when we go back to it, we can see that our balance has changed.


How did it happen that the balance of our account decreased by 13? Let’s check the
requests from the attacker more closely.

GET /transfer?to=alice&amount=4 HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://localhost:3001/
Cookie: connect.sid=s%3AIIXi7mXyaq2sXJuCSaiBEUtkwrYzQxFu.CrlsY1pvQRTrS615VWPdhP

POST /transfer HTTP/1.1
Host: localhost:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
Origin: http://localhost:3001
DNT: 1
Connection: keep-alive
Referer: http://localhost:3001/
Cookie: connect.sid=s%3AIIXi7mXyaq2sXJuCSaiBEUtkwrYzQxFu.CrlsY1pvQRTrS615VWPdhP
Upgrade-Insecure-Requests: 1

to=alice&amount=9

Among these requests there were two with a response status of 302. One of them is a GET request whose parameters name the person to whom our funds are to be sent (alice) and the amount (4). The second is a POST request whose body carries the same information, but this time the amount of funds to be sent is 9. Together that is 13 funds, which is exactly how much has disappeared from our account.

Vulnerability detection scripts


There are a slew of scripts and tools to check if an application is using tokens
correctly (if at all). One of the tools is [Bolt](https://github.com/s0md3v/Bolt). Its
operation is trivially simple.

┌──(figaro㉿kali)-[~/Desktop/3rdtools/Bolt]
└─$ python3 bolt.py -u http://www.ip:port/ -l 2

⚡ BOLT ⚡

(...)
⚡ Phase: Crawling [1/6]
[!] Crawled 12 URL(s) and found 12 form(s).
⚡ Phase: Evaluating [2/6]
[+] Insecure form(s) found
⚡ Phase: Comparing [3/6]
[-] No CSRF protection to test

Another such tool is [XSRFProbe](https://github.com/0xInfection/XSRFProbe).

┌──(figaro㉿kali)-[~/Desktop/3rdtools/XSRFProbe]
└─$ xsrfprobe -u http://www.ip:port/

[---] XSRFProbe, A Cross Site Request Forgery Audit Toolkit
[---]
[---] ~ Author : Pinaki Mondal ~
[---] ~ github.com / 0xInfection ~
[---]
[---] ~ Version 2.3.1 ~

[!] Testing site www.evil-page.com status...
[+] Site seems to be up!
[!] Testing endpoint status...
[+] Endpoint seems to be up!
[*] Preparing the request...
[*] Processing the GET Request...
[!] Trying to parse response...
[!] Checking endpoint request validation via Referer Checks...

+--------------------------------------+
| Referer Based Request Validation |
+--------------------------------------+

[!] Making request on normal basis...
[*] Preparing the request...
[*] Processing the GET Request...
[*] Setting generic headers...
[!] Making request with Tampered Referer Header...
[*] Preparing the request...
[*] Processing the GET Request...
[-] Endpoint Referer Validation Not Present!
[-] Heuristics reveal endpoint might be VULNERABLE to Origin Based CSRFs...
[+] Possible CSRF Vulnerability Detected : http://www.evil-page.com/!
[+] Possible Vulnerability Type: No Referer Based Request Validation
[!] Confirming the vulnerability...
[!] Confirming endpoint request validation via Origin Checks...

+-------------------------------------+
| Origin Based Request Validation |
+-------------------------------------+

[!] Making request on normal basis...
[*] Preparing the request...
[*] Processing the GET Request...
[*] Setting generic headers...
[!] Making request with Tampered Origin Header...
[*] Preparing the request...
[*] Processing the GET Request...
[-] Endpoint Origin Validation Not Present!
[-] Heuristics reveal endpoint might be VULNERABLE to Origin Based CSRFs...
[+] Possible CSRF Vulnerability Detected : http://www.evil-page.com/!
[!] Possible Vulnerability Type: No Origin Based Request Validation

[!] Retrieving all forms on http://www.evil-page.com/...

[+] Scan completed!

Sources
https://owasp.org/www-community/attacks/csrf
https://github.com/Learn-by-doing/csrf-examples
https://rohitcoder.medium.com/victims-anti-csrf-token-could-be-exposed-to-third-party-applications-installed-on-user-s-device-be8e40d511ba
https://ysamm.com/?p=702
https://nirajmodi51.medium.com/missing-cors-leads-to-complete-account-takeover-1ed4b53bf9f2
https://github.com/s0md3v/Bolt
https://github.com/0xInfection/XSRFProbe

Written by Grzegorz Piechnik, Performance Test Engineer, bug bounty hunter
