If you're already familiar with the basic concepts behind CSRF vulnerabilities and just want to practice exploiting them on some realistic, deliberately vulnerable targets, you can access all of the labs in this topic from the link below.

In a successful CSRF attack, the attacker causes the victim user to carry out an action unintentionally. For example, this might be to change the email address on their account, to change their password, or to make a funds transfer. Depending on the nature of the action, the attacker might be able to gain full control over the user's account. If the compromised user has a privileged role within the application, then the attacker might be able to take full control of all the application's data and functionality.

For a CSRF attack to be possible, three key conditions must be in place:

- There is an action within the application that the attacker has a reason to induce. This might be a privileged action (such as modifying permissions for other users) or any action on user-specific data (such as changing the user's own password).
- Performing the action involves issuing one or more HTTP requests, and the application relies solely on session cookies to identify the user who has made the requests. There is no other mechanism in place for tracking sessions or validating user requests.
- The requests that perform the action do not contain any parameters whose values the attacker cannot determine or guess. For example, when causing a user to change their password, the function is not vulnerable if an attacker needs to know the value of the existing password.

For example, suppose an application contains a function that lets the user change the email address on their account. When a user performs this action, they make an HTTP request like the following:

Content-Type: application/x-www-form-urlencoded
Cookie:

This meets the conditions required for CSRF:

- The action of changing the email address on a user's account is of interest to an attacker. Following this action, the attacker will typically be able to trigger a password reset and take full control of the user's account.
- The application uses a session cookie to identify which user issued the request. There are no other tokens or mechanisms in place to track user sessions.
- The attacker can easily determine the values of the request parameters that are needed to perform the action.

With these conditions in place, the attacker can construct a web page containing the following HTML:

If a victim user visits the attacker's web page, the following will happen:

- The attacker's page will trigger an HTTP request to the vulnerable web site.
- If the user is logged in to the vulnerable web site, their browser will automatically include their session cookie in the request (assuming SameSite cookies are not being used).
- The vulnerable web site will process the request in the normal way, treat it as having been made by the victim user, and change their email address.

Although CSRF is normally described in relation to cookie-based session handling, it also arises in other contexts where the application automatically adds some user credentials to requests, such as HTTP Basic authentication and certificate-based authentication.

Manually creating the HTML needed for a CSRF exploit can be cumbersome, particularly where the desired request contains a large number of parameters, or there are other quirks in the request. The easiest way to construct a CSRF exploit is using the CSRF PoC generator that is built in to Burp Suite Professional:

- Select a request anywhere in Burp Suite Professional that you want to test or exploit.
- From the right-click context menu, select Engagement tools / Generate CSRF PoC.
- Burp Suite will generate some HTML that will trigger the selected request (minus cookies, which will be added automatically by the victim's browser).
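To make the three conditions concrete, here is an added example (not code from the original page or from PortSwigger) that models the email-change endpoint described above in plain Python: the first handler trusts the session cookie alone, so a cross-site form submission that the victim's browser decorates with that cookie is accepted; the second adds an unpredictable per-session token, removing the third condition. The session id, usernames and addresses are constructed sample values.

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed in-memory state: one logged-in user identified by a session cookie.
SESSIONS = {"s3ss10n": "wiener"}          # session id -> username (constructed)
EMAILS = {"wiener": "wiener@example.com"}  # current account email (constructed)
CSRF_SECRET = secrets.token_bytes(32)      # server-side key for the token HMAC

def csrf_token(session_id: str) -> str:
    """Token bound to the session; a cross-site page cannot read or guess it."""
    return hmac.new(CSRF_SECRET, session_id.encode(), "sha256").hexdigest()

def _session_user(headers: dict):
    """Resolve the user solely from the 'session' cookie, as the page describes."""
    morsel = SimpleCookie(headers.get("Cookie", "")).get("session")
    return SESSIONS.get(morsel.value) if morsel else None

def change_email_vulnerable(headers: dict, body: str) -> int:
    """Conditions 2 and 3 hold: cookie-only identity, every parameter guessable."""
    user = _session_user(headers)
    if user is None:
        return 401
    EMAILS[user] = parse_qs(body)["email"][0]
    return 302

def change_email_protected(headers: dict, body: str) -> int:
    """Same action, but the form must carry the token tied to this session."""
    user = _session_user(headers)
    if user is None:
        return 401
    form = parse_qs(body)
    session_id = SimpleCookie(headers["Cookie"])["session"].value
    sent = form.get("csrf", [""])[0]
    if not hmac.compare_digest(sent, csrf_token(session_id)):
        return 403  # token absent or wrong: reject as a forged request
    EMAILS[user] = form["email"][0]
    return 302

def forged_request_cookie_only():
    """Constructed: what the server sees when a logged-in victim's browser submits
    an attacker-controlled form. The browser adds the cookie; the body has no token."""
    headers = {"Content-Type": "application/x-www-form-urlencoded",
               "Cookie": "session=s3ss10n"}
    return headers, "email=attacker@example.com"
```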