In this document, we will discuss what is CSRF vulnerability, what are the problems if CSRF is exploited, how can you check for it, and how to mitigate it.
Table of content:
- Introduction to CSRF.
- Advantage of CSRF for an attacker
- How to perform CSRF
- When there is no CSRF token
- When a CSRF token is implemented
- How to prevent CSRF as a developer
- How to prevent CSRF as a user
So basically, what is a CSRF vulnerability?
CSRF is a short form for Cross-Site Request Forgery. It is an attack where a legitimate user is tricked into parsing a malicious request (which is requested by an attacker) in his/her account.
In other words, let’s say in your house your mother has cookies and your brother has access to it but you don’t. So, you tricked your brother and you gain those cookies. That’s the CSRF.
What could an attacker gain if CSRF is exploited?
Suppose you have a bank account and a phone in which you have enabled 2FA(Two Factor Authorization). So, an attacker gave you a malicious script and you ran that.
After a while, you noticed you are not getting notifications on your phone and you realized that your 2FA is disabled.
In this case, the attacker gave his request to disable his 2FA and you ran it and you disabled your 2FA.
So imagine how horrible can be the situation if CSRF is commonly exploited.
And unfortunately, CSRF is a common vulnerability.
How to perform CSRF?
- Make sure the user is logged in during this time.
- Intercept the request, modify it and generate CSRF PoC.
- Now, send that HTML page to the user.
- And when the user opens the link while he is still authenticated,
- the CSRF attack is successful.
Situation 1. When there is no CSRF token.
It will be quite easy.
Step 1. As an attacker: Fill in the required details and intercept that request with burp.
Step 3. As an attacker: Copy the HTML part and save it as an HTML document.
- ToAccountNo is the account number that an attacker wants the user to transfer.
- The amount is the amount that an attacker wants to transfer to the user account.
Step 4. As an attacker: Send that HTML document to the user and make sure he is logged in.
So the above steps were when there is no CSRF token.
Then what is a CSRF token?
CSRF token is a value that is given to a request by the server to make that user unique.
So are you as a hacker will stop just because of some float value.
The answer is NO WAY.
Situation 2. When there is a CSRF token.
Sometimes or better, oftentimes these CSRF token are not checked by the server so to evade this security measure, you just have to remove that CSRF token completely or just replaces it by 1 or if that token is 432321 then give a random value of 6 digits.
Let’s automate this process through burp.
Step 1: Go to Proxy section in burp and go to Options and there will be Match and Replace.
Step 2: Click on add and fill as below:
CSRF token will be either in Request header or in the Request body. By completing the above steps burp will automatically replace “CSRF:” with something you have given in Replace box in burp.
To bypass CSRF token security implementation you just need to give the following in Replace box in burp without double quotes one by one.
- “” (blank)
- Random digits
- “123456” (if the original token in 6 digits)
How can you prevent CSRF (as a developer)?’
- Make the server verify the CSRF token.
- Make user give their password if any sensitive information is changing. Every user will have a different password so there will be no CSRF.
How can you prevent CSRF (as a user)?’
- Beware of social engineering attack.
- Your virtual details are primarily your responsibility.
I hope this article helps you to understand the CSRF attack.
Thank you for your time (Divy Tej).