Cross-Site Request Forgery (CSRF) Explained

Captions
We are officially at the halfway mark for the five-week program. If you're not familiar with the 5-Week Program, a few weeks ago I launched this program to help beginners find their first valid vulnerability, whether it's a bug bounty program or a VDP, a vulnerability disclosure program. Shout-outs to you guys: a bunch of you have found your first vulnerability, and I want to take this time to congratulate you all on your hard work and also encourage you to finish these next three weeks strong. We're going to kick off with an easier week this week, because I understand that XSS and IDOR are pretty big and heavily loaded and it takes a while to get used to those. So this week we're going to take it easy with a little bit of CSRF, which is kind of still valid, especially if you're doing a pentest; you'll see a lot of these CSRFs. But also with bug bounty hunting there are going to be times where you will find some old applications that not only haven't implemented CSRF protection, but sometimes have implemented CSRF very wrong, and you can actually bypass those limitations. I'm hoping to explain all of those to you throughout this video. Before we jump into the video, you've got to do me a favor: drop me a comment and let me know if you're a part of the 5-Week Program. You can just drop a comment that says "5WP", 5-Week Program, and that will let me know how many of you guys are actually participating. If you haven't done it already, it's never too late and you still have time: go down below into the description, click on that Discord link, come join us, and let me help you find your first vulnerability.

But before we jump into our lab, let me explain what CSRF is, and then I'm going to show you what an example of a good versus a bad CSRF looks like, and we're going to solve some of our labs for CSRF specifically. It pretty much means that an attacker can force their target into an unwanted action. That action could be things like deleting their address, changing their name, changing their username, or even turning off their notifications, which in some cases is not really a higher-priority vulnerability, and that is an example of a bad CSRF, because you want to be able to justify the criticality of your CSRF by answering the question of "so what?": how is this going to affect that user if I force them into this unwanted action? So for example, if you force them into changing their password, obviously you can gain access to their account and they're going to lose access to it, versus turning off notifications, which isn't really a critical vulnerability. In some cases it is still valid and some companies are going to actually award it, but in this case I think it's maybe a low or a medium at its highest value, and a lot of times companies aren't going to actually acknowledge it. So keep that in mind when you look for CSRF: again, it is just dependent on what the action is. But there are also other ways you can bypass CSRF mechanisms, which I will show you in this video.

For now let's jump into our lab. We're going to go to hackinghub.io; if you want to follow along, go to HackingHub, it's under my 5-Week Program hub, click on CSRF and launch it, and it's going to give you a username and password. As you can see I'm already logged in here, and we're going to take a look at what functionalities are within the profile page. So for example, in this case, like I mentioned, there's notifications here, and if I pull up Caido and intercept this, we can see that it's sending this request to the profile notifications endpoint, and the only header that we see here is a Cookie header; everything else here is for the browser. It's sending this POST with the notification set to disabled. So in this case we don't even see a single hint of a CSRF protection, because usually you would see something in the headers, for example they will have X-CSRF-Token with some value, or sometimes you will see it attached to the POST data, for example token=whatever or authenticity_token=whatever, and that's when you can see that there is some sort of a defense against CSRF. So for this case there isn't anything here; this is by default a vulnerable CSRF. All you have to do now is take this into a CSRF generator: if you have Burp Suite Pro you can actually right-click and say "create CSRF PoC", but if you don't have it, don't worry, you can go to the security.love CSRF PoC generator, give it the data, and it will create that PoC for you. Once your target, for example in the browser on the right, clicks that link that is created by that CSRF PoC, then it would immediately disable the notifications.

So now let's take a look at this example. As you can see, notifications here are enabled, and I have my CSRF PoC here. We're going to click on this button and we're going to refresh this page, and as you can see it says notifications changed, and it turns out that we were able to turn this to false. But again, please keep in mind this isn't really a critical vulnerability; disabling notifications isn't a vulnerability, but I wanted to show you an example of an action that has no CSRF protection against it, and this is a good case to take a look at.

Let's look at other functionalities here. Let's go to password. In this case, changing the password is going to be kind of hard, because even if there isn't a CSRF protection for this, it requires the current password. But I'm going to try it one more time: I'm going to request this, it's going to send this request, and you can see again there isn't any CSRF protection here, but even though there isn't one, the current password itself kind of acts as a mechanism here that stops you from reporting it. So in some cases some companies may take this; I personally would never report this, because it requires me to know their password, and if you know their password then what's the point of doing all this. On a pentest I would report this, but honestly the password itself is some sort of a mechanism here that stops us from reporting, and if we remove it, the password isn't going to change; it's going to come back and ask us for more information.

Now let's look at a couple more things. This is actually a really good place to look for CSRF: anything that allows you to alter a user's information that could gain you access to their account is always a good place to look at. So for example, in this case we have the email address. Sometimes you may be able to actually delete or add an API token, for example if it allows you to put in your own API token; sometimes you can add a new secondary email address or add a user to an organization. Those are all actions that are very sensitive. So in this case, if we update this, I'm going to update this to 1@1.com, I'm going to make sure we're intercepting this, I'm going to update this, and we can see that it's the same thing here, same thing as last time: there is no CSRF token here. But this is a great example of a good CSRF to report, because at the end of the day, if you change that email address and it becomes 1@1.com, you actually have fully taken over an account, and this is considered a CSRF leading to account takeover, which in some cases could be a high or a critical depending on the program and how the application is created. The reason why this is valuable is because by changing the email address, what we can do is take that email address, go to the login page, click forgot password, and request a new token to be sent to the email address that we have changed it to. So in this case you have a full account takeover; it may require some user interaction, but again this is a good CSRF versus the bad CSRF in the case of notifications.

There are going to be some times where a functionality is going to present itself with a CSRF token. So in this case I'm assuming this one has something, and you can see this has a CSRF token. If you change the username and remove the token, sometimes it still works. We're going to try that one more time: naham3, we're going to update it. When there is this value present in our request, what I like to do a lot of times is go into our Repeater and see what I can do with it. So for example, can I remove this CSRF parameter completely and see if it works? If that does work, then sometimes it is a CSRF on its own. I'm actually going to go to our profile again; let's make sure we're not intercepting. This one didn't work, but there's a couple of other things that you can try. So the first thing when I see a CSRF token is to completely remove it. The other option is to actually add an invalid token to it: so maybe if I change a value, it's just looking for a number of characters in that string. I send it, I refresh the page again, I go to username, that doesn't work. The third thing that I like to try here is, since we have the capability of making two different accounts, what I'm going to do is perform this action on this other account. So on my build hack secure, which is Adam's account, I'm going to make this action, I'm going to call it "two" here, and I'm going to intercept. I'm going to take the value for this user's CSRF token and I'm going to drop this request, just in case that value is unique. I'm going to go to my original request for naham, so on this account now we want to change naham to naham3, and I'm going to replace that token with the other user's token. So I have two accounts: this one is the one that I want to take over; I perform the action with this other account, take its CSRF token and put it in here. So if I send this and refresh the page and the username has been changed, it is going to hint to us that, hey, they actually allow you to reuse CSRF tokens. CSRF token reuse is one of the top things I've seen on my pentests and some of these bug bounty programs: they allow you to do that, and by having that bypass you could just do CSRF on a lot of different actions. So a lot of times I will report this as a CSRF mechanism bypass, and then if there are some really interesting endpoints, like the email address one, I would go in there and change the email address to demonstrate a critical CSRF where it leads to an account takeover. So if you do see CSRF tokens, try these things: remove them, edit them, or also see if you can change the CSRF value from account A to account B and see if that request still works.

But now let's talk about one more case of CSRF that isn't technically a POST request. So for example in this case, if I start my intercept again and delete this, we can see that it's actually doing this process with a GET request. So in this case if I send this GET request, it is still going to perform this action. So the number one thing we want to try here is to go in here; I'm going to actually drop this request so it doesn't get deleted, I'm going to go back, our addresses are still here, but I want to see if I can delete this again. I see a CSRF token; the first thing I'm going to do is send an empty value, and if that does work... that didn't work. Maybe if I remove the entire CSRF value for it and refresh the page: that one worked. So in this case not only did we not need to have a secondary CSRF token, by removing that entire parameter it worked. But now what we want to do here is redo this process. So I'm going to actually go into this victim account, I'm going to get my address book, I'm going to get the link for this and drop it in here to look at it; it looks like id 3 is what belongs to that user. So what I'm going to do is put that here, id 3, and what I'm going to do here is make a CSRF PoC, but this one's going to be super easy: you can actually do something like an image tag or an iframe, and then you're going to say this is the URL that I want you to send a request to, and I'm going to remove the CSRF value entirely, with the id 3, and make sure we put it in the quotation marks, yes. And now we want to open this in our browser, so I'm going to actually close this one and open our CSRF, and now if we refresh this page and our proof of concept has worked properly, we can see that the address is gone. Now we have a GET-based request where you don't even have to create a CSRF PoC and it works. The reason why I show that is because I want to also make sure you understand that there are other actions; it's not always a POST, PUT or DELETE request, GET-based requests are things that are, in this case, valid as well. And deleting someone's address is better than a notification CSRF, still not super sensitive, but it is an action that is not supposed to happen. So when you are looking for CSRF, always look at all these forms that you see on a website, see if there is a CSRF protection against them, and if there is, how can you bypass it, create a PoC and send it to the program. All right, that's it. If you haven't already, do me a favor, hit that subscribe button and I will see you all in next week's video. [Music] Peace.
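The loose token checks the video bypasses (a missing token accepted, only the token's length inspected, another account's token accepted, a GET request performing a delete) beside a hardened validator that rejects every one of them. This is an added example, not code from the video or from HackingHub; the session store, endpoint paths and the `csrf` parameter name are constructed for the demo.

```python
import hmac
import secrets

# Constructed sample session store: one entry per logged-in session, each
# with its own CSRF token (mirrors the two accounts used in the video).
SESSIONS = {
    "sess-victim": {"user": "naham", "csrf": secrets.token_hex(16)},
    "sess-attacker": {"user": "adam", "csrf": secrets.token_hex(16)},
}

# Constructed paths whose handlers change server-side state.
STATE_CHANGING = {"/profile/username", "/profile/email", "/address/delete"}


def weak_check(session_id, method, path, params):
    """Validation as loose as the one the video bypasses: a missing token
    passes, any token of the right length passes, the token is never tied
    to the session, and GET is treated like POST."""
    token = params.get("csrf")
    if token is None:
        return True          # parameter removed entirely -> still accepted
    return len(token) == 32  # only the length is inspected, not the value


def strict_check(session_id, method, path, params):
    """Hardened validation: state changes require POST, the token must be
    present, and it must equal this session's own token (constant-time)."""
    if path in STATE_CHANGING and method != "POST":
        return False         # GET/img/iframe-triggered deletes are refused
    session = SESSIONS.get(session_id)
    if session is None:
        return False
    token = params.get("csrf")
    if not token:
        return False         # missing or empty token is refused
    return hmac.compare_digest(token, session["csrf"])


def run_cases(check):
    """Replay the video's four bypass attempts plus one legitimate request
    against a validator and return which ones it lets through."""
    own = SESSIONS["sess-victim"]["csrf"]
    other = SESSIONS["sess-attacker"]["csrf"]
    cases = {
        "valid":      ("sess-victim", "POST", "/profile/username", {"csrf": own}),
        "missing":    ("sess-victim", "POST", "/profile/username", {}),
        "garbage":    ("sess-victim", "POST", "/profile/username", {"csrf": "a" * 32}),
        "other_user": ("sess-victim", "POST", "/profile/username", {"csrf": other}),
        "get_delete": ("sess-victim", "GET", "/address/delete", {"id": "3"}),
    }
    return {name: check(*args) for name, args in cases.items()}
```

Running `run_cases(weak_check)` accepts all five requests, while `run_cases(strict_check)` accepts only the legitimate one.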
Info
Channel: NahamSec
Views: 9,493
Id: wYazaHJ3l0E
Length: 11min 58sec (718 seconds)
Published: Wed Mar 06 2024