Web App Penetration Testing - #13 - CSRF (Cross Site Request Forgery)

Captions
[Laughter] [Music] Hey guys, HackerSploit here, back again with another video, and welcome back to the web application penetration testing series. In this video we're going to be looking at cross-site request forgery, or CSRF. Now, this is an extremely important topic, and a big one, so I want to cover it correctly. For the purpose of this video I've set up a very unique environment that, at least in my opinion, will demonstrate how to utilize, or how to perform, this attack.

Now, I'm just going to give you a brief overview of the environment that I have. Of course, you can see I have a few files open here; don't worry about them right now, just remember that we'll be using them later on, and I'll be using them to explain what's going on here. So you can see, as my target, or as my vulnerable system, my vulnerable web application I should say, I'm going to be using the OWASP Juice Shop. Now, no one actually recommended this to me, but I remember that I performed this during a CTF challenge that I went to earlier, I think late last year, I'm not too sure exactly when, but the whole process involved exploiting this web application. In my opinion this really outlined, or really showed off, how to perform all of these various web application attacks; in this case we're going to be focusing on cross-site request forgery.

So I have the Juice Shop running. It's based on Node.js and it's running on my localhost; let me just show you that right now. There we are. So I haven't logged in or done anything yet, and that's because I'm going to do that with you. So I've set it up and it's running on my localhost. If you want me to make a video on how to set the OWASP Juice Shop up, I will make it, because this is a fantastic way of explaining how everything works and understanding how these attacks work. In regards to that, the OWASP Juice Shop is a complete CTF challenge that you can run, or take part in, or you can go through it, and if you find the flag, well done. So remember, if you want me to make a video of that, just let me know in the comment section down below.

So let's get started with this really simple but sometimes complicated topic. All right, so cross-site request forgery, CSRF. Now, from the name you can already tell that it's split into two sections: you have your cross-site and your request forgery. So from that we can get a basic example of what's going on here: we have cross-site scripting, and we are going to be forging requests, or we are going to be manipulating requests. Hmm, interesting. So we are kind of understanding what's going on here. Now, the technical explanation for what CSRF is: it is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. All right, so let me put that really simply: it's an attack that will force an end user to execute unwanted actions on a web application. These actions can be anything, but in this case we're going to be looking at changing the password, and they have to be currently authenticated to that web application, which means they have to be logged in to that web application for this to work, because if they're logged out then, you get the idea, it really doesn't help, or it doesn't work.

So we use cross-site scripting in this case to perform the request forgery and to get either desired or undesired results. In our case we're going to be looking at how to change the password of any user that's logged in to this web application. And how will we be doing that? Well, we are going to be using CSRF, but the first thing you need to understand is how an HTML form works. This is very important. First of all, a client will request a page from a server. The server will then respond and give the client the HTML form. The client will then send the form with the data back to the server. The server will then authenticate and authorize the user, and then it will perform the requested action. Based on the request and the response, we are able to forge, or to change, the request and get a desired response, if you're looking at it from an attacker's perspective.

So the way CSRF works is that the attacker will manipulate the victim into submitting the attacker's form data to the victim's web server, essentially performing these requests. In our case, as I've mentioned, it will allow us to change the password of any user on this web application, in this case the OWASP Juice Shop web application.

Now you might be asking, well, if I'm a bug bounty hunter, or I'm practicing to become a bug bounty hunter, how do I go about finding this vulnerability? Well, that's a very good question, and that is the question you should be asking yourself when performing any penetration test. Now, coming back to my environment, I'm running Burp Suite, the Community Edition. You'll just need the Community Edition for this one; we're not performing any advanced techniques here, because we're essentially just going to be changing the requests to get our desired responses, but once we move on to the advanced stuff I'll then be using OWASP ZAP for our attacks.

So, keeping things really simple, the way to look for these vulnerabilities is to target the login pages, which we have right here. We can then create the account and log in, and then finally we will be creating our own script to perform the cross-site scripting, and that will allow us to submit the data, or, if we send the URL to another user of this web application who is currently authenticated, it will allow us to make them change their password, and then we can log into their account. So this vulnerability is very common on sites with accounts, you know, sites that have emails and passwords, and as you probably would have guessed there are a lot of sites that utilize this functionality, but remember most of the sites out there will be protected from this vulnerability, so it's up to you to find these vulnerabilities.

So, as I've mentioned, we'll be using OWASP Juice Shop as our target, and the reason is because it will explain what I want to explain really well, and we'll be using the Burp Suite Community Edition. Now, as you can see, I'm currently running the proxy. I'm not intercepting any traffic: if I open up Burp Suite, I'm not intercepting any traffic; if I go to Proxy and Intercept, I'm not intercepting anything. So currently I'm just going through the proxy, and all traffic and data is being logged through the proxy.

So, when it comes down to this little data that I've saved here: I've already created an account. The reason I've done that is to save time, because I don't want to explain everything about it. So I've created a user with the email of test@test.com and a password of password. Really simple; again, there's nothing complicated here. And if you're wondering what exactly this means, well, this is a security question with the answer: the question was "what's my favorite pet" and I wrote in "dog", so hopefully that doesn't scare you into thinking that I've gone completely crazy. And then in here we have the script that we'll be utilizing to perform the CSRF on the site. I'll get to this in a second; we don't need that right now.

So if I want to log in, I know that the email is test@test.com and the password is password. So let me do that right now. We need to authenticate, so let me log in like so: I'm going to type test@test.com, and I'm going to write the password, which is password, and I'm going to hit Login. I don't want to save the password, and there we are, logged in now.

Now, as I said, this vulnerability works really well when you're talking about changing passwords, because, as you can probably guess, an attacker would be looking to exploit this functionality. Imagine if we were able to send a request, a GET request, to our target with the URL, an encoded URL of course (we can also use link shorteners if we wanted to do that), and essentially, if they are authenticated, it will allow us to make them change their password simply by clicking on the link, changing their password to whatever we specify.

So how do we do this? Well, the first thing we need to do is look at how the GET requests are being sent, and we can do that using Burp. So we are just going to change our password. Our current password is password, and what I'm going to do is change my password to, oops, sorry, password123, and I'm going to repeat it, so password123, and I'm going to hit Change. All right, so the password was successfully changed. Okay, now let's look at how this was processed in Burp, or how the request was sent, in Burp. So I'm going into Burp, Proxy, HTTP history, and I'm going to go all the way to the bottom, and as you can see we have the GET request right over here. Okay, so the GET request is very interesting. You can see we have the GET request and it's targeting the following URL, and these are the parameters: change-password, the current password is password, the new password is password123, and we've repeated it.

So now let us perform the forgery here. I'm going to send this to the Repeater. So I'm going to click on Repeater, and in here we can manipulate the requests and see what responses we get, in case you did not know about that. But again, let's start off really simply. We are going to be working with the raw request; we don't want to work with individual parameters, although you could change it that way, but we are going to be manipulating the request entirely so that it performs what we want to do.

So what we can do first is test. What if we were to change the current password to something like, let's see, test? Let's change it to test, and then we hit Go. You can see that the response we get is a 401 error, which means we are unauthorized to make that, and it will give you the message right here: the current password is not correct. All right, that's good; that is good from a web application perspective, which means that this web application is performing validation and it's not going to allow us to just go in and start manipulating any requests and making changes. So from a security perspective the web application is doing really well.

What if I was to change the new password? Let me change this back to password for the current password, which is what we set, and I change the new password to pass123. I hit Go, and again we get another error, again the 401 Unauthorized error, telling us that the new and repeated password do not match. So yes, the current password is correct, and the only thing we're getting an error on is that the new password and the repeated password are not the same. So, interesting. What if we want to change the password to password123, and we repeat that again? So we want to confirm this: password123. Actually, hold on, so I'm going to say password123, and now let's see what this tells us. This should verify it, but let's see if this works. You can see, yes, that does work, and we know that this works because that's what we did; that was the original request.

But what if we do not know the current password of the user? Remember, we're going to be targeting other users of this web application. So what if we get rid of it? And this is the way penetration testers go about it: what if we get rid of stuff? So what if we get rid of the current password? Now essentially the GET is targeting change-password with the question mark here, essentially requesting, and we're only entering the fields, or parameters, new and repeat. What if we do that and we change them to pass123 and pass123? Let me hit Go. You can see, yes, it does work. We get the 200 response, which means everything was processed correctly, and we were able to get a password that looks to be hashed, and we got the email that we used. So yes, we do know that it is working.

So we know that this worked, but we need to confirm that this has worked. We can do this by going back into our web application, and we can log out and try to log in again with our new password. So we're going to say test@test.com, and our new password was pass123. Remember, we changed it earlier, but again I was demonstrating that if we are to send this to our target we need to make sure that it will work without any pre-required information like their current password. So we've manipulated the request there, so let's hit Login, and voilà, you can see it does work. Excellent. So this is a fantastic example of how CSRF can be utilized, or how you can find vulnerabilities for it. So this can allow us to change or update the account password of anyone who is currently logged in to this web application.

So now what do we need to do? Well, we can log in, as we've already seen, and once we've logged in we can test to see if cross-site scripting does work, and then of course utilizing it throughout the web application is very important. So we can run a simple cross-site scripting attack to see if it will work on the search bar right here. So I'm going to type in script, and a simple one, so alert, just to test whether it works, and in the alert we can say hello, just something stupid, hello world. And I can't even type, man, come on, world. And we have typed in the alert, and we can finally close the script here, script, like so, and let's hit Search, and voilà, we can see that indeed cross-site scripting works, which means we can insert our GET request inside a script and use cross-site scripting to perform the CSRF, and now you can see them conjoining together: cross-site scripting with request forgery.

Okay, so we now need to create our custom script that will allow us to utilize the attack, and we will be using XML and HTTP. Now, you might have seen this script right over here. Let me just minimize this and open up Leafpad. You might have seen this script that I created. Now, you can find many of these CSRF scripts online that utilize different languages; in my case I find the one that works the best is the one that works with XML and HTTP and contains the GET request in here. Okay, now you can see that the GET request requires the URL to which we submit the parameters, without the current password. So we need to go back into Burp, and if I was to go back into Proxy, HTTP, sorry about that, HTTP history, we look to change the password there. So if we go back into the Repeater, and if we look at this now, we can see that the URL is right over here, so that's the GET request. So if we copy this, the localhost obviously, and we are not using any current password field; if we can do that really simply, you can see how this can be utilized really well.

So what we need to do now is understand how the URL will be formatted. Of course, the web application is going to encode it, and I'll get to that in a second. So we need to copy this URL right here. I'm just going to copy the URL, and we can edit our script: so https, and we paste it in inside the URL. You can copy this script if you want to. Let's take a look at whether this script is formatted correctly: so GET http, no, that's not the way we want it; let me get rid of the predetermined http there. So http localhost, it's hosted on my localhost with the port 3000, the Node.js standard, and we want to change the password. The new password is pass123 and repeat is pass123. You can change that to whatever you want if you want to play around with the script, but in my case I wouldn't want to do any of that. So this is the script. So what we can do is copy this now and run this in the search bar, and that should, in theory and in practice, give us our first CSRF attack on the site. So I'm going to paste this in here and let's see whether it does this. I'm going to hit Search, and you can see: "You successfully solved a challenge: Error Handling (provoke an error that is not very gracefully handled)". Again, this is a fantastic vulnerable web application that is awesome for practicing your web application penetration testing skills.

Now, I talked about the URL that you should send to your target, and that is the URL that will essentially make them change their password without them knowing, given that they are logged in to the web application or they have an account. It will not work if they have not logged in. So that's very important to understand, and many people just forget about this.

Now again, I can log out again and try to log in now, and I can type in, for example, test; I just want to show you something very interesting. I can change the password; we already changed it to password123. Now, before I do that, I can just inspect the element here, and I'm going to log in, and I just want you to check something out. Let me just expand this a little bit here. If we were to look at the Network tab, this will essentially show us all the GET requests. So if I was to hit Login, you can see that if we look at the GET request here, the login GET request, you can go ahead and look at the exact format in which it was sent. You can look at the cookie; it should give you the authentication token. I'm not too sure, it should give you the authentication token, but that's something for another day; I don't want to complicate things for you guys. You can look at the cookie if you want to, and you have all the responses right here. So there we are, there's the authentication token, and you can see something very interesting in regards to the token. So let me show you this right now. So as I was saying, you can see that if we look at the parameters, the password will be displayed, then it will be updated to the one that we selected or specified in the script.

So remember, if you want to customize the cross-site scripting attack, you can do it through your script. Where is Leafpad here? So there we are. So you can change the password. As you see, we just got rid of the current password parameter, which is a vulnerability on the site, but you can change the password to whatever you want. And now you might be asking, as I've mentioned, what link do you send to the target? That is very simple. If I was to run the script again and I changed the password to maybe something else, like password124, or 345, sorry, 345; let me just add that to the password, and I run the script on an authenticated user, which is me. So let me copy that, and it should change my account password, and you can see once I log out and try logging in it will have changed it successfully. So let me just run it in here. I'm going to paste the new one in here and I'm going to search, and there we are. So now it's changed my password, and if I log out and I try and log in with the old password, which is password123, you can see, oops, sorry, I think I typed that in wrongly, 123 like so, hit Login, there we are. You can see that we entered the new password and it did work. Fantastic. So we were successfully able to execute the script.

And again, if I just run the script again, this is the URL that you will send to your target. So if I just copy it and I inspect it in my Leafpad here (I really love Leafpad, I don't know whether you guys love it too), if I just inspect it you can see that this indeed is a URL, and if the web application was being hosted on a server outside my local area network it would give you the website name, the port if it is port-specific, and the URL here, which as you can see is encoded. So what I would recommend is that you copy this link here and you use a link shortener like Bitly or any of the other Google shorteners, and you send that to your target, and once they click on the link, if they are already logged in to this specific web application, it will update their password, and you essentially have their password now because you've updated it, and all you need is the email, which I'm pretty sure you must know if you're performing this attack, or you could just be gathering passwords of users to whom you can send this link and who are authenticated with the web application.

So that was a very advanced topic that I wanted to explain, and hopefully I was able to do it using Juice Shop. So yeah, that's going to be it for this video, guys. If you found value in this video please leave a like down below. If you have any suggestions, questions or anything else that you would like to ask me, leave them in the comment section, on my social networks, or on the website. If you want to support the channel you can do that by clicking on our Patreon; the link should be up any second now. Any help is really appreciated, but you really don't have to if you don't want to. That being said, that's going to be it for this video, guys, and I'll be seeing you in the next video. Peace. [Music]
Info
Channel: HackerSploit
Views: 110,560
Keywords: hackersploit, hacker exploit, csrf, csrf attack, csrf protection, csrf poc, csrf tutorial, csrf tutorial step by step, csrf tutorial php, dvwa csrf tutorial, csrf attack tutorial, csrf attack tutorial in hindi, csrf attack tutorial in mvc, csrf token tutorial, burp suite, burp suite pro, burp suite crack, burp suite intruder, burpsuite kali linux tutorial, burp suite hack, burp suite windows, hacker, hacking
Id: TwG0Rd0hr18
Length: 22min 51sec (1371 seconds)
Published: Fri Aug 03 2018