Cross-Site Request Forgery
Alright, before I begin, I'd like to start out by clearing up a common misconception about CSRF (pronounced "Sea Surf" or simply C-S-R-F). Most people believe that CSRF is the same as Cross-Site Scripting, also known as XSS, because both attack names contain the phrase "Cross Site". This couldn't be further from the truth: CSRF and XSS are COMPLETELY different attack vectors. With XSS, the attacker injects some text, such as JavaScript code, into the vulnerable site, for example by sending the victim a prepared link. An example of this would be alert('whatevergoeshere'). With CSRF, however, the victim's browser sends the attacker's request to the server without the victim even knowing about it. I'll explain this in a bit.
What is cross-site request forgery?
Cross-site request forgery, also known as CSRF, works by exploiting the trust that a site has in the user. Site tasks are usually linked to specific URLs, so that a specific action is executed when that URL is requested. If a user is logged into the site and an attacker is able to trick their browser into making a request to one of these task URLs, then the task is performed and logged as the logged-in user. The CSRF vulnerability lies in almost every website, but it has remained mostly under the radar for nearly a decade: it's not even included in the Web Security Threat Classification, the OWASP Top 10 or Mitre Corp.'s . One Indonesian security expert, zoiz, even says that CSRF is able to cause a DoS attack against a web server by manipulating the number of GET requests. Well, it's really horrible.
How does it work?
One possible way of using CSRF to attack a website would be to lure your victim to your website, which contains a simple image tag that will log the victim out of a site. You could do this using:
<*img src="http://websiteyouwantthemlogge
This will simply log them out of the site they are logged into, the one you have chosen. You would, of course, need to know which site you want them logged out of. This is a pointless task in itself, but it shows the basic logic behind a CSRF attack: the browser sends the request, with the victim's session cookie attached, to whatever URL the image tag points at. The same concept can be used for other things, such as removing funds from your victim's financial account and transferring them into yours, deleting users from a specific site, etc.
So now we want to use this vulnerability to our own advantage.
How about changing the user's password?
OK, so to change the user's password you first need to create an account on the vulnerable website.
Then go to the change-password page.
Consider that the web page URL is
http://websiteyouwantthemloggedoutof.c
And when you change your password, the URL that is requested will be
http://wwebsiteyouwantthemloggedoutof.
(we assume that we have changed the password to gtfobc)
After that we go to our avatar settings to change it.
Usually they will ask you for one of two things:
1- upload an image (you don't need it, or maybe you can use it to upload your shell, but the chances of making that work are low, though worth a try)
2- image from a URL (this is the one we will use)
So we will put "/reset.php?pass=gtfobc" (without the quotation marks) in the URL field for the avatar.
(We didn’t use http://websiteyouwantthemloggedoutof.com
And press OK.
Now if a user wants to check your avatar, they won't see a thing (a blank page or an error), because the image URL points at the password-reset page rather than at an image.
But what the victim doesn't know is that his browser requested that URL with his own session cookie, so his password was changed to "gtfobc".
The rest is easy.
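As an added example, not code from the original post, here is a small Python model of the reset.php?pass=... endpoint described above: the vulnerable version accepts the password change on a GET authorised by the session cookie alone, which is exactly what the avatar-URL trick relies on, while the hardened version requires a POST, a matching Origin header and a per-session CSRF token that a cross-site page cannot read. Request, SESSIONS, PASSWORDS and the origin example.test are constructed stand-ins, not real framework objects.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

SITE_ORIGIN = "https://example.test"  # hypothetical site origin

@dataclass
class Request:
    """Simplified stand-in for an incoming HTTP request."""
    method: str
    url: str
    cookies: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)

# Constructed server state: one logged-in session and its per-session token.
SESSIONS = {"s1": {"user": "alice", "csrf": secrets.token_hex(16)}}
PASSWORDS = {"alice": "original"}

def vulnerable_reset(req):
    """reset.php?pass=... as in the post: the session cookie alone authorises the change,
    and the browser attaches that cookie to any request, including one from an <img src>."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    new = parse_qs(urlparse(req.url).query).get("pass", [None])[0]
    if not new:
        return 400
    PASSWORDS[sess["user"]] = new
    return 200

def hardened_reset(req):
    """Same action, accepted only when the request cannot have been forged cross-site."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.method != "POST":                      # never change state on GET
        return 405
    if req.headers.get("Origin") != SITE_ORIGIN:  # browsers set Origin on cross-site POSTs;
        return 403                                # a missing Origin is rejected on purpose
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403                                # attacker's page cannot read this token
    new = req.form.get("pass")
    if not new:
        return 400
    PASSWORDS[sess["user"]] = new
    return 200
```

The method check alone already defeats the image-tag trick, since an img src can only produce a GET; the Origin and token checks cover forged POSTs from an auto-submitting form.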
That's it for this tutorial. I'm not going to spoon-feed you information; this is MORE than enough to help you on your way to do whatever you want. :)