CSRF - Lab #3 CSRF where token validation depends on token being present | Long Version
Summary
TLDR: In this video, the presenter walks through exploiting a CSRF vulnerability in a web application, specifically targeting the email change functionality. The tutorial demonstrates how to bypass CSRF token validation, both using Burp Suite Professional and manually scripting the attack in the Community Edition. Viewers learn how to craft an exploit that allows an attacker to change a user's email address without their knowledge, highlighting the importance of secure CSRF token handling and session management in web applications. The video also covers how to host the exploit and execute the attack through a simple HTML form and Python server.
Takeaways
- The video explains how to exploit a CSRF vulnerability in a web application to change a user's email address.
- The exercise uses the Web Security Academy's lab to demonstrate how to exploit CSRF flaws.
- The email change functionality in the lab is vulnerable to CSRF, which is the core of the attack.
- A CSRF vulnerability can be exploited if certain conditions are met: a relevant action, cookie-based session handling, and no unpredictable request parameters.
- Burp Suite Professional can be used to intercept requests and automatically generate a CSRF proof of concept (PoC).
- If a CSRF token is not required or is easily bypassed (e.g., by removing it), the application becomes vulnerable to CSRF attacks.
- For users without Burp Suite Professional, the CSRF attack can be manually scripted using HTML and hosted on a local server.
- When exploiting CSRF manually, the HTML form must include hidden inputs for parameters like email and a script to automatically submit the form.
- The attack is carried out by creating an invisible iframe that submits the form to change the victim's email address without their knowledge.
- After crafting the exploit, the attacker sends the victim a link, which appears harmless but results in the email address being changed.
- The video encourages viewers to subscribe, share, and comment on the content to improve engagement and share learning experiences.
Q & A
What is the main focus of the video in the Web Security Academy series?
- The video focuses on solving Lab Number 3 in the CSRF (Cross-Site Request Forgery) module, titled 'CSRF where token validation depends on token being present.'
How is Intigriti related to the video?
- Intigriti is the sponsor of the video, and it is described as Europe's leading ethical hacking and bug bounty platform. The video encourages viewers to sign up and participate in bug bounty programs.
What is the first step in accessing the Web Security Academy for this exercise?
- The first step is to visit the URL 'portswigger.net/websecurity' to sign up for an account, after which the user can log in and access the academy.
What type of vulnerability is being explored in Lab Number 3?
- The lab explores a vulnerability in the email change functionality, specifically a CSRF vulnerability that allows an attacker to change a user's email address.
What is the goal of the lab exercise?
- The goal of the lab is to exploit the CSRF vulnerability to change the victim's email address using an HTML page hosted on an exploit server.
What method is used to intercept and modify requests in the video?
- The video demonstrates the use of Burp Suite Professional to intercept, modify, and forward requests during the CSRF attack.
How does Burp Suite Professional help exploit the vulnerability?
- Burp Suite Professional's 'Generate CSRF PoC' (Proof of Concept) tool automatically generates an exploit page that submits the form and changes the email address for the victim.
What happens if the CSRF token is removed from the request?
- If the CSRF token is removed from the request, the application skips token validation entirely and accepts the request; this is the flaw the lab exploits.
What alternative method is shown for exploiting the CSRF vulnerability without Burp Suite Professional?
- The alternative method involves manually creating an HTML form with a hidden input for the email change and scripting the form submission, omitting the token so that validation is never triggered.
How is the exploit delivered to the victim in the manual method?
- The exploit is delivered by hosting the crafted HTML page on a simple server, generating a link, and sending it to the victim. When the victim clicks the link, their email address is changed in the background without their knowledge.
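The server-side mistake behind the lab title (and behind the "what happens if the token is removed" answer above) is easy to see in code. The following Python is an added example written for this page; it is not code from the video, from the lab, or from PortSwigger. It assumes the token travels in a form parameter named `csrf` (an assumption; the page does not name the parameter) and uses a constructed fixed token and constructed requests so that it runs offline. The vulnerable handler validates the token only when the client sends one, so a cross-site form post that simply leaves the field out is accepted; the hardened handler treats a missing token exactly like a wrong one.

```python
import hmac
from typing import Dict, Tuple

# Constructed token for the example. A real application would issue a random
# per-session value (e.g. secrets.token_hex) and keep it in server-side session state.
CONSTRUCTED_TOKEN = "2f9c1e8b6a4d7c3e0b5a9f1d8e7c6b4a"


def make_session() -> Dict[str, str]:
    """Fresh logged-in session: the current email plus the CSRF token issued to it."""
    return {"email": "victim@example.com", "csrf": CONSTRUCTED_TOKEN}


def _token_matches(supplied: str, expected: str) -> bool:
    # Constant-time comparison on bytes so non-ASCII input cannot raise a TypeError.
    return hmac.compare_digest(supplied.encode("utf-8"), expected.encode("utf-8"))


def change_email_vulnerable(session: Dict[str, str], form: Dict[str, str]) -> str:
    """Handler with the lab's flaw: the token is validated only if the client sent one."""
    token = form.get("csrf")  # assumed parameter name
    if token is not None and not _token_matches(token, session["csrf"]):
        return "403 invalid csrf token"
    # A request with no csrf field at all reaches this line unchecked.
    session["email"] = form["email"]
    return "302 email changed"


def change_email_fixed(session: Dict[str, str], form: Dict[str, str]) -> str:
    """Hardened handler: a missing token is rejected the same way as a wrong one."""
    token = form.get("csrf")
    if token is None or not _token_matches(token, session["csrf"]):
        return "403 missing or invalid csrf token"
    session["email"] = form["email"]
    return "302 email changed"


# Constructed requests: the genuine form post, a cross-site post with the csrf
# parameter stripped (the case the lab targets), and a post with a guessed token.
REQUESTS = {
    "legitimate":   {"email": "new@example.com", "csrf": CONSTRUCTED_TOKEN},
    "token_absent": {"email": "attacker@example.com"},
    "token_wrong":  {"email": "attacker@example.com", "csrf": "0" * 32},
}


def run_all() -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Run every constructed request through both handlers on a fresh session.

    Returns {(handler_name, request_name): (status_line, email_after_request)}.
    """
    results = {}
    handlers = (("vulnerable", change_email_vulnerable), ("fixed", change_email_fixed))
    for handler_name, handler in handlers:
        for request_name, form in REQUESTS.items():
            session = make_session()
            status = handler(session, form)
            results[(handler_name, request_name)] = (status, session["email"])
    return results


if __name__ == "__main__":
    for (handler_name, request_name), (status, email) in run_all().items():
        print(f"{handler_name:10s} {request_name:12s} -> {status:34s} email now {email}")
```

Running it shows the vulnerable handler changing the email to the attacker-controlled value for the `token_absent` request while rejecting `token_wrong`, which is why removing the parameter rather than tampering with it is what succeeds in the lab. The fix is the single `token is None or` clause; a `SameSite=Lax` or `Strict` session cookie is a useful second layer, but the request-side check must not depend on the attacker choosing to include the field.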