Account Takeover [Via Cross Site Request Forgery]
Hello Guys!
In this blog, I will explain what CSRF is and how a CSRF vulnerability can be exploited to perform an account takeover.
Cross Site Request Forgery targets state-changing functionality. “State changing? What does that mean?” is the obvious question that comes to mind.
State changing means any request that alters information on the server, for example:
- Creating information on Web server/ Web Application
- Updating existing information
- Deleting existing information, and so on.
In this blog, I will show how to exploit a CSRF vulnerability in a real-world example. Before moving on, let’s collect some mental notes.
1. The application has a self-registration form, so I created the 2 users below.
   I) Amit {Email: amit@demo.com}
   II) Tushar {Email: tushar@demo.com}
2. A black-box testing approach was followed.
3. Our target is to use CSRF to update any random user’s email.
4. Take over the victim’s account by receiving the password reset link on the updated attacker email.
So let’s jump into the step-by-step POC to better understand this vulnerability.
1. Log in to the account amit@demo.com and navigate to the Edit Profile page. Notice that the Edit Profile page offers email update functionality.
2. Keep the same email, click the Submit button and capture the request in a proxy tool like Burp Suite. Right-click in Burp Suite, open Engagement tools and click Generate CSRF PoC. As shown below, the CSRF POC is generated. On inspection, there is no anti-CSRF token in the request and the user role is admin.
3. Now log our victim in using the Firefox web browser and visit the Edit Profile page to update his email to the attacker’s email. Our victim’s earlier email is tushar@demo.com.
4. Consider that, as an attacker, we have generated the CSRF POC, hosted it on the attacker’s domain and fed this URL (https://www.attacker.com/csrf.html) to the victim via email or any other medium. Remember, the victim must be logged in for the attack to succeed; if the victim is not already logged in, our CSRF attack will fail.
5. As everyone must be aware, in CSRF exploitation the attacker does not receive any data; only the victim does. But an attacker can still update any piece of information he/she already knows in order to take advantage of this vulnerability. As shown in the images below, our victim’s email (tushar@demo.com) is updated to the attacker’s email, which is (mohammadmosin.shekh@redacted.com).
Now, consider that there is password reset functionality which allows the attacker to enter his/her own email (set through CSRF) and receive the password reset link. If this is the case, the attacker can take over the victim’s complete account by changing his/her password using the Forgot Password functionality.
The remainder of the exploitation is covered in my earlier blog, linked below:
https://ms-official5878.medium.com/account-takeover-using-forgot-password-functionality-c53a58566d8e
Note: Full account takeover is not demonstrated because the Forgot Password functionality was unresponsive and was unable to send the password reset link due to a technical SMTP error.
Impact:
As demonstrated with screenshots, by executing a CSRF attack an attacker can change account details in the victim’s account such as Email, First Name and Last Name without the victim’s knowledge. The attacker can then take over the victim’s account by visiting the Forgot Password functionality and receiving the password reset link at the updated attacker email.
Remediation:
The following mechanisms can be used to prevent CSRF attacks:
- Implement random CSRF tokens for challenge-response. The server should generate an unpredictable token for every page containing sensitive operations and bind it to the user’s session. When the user submits the request, the CSRF token must be sent along with it. The server should verify the submitted token against the original value and only then process the request.
- The application can present a strong CAPTCHA just before any sensitive request is submitted.
- Depending on the criticality of the operation, the application could ask the user to re-enter their account password.
- It is also necessary to ensure that the application does not suffer from any Cross-Site Scripting vulnerabilities. XSS may be used to bypass the CSRF protections implemented by the application, because script running in the application’s origin can read the token.
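To make the first remediation concrete, here is an added example (not code from the original post or from the application that was tested) showing the email-update handler in its vulnerable form beside a hardened form that requires a per-session anti-CSRF token. The in-memory `USERS` and `SESSIONS` stores, the route names and the request dictionaries are all constructed for this illustration; a real application would use its web framework’s session store and request object.

```python
import hmac
import secrets

# In-memory stand-ins for the application's database and session storage
# (hypothetical; constructed for this example).
USERS = {"tushar": {"email": "tushar@demo.com"}}
SESSIONS = {}  # session cookie value -> {"user": ..., "csrf_token": ...}


def login(username):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def edit_profile_form(sid):
    """Render the Edit Profile form; the token travels in the page body, not in a cookie."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="POST" action="/profile/email">'
        '<input type="email" name="email">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="submit" value="Submit"></form>'
    )


def update_email_vulnerable(request):
    """Before: trusts the session cookie alone, so a cross-site form post succeeds."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    USERS[session["user"]]["email"] = request["form"]["email"]
    return 200


def update_email_hardened(request):
    """After: additionally requires the session's CSRF token in the form body."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401
    submitted = request["form"].get("csrf_token", "")
    # Constant-time comparison; a plain == could leak timing information.
    if not hmac.compare_digest(submitted, session["csrf_token"]):
        return 403  # reject before any state changes
    USERS[session["user"]]["email"] = request["form"]["email"]
    return 200


def simulate(handler):
    """Run one legitimate and one cross-site request against a handler.

    Returns (legit_status, forged_status, final_email). The forged request
    models the scenario in the post: the victim's browser attaches the session
    cookie automatically, but a page on another origin cannot read the token
    embedded in the victim's profile form, so the forged form cannot supply it.
    """
    USERS["tushar"]["email"] = "tushar@demo.com"
    sid = login("tushar")
    form_html = edit_profile_form(sid)
    token = form_html.split('name="csrf_token" value="')[1].split('"')[0]

    legit = {"cookies": {"session": sid},
             "form": {"email": "tushar@demo.com", "csrf_token": token}}
    forged = {"cookies": {"session": sid},
              "form": {"email": "attacker@example.com"}}  # constructed value

    legit_status = handler(legit)
    forged_status = handler(forged)
    return legit_status, forged_status, USERS["tushar"]["email"]


if __name__ == "__main__":
    print("vulnerable:", simulate(update_email_vulnerable))
    print("hardened:  ", simulate(update_email_hardened))
```

The token is generated with a CSPRNG, stored server-side per session and compared in constant time; it is never placed in a cookie, since cookies are exactly what the browser sends on the victim’s behalf. Note that this check only holds as long as the fourth point above is met: any XSS in the same origin can read the hidden field and defeat it.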
I hope this blog helps you understand the CSRF attack, its impact and the recommendations. Because of confidentiality, I have hidden some data in the screenshots.
Please do like and follow for more reads.
Thanks,