CSRF on Password Reset
Hi hackers! 👋
My name is Filipe Azevedo and in this post, I’m going to talk about a CSRF that I recently found on a private program on HackerOne. For obvious reasons let’s call it example.com.
What is CSRF?
Cross-site request forgery (CSRF) is an attack that tricks a web browser into executing an unwanted action in an application to which the user is logged in.
Depending on the web application, this attack can have devastating consequences. A successful CSRF attack can result in damaged client relationships, unauthorized fund transfers, changed passwords and data theft — including stolen session cookies.
So, to sum up, to make a successful CSRF attack you will need something like this:
1. Create an HTML page with a form to perform the malicious actions (the form needs a name so that the onload handler can find and submit it, and each input needs the parameter name the vulnerable endpoint expects):
<html>
<body onload="document.form.submit()">
<form name="form" method="POST" action="VULNERABLE_ENDPOINT">
<input type="hidden" name="PARAM_NAME_1" value="PAYLOAD">
<input type="hidden" name="PARAM_NAME_2" value="PAYLOAD">
</form>
</body>
</html>
2. Start a server to share your malicious page with the victim. I use the following commands:
python3 -m http.server 1234 -> Start an HTTP server.
ngrok http 1234 -> Create public URLs. You can install NGROK here.
If you want to know more about CSRF here are two very good videos on the topic:
PwnFunction
InsiderPhd
Now that you are familiar with CSRF let’s jump into the vulnerability…
Whenever I start testing a website, the first thing I do is use it the way a normal user would. During this process, I leave Burp open so that I have a list of all the requests and endpoints for further investigation.
After looking for the basic vulnerabilities I realized that all requests I made were protected against CSRF by using a token.
To protect a website from CSRF, the server attaches a token to every state-changing request you make. If the token you send doesn't match the one the server holds for your session, the request is dropped.
But…
If the CSRF token isn't properly validated, it can be bypassed by replacing it with another token of the same length, or simply by removing it completely. For example, if you have the following request:
POST /api/removeUser
Content-Length: 28

user_id=12345&csrf=987654321
You could try the following requests to bypass the CSRF token:
POST /api/removeUser
Content-Length: 28

user_id=12345&csrf=123456789

POST /api/removeUser
Content-Length: 14

user_id=12345
In my case it was the first one: the server only checked that a token was present and that it had the right length, not that it matched the token bound to the victim's session.
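To make the difference concrete, here is an added example (written for this post, not code from the program or from the author) contrasting the length-and-presence check the server was doing with a correct per-session check. The session store, token length, the helper names and the 200/403 results are all assumptions of this example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs

TOKEN_BYTES = 16  # assumption: 32 hex characters per token


def issue_csrf_token(sessions: dict, session_id: str) -> str:
    """Mint a random token for this session and remember it server-side."""
    token = secrets.token_hex(TOKEN_BYTES)
    sessions[session_id] = token
    return token


def weak_check(sessions: dict, session_id: str, submitted: Optional[str]) -> bool:
    """The flawed validation described in the post: only presence and length
    are checked, so any token of the right length (for instance one the
    attacker obtained for their own session) is accepted."""
    expected = sessions.get(session_id)
    if expected is None or submitted is None:
        return False
    return len(submitted) == len(expected)


def strict_check(sessions: dict, session_id: str, submitted: Optional[str]) -> bool:
    """Correct validation: the submitted token must equal the token bound to the
    requesting user's own session, compared in constant time."""
    expected = sessions.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(submitted, expected)


def handle_remove_user(sessions: dict, session_id: str, body: str, check) -> int:
    """Simulate POST /api/removeUser on a form-encoded body; return an HTTP status.
    The session id stands in for the cookie the browser sends automatically."""
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if not check(sessions, session_id, params.get("csrf")):
        return 403
    return 200
```

Run with a victim session and an attacker session: a body carrying the attacker's token passes weak_check but is rejected by strict_check, while the victim's genuine token passes both.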
Thank you very much for reading. If you would like me to continue to bring my found bugs, you can buy me a coffee. 😊😊😊
Follow me on Twitter!