This course covers Cross-Site Request Forgery (CSRF), as well as how to install a vulnerable machine called Metasploitable and how to start using it.


Hi, within this lecture we're going to talk about cookies and see some possible vulnerabilities that may let us pretend to be somebody else rather than our own user. So, it's a cookie vulnerability, or a forgery vulnerability, or a session management vulnerability, however you may want to call it. So, I'm going to show you what I'm talking about. If you right-click and go to 'Inspect Element', you can see the Inspector and the Debugger. We have already covered a couple of those, but we haven't covered some of the others. We have actually seen the Debugger, but we're going to look at it in more depth later on to analyze JavaScript files and so on. You can see the JavaScript files, and sometimes the PHP files as well, but not always. If you go to Memory or Network, these are very important. So, in the Network tab we can see the GET requests that we have made, and some of the POST requests as well. And of course, you can get this in Burp Suite as well. It's not very important, but sometimes it comes in very handy. So, this one is very important: the Storage tab. Within the Storage tab, we can see the information about the cookies, the cache, the session and everything else. So, if you expand everything in here, you can just click one of those and see the related information on the right-hand side. For example, if I click on 'Session Storage' and there is anything stored in session storage, then I can see it. So, what's a session, by the way? A session is the period when a user comes into a website, wanders around and then leaves. So, for example, e-commerce websites track this session time in minutes, or maybe an hour. If somebody spends 10 minutes on the website, they try to increase the session time to 15 minutes so it can increase sales. But we generally use cookies to track the session, or to store information about the session as well.
So, if you come over here to Cookies, you can see some different keys and values. Sometimes they may be encoded; we're going to see how to decode them later on. But this time we can see everything over here, like a UID. UID stands for Unique ID, Unique Identification Number. So, it means that it's unique. It's different for every user, and in most cases it's automatically generated by SQL, or S-Q-L, however you may want to pronounce it. And as we can see, Atil, our user (or your user), has the UID of 17. It may be different for you, by the way. It really doesn't matter what kind of value you get here, but if there is a vulnerability, we may want to try to change this value to something else and see if we can pretend to be someone else. So, this UID is different for every user, and we cannot know the UID of other users unless there is some vulnerability for that as well. But we can try to guess, and we can try to see if we guessed right. So, for example, in this case I can see my UID is 17. I can easily guess that number one will be an administrator user, or a user with administrator privileges, or number two or number three. These will be the first users that were created for this website. So, what I'm about to do is change this to one. Hit 'Enter', and it's changed for me. Now, to see whether that worked or not, I come over here and refresh the website, and here you go: now I'm logged in as admin. So, I didn't know whether the administrator user has the UID of one, but it's generally the case. The first user would be the admin; otherwise it wouldn't make sense. Of course, they can try to make the UIDs something other than 1, 2, 3, 4, 5, 6, even though that is the default in SQL. And again, maybe we won't have that kind of vulnerability in the cookies, but it's worth a shot.
So, as you can see, I changed it to one and now I'm logged in as admin, and I can try and see if I can reach something, or some menu, as the administrator user, try to reach the database, maybe try to give some admin privilege to my own account, or try to delete everything or rewrite everything in a different way. So, it's not safe to leave those cookies like that. Again, this is one of the easy ones. But right now, if you come over here, say Inspect Element and change your UID back to 17, you can go back to your own user in order not to confuse things. And if you come over here and just search for 'cookie manager Firefox', there are a lot of them. I don't do that in Yandex, but in Google, I believe: cookie manager Firefox. It allows you to gather the cookies and change their values, like with the Inspector or Inspect Element in Firefox, but some people prefer a plugin, or some people prefer tools over that. So, we're going to stop here and continue with this vulnerability, but a different one, in the next lecture.
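As an added example (not part of the lecture or of the Metasploitable application), this Python snippet shows the server-side pattern behind what the lecture demonstrates: a handler that trusts a plain `uid` cookie, beside a hardened handler that binds the uid to a keyed HMAC tag so that editing the cookie value in the browser's Storage tab no longer switches accounts. The user table, the server key and the function names are constructed for illustration.

```python
import hmac
import hashlib
from http.cookies import SimpleCookie

# Constructed sample user table; ids 1 and 17 mirror the lecture's example.
USERS = {1: "admin", 17: "atil"}

# Hypothetical server-side secret (in production, load it from a secret store).
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def parse_cookies(header: str) -> dict:
    """Parse a raw Cookie request header into a name -> value dict."""
    jar = SimpleCookie()
    jar.load(header)
    return {name: morsel.value for name, morsel in jar.items()}


def vulnerable_current_user(cookie_header: str):
    """The pattern shown in the lecture: the server trusts a plain 'uid' cookie,
    so editing uid=17 to uid=1 in the browser makes the server see 'admin'."""
    uid = parse_cookies(cookie_header).get("uid")
    if uid is None or not uid.isdigit():
        return None
    return USERS.get(int(uid))


def issue_session_cookie(uid: int) -> str:
    """Hardened form: bind the uid to an HMAC tag computed with a server-only key.
    The client can still read the uid, but cannot change it without forging the tag
    (an opaque random session id looked up server-side is an equally good design)."""
    tag = hmac.new(SERVER_KEY, str(uid).encode(), hashlib.sha256).hexdigest()
    return f"session={uid}.{tag}"


def hardened_current_user(cookie_header: str):
    """Reject any session cookie whose tag does not verify; compare in constant time."""
    raw = parse_cookies(cookie_header).get("session", "")
    uid_str, sep, tag = raw.partition(".")
    if not sep or not uid_str.isdigit():
        return None
    expected = hmac.new(SERVER_KEY, uid_str.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return USERS.get(int(uid_str))
```

Tampering with the plain cookie (`uid=17` to `uid=1`) yields the admin account, while the same edit on the signed cookie fails verification and yields no user at all.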

About the Author
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.