Cross-Site Request Forgery
This course talks about Cross-Site Request Forgery (CSRF) and covers how to install a vulnerable machine called Metasploitable and how to start using it.
Hi, within this lecture, we're going to see how hackers can actually take advantage of CSRF and do some evil stuff like changing someone's password without them even realizing. So, this is not a very sophisticated way to do it. So, with what we have seen so far, the user can understand their password has been changed, right? So, if we do this, if we send this link to someone, when they click on it, they will definitely go to this website and they will see that the password has been changed. So, this is what they're going to see. So eventually, they may not realize this and they may just continue using the website as it is, but it's not a very probable scenario. So, I'm going to show you a way hackers try to exploit this in a more stealthy way. So, I'm going to come over here to our 'File System', and then the 'var' folder, and then 'www', and then 'html'. This is our web server folder, the root folder, as you might remember. And you will see index.html in here, okay? Maybe only that. It really doesn't matter. I'm going to show you how to edit it and how to write something so that you can use it in this scenario. So, I have prepared some code. Let me show you, it's very basic. So, let me open this with 'Geany'. Of course, you can open it with whatever you want. So, this is my code. Of course, you can write it right now. Let me zoom in a little bit. As you can see, it starts with the regular old DOCTYPE html, okay? And then, html and a body. So, that's it. Html and body tags, you know this stuff. We don't even need this heading, I just put it in for some tests and here we go. Now, we see that these tags are no different than what we have seen before, but we have an image. And this image has an attribute we haven't seen yet, a style attribute. And you can just change the display type. And, in this case, I'm saying display none, okay? So, I'm displaying nothing in here, and this alt thing is kind of a description and we don't even need it at all.
So, I'm just making this empty. And in the src, in the source of this image, I'm going to just copy this and paste it in there. So, actually what this website is trying to do is to send a request to that website to change the password, but we won't see any result. It will be embedded in the image itself and the user will not see the image since it has the style of display none. So, make sure you copy and paste the same thing with me. So, I'm doing this 'http://10.0.2.5'. And I'm going to put the heading back over there, like 'hacked', so that we can see something is going on, okay? Otherwise, we won't see anything in our page. So, as you can see, it starts with the heading. And over here, I'm going to change my password to 'atil' this time, so you can try anything you want. But don't forget to change the new and the confirmation password as well. So, right now, I'm going to 'Save' this. And I have edited the index.html, not anything else, okay? So, whenever I open this website, it will actually be run. So, in order to run my service, I'm going to say 'service apache2 start'. It will run my web server. So, my web server is accessible at least in the NAT network. Of course, in real life, a real hacker would upload this index.html to any website, his website or her website, and send the link to the victim, okay? Or maybe using something like ngrok, if they want to actually use the web server in Kali Linux as well. So, let me show you what ngrok is. So, this is a tunneling service. And you can use this tunneling service to expose your own web server to the Internet. But, that's not what we're after here, okay? So, I've talked about that just out of general curiosity. I can reach my website right now if I type my Kali Linux IP from this machine, or from any machine, on my virtual machines on the NAT network, okay? So, my Kali Linux IP is 10.0.2.4, if I go to that IP address from anywhere. So, let me just make sure. Yes, this is 10.0.2.4.
So, you have to make sure your IP address is correct. So, 10.0.2.4. If I open this right now, I will see 'hacked'. So, this is what we have written in the index.html, right? So, we don't see any kind of image, we don't see any kind of thing going on in here. But, if we view the page source, now we can see there is something malicious going on in there. So, if a victim clicks on that and sees nothing, or sees a regular website, then they wouldn't check the source, right? And they wouldn't be suspicious. But, in this case now, my password has been changed. If I try to log in with test, it won't work. If I try to log in with atil, it will work because that's what my password has been changed to. So, let me try with my new password here, 'atil', and here you go. Now, I'm logged in. So far, so good. This is what CSRF is. And actually, there are other implementations of Cross-Site Request Forgery as well, obviously. But, in this case, we managed to see how we can test the stuff with Repeater and how hackers might exploit this vulnerability. And most importantly, we get to see the View Source button, which is very handy if you want to make your own websites more secure. If you're a web developer, make sure you check the PHP code from here and compare the versions with each other to see the most secure implementations in web development. So, we're going to stop here and continue within the next section.
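To see why the hidden image works and what the fix looks like from the developer's side, here is an added example (not the lecture's or the vulnerable app's own code). It models the password-change endpoint twice: a lecture-style version that trusts the session cookie alone, and a hardened version that refuses GET and requires a per-session CSRF token. The session store, the `Request` class and the field names `password_new`, `password_conf` and `csrf_token` are constructed for this example.

```python
import hmac
import secrets

# Constructed stand-in for the app's session store and request object
# (hypothetical names; not the real application's code).
SESSIONS = {}  # session cookie value -> {"user", "password", "csrf_token"}

class Request:
    def __init__(self, method, params, cookies):
        self.method = method      # "GET" or "POST"
        self.params = params      # query-string or form fields
        self.cookies = cookies    # the browser attaches these automatically

def new_session(user, password):
    """Log a user in: issue a session cookie and a per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "password": password,
                     "csrf_token": secrets.token_hex(32)}
    return sid

def change_password_vulnerable(req):
    """Lecture-style handler: the session cookie alone authorises the change,
    so a hidden <img> pointing at this URL from any site succeeds."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.params.get("password_new") != req.params.get("password_conf"):
        return 400
    sess["password"] = req.params["password_new"]
    return 200

def change_password_hardened(req):
    """Same handler with two CSRF defences: state changes require POST (an
    <img> can only issue GET), and the form must echo the session's token."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    if req.method != "POST":
        return 405
    token = req.params.get("csrf_token", "")
    # constant-time comparison so the token cannot be guessed byte by byte
    if not hmac.compare_digest(token, sess["csrf_token"]):
        return 403
    if req.params.get("password_new") != req.params.get("password_conf"):
        return 400
    sess["password"] = req.params["password_new"]
    return 200
```

Setting the session cookie with `SameSite=Lax` (or `Strict`) adds a further layer, since the browser then withholds the cookie on cross-site image loads altogether.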
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.