1. Home
  2. Training Library
  3. Cross-Site Request Forgery (CSRF)

CSRF Simple Hack



The course is part of this learning path

Start course

This course talks about Cross-Site Request Forgery (CSRF) and covers how to install a vulnerable machine called Metasploitable and how to start using it.


Hi. Within this lecture, we're going to continue focusing on the Cross Site Request Forgery. We're going to see a simple hack with a simple link and then we're going to deep dive into the next lecture. But right now we are inside of our Burp Suite, so intercept is on and I'm typing a new password over here with test and test. If I say change, it should intercept in the Burp Suite but it doesn't intercept it. So, let me turn this off and on one more time and try to click over here now. Now, it's getting. So, let me just reset this and refresh this and just say test and test one more time. Turn the intercept on and here you go. Now we get it. So, over here what happens?

As you can see it's a GET request. So, we can see all the requests, details from here. And we see the parameters and everything as well.

So, most of the time you're going to have to try something in here. For example in here, we have the password_new and we have the password_conf. So, maybe we may want to try if the passwords do not match or we may want to try if we just delete the password_new what happens? Something like that. So, I want to try something and see the response. Of course, I can do it over here without Burp Suite at all. But then I cannot see the requests being made or some of the response details as well. So, we are working with the Burp Suite and we're going to work with something called Repeater this time so that we can learn about the Repeater option, Repeater functionality of the Burp Suite as well. So, all you have to do is just double click, right-click over here, and say 'Send to Repeater'. And as you can see there is a 'Send to Intruder' as well.

We're going to cover that later on but right now we're just going to send it to Repeater. Repeater is one of the most popular functionality of the Burp Suite. So, you're going to need this a lot. And we're going to use that a lot from now on as well. But right now we have to see what it does. So, let me say Send, it will send it to the server and we get back to response but it won't lose the request. It won't just forward the request, we will see the request and response here all the time. For example, if I say sent I can see the response, I can see the headers and the hacks, and maybe it Render sometimes. It tries to render the page like a browser here but for some reason, it doesn't work. Maybe it doesn't work very well in the free version but we can see the row of HTML over here. It doesn't matter we learned about the HTML.

So, if I scroll down a little bit we can see password has been changed and it's good. So, what if I want to test something like this? If I make password_new=test 2 but don't change password_conf. If I say 'Send' then I can immediately see the result back here like passwords did not match. First of all, it says that Passwords did not match which is a good thing in terms of security. So, it's working good. So, if I don't give the same password then it will complain about it. But see how easy it was for me to change the parameter and test it. So, right now we have only two inputs, two parameters over here. But maybe like in the feature I can have 15 parameters then if I change one then it will take me like minutes to fill out all the forms. So, I can come over here to param section as well and I can change whatever I want from here and just say 'Send' and test it.

So, that's what the Repeater is for. You don't lose the request. You have it every time on the left-hand side and you can actually work with it. So, we have this PHPSESSID which is our cookie ID. And we know that it is making a GET request. Sometimes if you have a proper configuration, if you don't have this PHPSSID, it won't work because it's tracking the user. So, just be aware that you don't want to delete this PHPSSID. And sometimes it changes tokens or something like that. But in this case, we can just change the password and we can try to see what happens with it. So, for example, if I copy this URL and send this link to any user. Let's see if we can make them change their password so we can just change their password. So, this is like CSFR or across CSRF Vulnerability.

So, even though we have this PHPSSID, maybe it will work if they are logged in, when they click on this link. And we are administrator by the way we are logged in as admin. I don't know if we can create a new user here so that we can test the link. And let's test this with some other user but I don't know if it's possible. So, let me just copy this and try to see if we can create a new user. Let me log out and there is no registry here. So, I'm going to log in back with admin and password. But I cannot log in as admin and password because we changed it to be test. And I don't see any kind of registration over here. Maybe we can do it with sequel injection or something like that but we don't know it yet. However, it really doesn't matter because if it works on admin then it will work on the other users as well.

And we're going to see the source code to understand if it works on every user, maybe they configured it in a way that it works with only one user. I don't know. So, if it works, let me just come over here and say view source. By the way, this view source is one of the greatest things about DVWA. If you're a web pan tester or if you're a web developer, you can actually compare the security levels and you can see the PHP codes from here. We don't get that generally with inside of the CTFs or vulnerable machines. So, this is one of the greatest features of DVWA. We'll get to see the PHP code over here. So, we can see how it's handling this request. And actually, if you look over here we can see that you don't know the sequel light or sequel injection yet. But maybe you're familiar with this stuff as you can see it's aesthetically doing this very user is admitting.

So, it's not the proper way to do this obviously, but it's the way they configured it. So, even though we try with other user, even though we create another user, it won't work. So, it only works for the administrator user. If you click on the compare here, you can see the high-level security, medium level security source codes as well. So, that's what I was talking about. If you're a web developer, definitely you may want to come over here and check your security against these PHP codes over there. So, anyway in the high and in other configurations as well it always filters out the user as admin. Again it's not realistic. It doesn't happen in real life but we're going to try it eventually. If it works for administrator user then it's definitely going to work for other users as well in real-life scenarios.

So, I'm going to find that link that we have copied. Let me come over here. I believe that was it. Yep, this is the one so Vulnerability CSRF and password_new=test password_conf=test. So, I'm going to change this test like test2 and test2. Just pretend that we got sent this link by someone and we clicked on it. And here you go. It says that password has been changed. In this current situation, we don't even know what the password is if we cannot see it on the URL. Let's see if that's has been really changed for us. Yep, we cannot log in with test. We can log in with test2. Here we go. Now we managed to change it. So, you can just send this link to someone if they are logged in. They can actually change their password without realizing it. I'm going to change this back to password because I don't want to forget about it. And here you go.

Now, we have seen the most basic implementation of this one. But we're going to go into a little bit more deeper stuff within the next lecture. Because this CSRF thing is actually important as well and you may come across this in real Bug Bounty Hunting when you try to collect some rewards. So, we're going to stop here and continue with the subject within the next lecture.

About the Author
Learning Paths

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.