Cross-Site Request Forgery
This course talks about Cross-Site Request Forgery (CSRF) and covers how to install a vulnerable machine called Metasploitable and how to start using it.
Hi, within this lecture, we're going to start learning about CSRF. So, this means Cross-Site Request Forgery. So, we will be performing some forgery in the requests. But, as you can see, we are logged in as admin. Again, because we have changed the cookies. Now, I'm going to undo this. So, I'm going to come over here to 'Storage'. Not here, up here. And in the Cookies, we have changed uid. So, change it back. So, I don't believe it was one. It was 17, I believe. So, let me come over here and 'Refresh' this. And see, here you go. It's 17 for me. So, whatever works for you. And we're logged in as atil. And I'm going to try and find if there is CSRF here. Let's see, 'OWASP Top 10' and here you go. For the A5, we have the Cross-Site Request Forgery. We have others as well. So, as you can see, it's a little bit less than what we have seen in bWAPP. It again has different kinds of popular vulnerabilities but with fewer examples, okay? So, you can see some other kinds of vulnerabilities here as well. So, there are other choices. But, I believe, we had much more in bWAPP. So, let's come back to here. The Broken Authentication? We're not interested in that yet. We're interested in this one. So, A5 - Cross-Site Request Forgery. So, we have 'Add to your blog' and 'Registered User'. Let's see the 'Add to your blog' and let's see the 'Registered User'. So, this is for registering an account. And we generally see CSRF in that kind of stuff, like changing the password or registering a user. So, we generally do forgery in the request in operations like this. But, I really wonder what kind of CSRF we have in a blog post, so we can actually look into that. And, I believe, DVWA has a better explanation for that. And we're going to see the DVWA CSRF as well. Right now, since we are in Mutillidae, I want to test and see if something's interesting in here. So, I'm going to go back to 'Add to your blog'. So apparently, this is a blog page for us.
I haven't seen this one before, by the way; I've skipped it for some reason. Let's try to find some vulnerability together, like a real-life, live example, okay? So apparently, we can use some kind of HTML encoding in here. It's already given to us. Not exactly HTML, but maybe their own syntax. So, let me just try 'test'. And we can see that atil has commented test on this date. So, very good. So, let's try to see this in Burp Suite. We can understand what's going on in Burp Suite. So, open your 'Burp Suite' as usual, okay. Open a 'Temporary project' and 'Use Burp defaults'. And it's going to open a project for us. And of course, don't forget to come over here and check that 'Intercept is on', and turn your 'FoxyProxy' on as well. Now, I'm going to create another blog entry. So, let's just write something like 'test2' and say 'Save'. And it should be intercepted in here. So, here you go. Now, it's a POST request and it has a token here and a blog entry as a parameter, which is the thing that we have written. And, I believe, there's a button here as well. And this is the page. So, here you go. We have a Cookie in here as well. If I go to 'Params', I can see this is the user, this is the user ID. And this is the body of the thing. So, I believe, the only way that we can make this work, the only way that we can change this and pretend to be someone else, is to change the cookie uid one more time to be one and forward it like this. If we come back, here you go. Now, it's written as the admin user, okay? Even though you are not logged in as the admin user, we changed it to be, and it saved the test2 as the admin user. So, it's kind of cheating, right? Because we already knew that we have some cookie issue in here and we changed that and it worked. So, this is not what a regular CSRF looks like, okay? In order to understand it better, we're going to go back to DVWA and just work our way up there.
But again, this can be a real-life example as well. So, I wanted to show you this, even though I didn't know how this works, because it looked certainly interesting. So, let me turn the 'Intercept off' and go back to 'DVWA'. So, I believe, we have a CSRF in here as well, okay? So, here you go. Let me just zoom in a little bit so you can see it in a better way. And let me go to 'Security' first and set the security level to 'low'. It starts in high and it's pretty much exploitable. So, let me come back to 'CSRF' in here. As you can see, it's a change password link. So, this is generally where we find the CSRF vulnerabilities, okay? So, it lets us change the password. And also, we can see or we can get some CSRF in the register or login pages as well. But, this is the most common one. So, if I change my password to test, we can see how it sends the request, okay? So, it sends two parameters: password_new, password_conf. Of course, there's a third parameter, the change button. So, here you go. Now, actually, I want to see if this works or not. So, I'm going to 'Forward' this, but we're not going to forward this in the next lecture. We're going to see the Repeater functionality of Burp Suite. And here you go, it says that the password has been changed. So, I believe, this is working, right? So, I know this is working, but we're going to see how to look for vulnerabilities, how to look for CSRF in this case, and we're going to use Burp Suite for that. So, I'm going to stop here and continue within the next one.
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.