Updated: Dec 30, 2022
Welcome back, my aspiring cyber warriors!
In this series on Web App Hacking, we continue to explore ways to hack web applications (apps). In this tutorial, we will explore Cross Site Request Forgeries or CSRF. CSRF is an attack where the attacker inherits the credentials and privileges of the legitimate user to redirect the browser to another website or an action on another website. For many sites, the user's browser requests contain the credentials for that site in the form of a cookie or IP address. For instance, if the user has already authenticated against their banking website, the attacker may direct a funds transfer from that account without the user directing it or even knowing. You might imagine the CSRF attack as being similar to someone hacking your ATM card and then after you have authenticated and logged into the ATM, forcing an action that you have not initiated or authorized.
In this tutorial, we will be using the DVWA to redirect the user's browser to change their password. You can only imagine what headaches such an attack would create in the real world and give the attacker access to a confidential site or account.
Step #1: Fire Up Kali and Metasploitable and Login to DVWA
When you connect to the DVWA app on Metasploitable, you should see a screen like that below. The login is "admin" and "password".
Make certain you set the security level to 'low".
Step #2: Select CSRF in DVWA
Next, click on the CSRF tab to the left of the DVWA app.
You should be greeted by a screen like that above asking you to "change your admin password". We will be using CSRF to change the admin user's password without their being aware.
To understand the process that this site uses to change passwords, we will use a proxy such as BurpSuite. Make certain to enable the proxy in your browser and then start Burp Suite.
When you enter your new password in DVWA and click "Change", it will send the request to change the admin password (we are changing it to "hackersarise"). We can intercept that request with Burp Suite as you see below.
The command to change the password in this app is;
Our goal is to get the user's browser to execute that command unbeknownst to the user and change their password.
Step #3: Build a Malicious Website and Embed Change Password Command
Now that we understand how the app changes passwords, we can use that information to manipulate the user's browser to do it unbeknownst to the them.
Let's create a web site that integrates that change password command. In a text editor, open /var/www/html/index.html and create the following page.
Note that we have integrated the URL/command into an image tag with the setting "display:none". This keeps the URL/command hidden from the end user when they open this page. There does not appear to be anything malicious about the site as viewed by the victim.
Step #4: Entice the user to visit the web page
Now, we need to entice the user to visit our web site . This could be through a link sent via email or other social engineering technique. In some cases, the attacker may simply be looking for random users to victimize and rely simply on normal web traffic to control their browser.
This is how our web page appears to the victim.
When the end user clicks on the link, they see the web page above. Note that the URL/command to change the password is not visible to the victim.
If the victim right clicks on the page and selects "view source code", the malicious command is visible. Few people know enough to do so and those who do would unlikely understand what they are viewing.
Step #5: Try to log back in to DVWA
Now, we when the victim attempts to log back into the DVWA app with their old credentials (admin, password), the app rejects their credentials because their credentials were changed when they visited the "Nigerian Prince" website!
Now, when the attacker attempts to login in to the app with the new password (hackersarise)...Success!
Cross Site Request Forgery (CSRF) is among the most serious web app attacks. It forces the user's browser to take actions not initiated or authorized by the user. This can lead to actions such as logging into confidential accounts, transferring funds or changing passwords.