CSRF Account TakeOver on Live Website


 





What is CSRF


CSRF stands for cross-site request forgery. It is an attack on a website in which the browser of a user that the web application trusts is made to submit unauthorized requests, such as a profile or password change. In this post the attacker uses it for account takeover.
 


 


How does CSRF work?


The attacker sends the victim a link, for example by phishing. The link carries a request that sets the account email and password to values chosen by the attacker.

Suppose the link targets www.hackingtruthbank.in. As soon as the victim clicks it, the victim's browser sends that request to hackingtruthbank.in along with the victim's session, and the server updates the account details. The server accepts the new credentials because they arrive from the authenticated client, but the client unknowingly clicked a link that carries two things: a new email and a new password, and both get applied automatically.

 

 


 



Now the attacker logs in with the new credentials and completes an ATO (account takeover) of the client's account. That is how CSRF works. CSRF is a very dangerous vulnerability that can lead to a successful ATO, and in this case the client can no longer log in to his own account, because the account is now accessible only with the new credentials set by the attacker.



How are we going to test for CSRF?

 

Here is how to test for a CSRF vulnerability in a website when hunting during a penetration test.

You need two accounts: the first is the victim account and the second is the attacker account. What does the attacker do?

The attacker generates a link that carries the change, say a new email and password, and sends that malicious link with the updated account details to the victim (the first account). When the victim interacts with the link and clicks it, check whether the data in the victim's profile has been updated. For a first check, the attacker's link can carry a harmless change, such as setting the first name to "attacker".

 

 




 

If the victim clicks the link and the first name in his profile changes from victim to attacker, CSRF has been confirmed. In the more dangerous case, the attacker sends a link that sets the email to attacker@gmail.com and the password to attacker 12345; if those values get changed, the site has a CSRF account takeover vulnerability.

An ATO, whether by changing the email, the password, or both, gives complete access to the account and permanently locks the user out, so it is considered a vulnerability of extreme severity and the bug can be rated at the highest severity level.

 

 

How can we achieve CSRF to Account Takeover?

 

First, I am going to quickly sign up on this website.





I created an account on this platform and received an email confirming that we registered successfully. Clicking the RESET YOUR PASSWORD link in that mail redirects to azafashion.com.






As you can see, the user section has a lot of options, but we will use the profile section.

Clicking on account details shows the account details. The name here is a temporarily generated one, so I change the name of this account to "victim account".





Next I make the attacker account as well: I open a new private window on azafashion.com, create a new account, and change its name to "attacker".







Before saving the username, I capture the request.






This is the POST request that goes to the server to change the profile details; as you can see, the user first name field carries "attacker". From this request the attacker learns that the website is vulnerable to CSRF, so we build a PoC (proof of concept) through which the victim's details will be changed.

Then we generate a CSRF PoC with the Engagement tools in Burp Suite. The PoC has been generated, and we can drop the previous request because our work with it is done.






 

Then we copy all of it and paste it into a new file called azafashioncsrf.html.




 

The form contains the name "attacker"; I modify it to "attackerCSRF". The mail ID in the form belongs to the attacker account (as mentioned above, I created that account in the private window with the attacker's mail ID).

 

 


 

 

After opening the file in the browser, only a submit button appears.




 

 

This is the victim's browser, not the private window. We click the button, and the response status is 200.






When the victim reloads his account, the details have been changed: the name field now reads attackerCSRF, and the email address has been changed as well. The attacker's edit-profile request has changed the victim's details, which is a successful CSRF.








Mitigation


CSRF vulnerabilities can also occur on login forms where the user is not yet authenticated, but the impact and risk are different. ... Login CSRF can be mitigated by creating pre-sessions (sessions before a user is authenticated) and including tokens in the login form.


Use CAPTCHAs and CSRF tokens to make sure that the victim is changing the data knowingly.
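As an added illustration of the token-based mitigation (example code written for this post, not azafashion.com's or the author's own), here is the edit-profile handler as described in the walkthrough beside a hardened version that checks the request Origin/Referer and a per-session synchronizer token. The in-memory session store, the origin https://shop.example and the form field names are assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store (session id -> record); a real app uses its session backend.
SESSIONS = {}
# Assumption: the shop's own origin; a form posted from another site carries a different Origin.
ALLOWED_ORIGINS = {"https://shop.example"}

def create_session(email):
    """Log a user in and mint a random per-session anti-CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"email": email, "first_name": "victim",
                     "csrf_token": secrets.token_urlsafe(32)}
    return sid

def csrf_token_for(sid):
    """Value the server embeds as a hidden field in its own edit-profile form."""
    return SESSIONS[sid]["csrf_token"]

def update_profile_vulnerable(sid, form):
    """Behaviour shown in the walkthrough: any POST arriving with a valid
    session cookie is trusted, so a form submitted from another site succeeds."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    sess.update({k: form[k] for k in ("first_name", "email") if k in form})
    return 200

def _same_origin(headers):
    """Origin must match exactly; Referer must be a URL under an allowed origin."""
    origin = headers.get("Origin")
    if origin is not None:
        return origin in ALLOWED_ORIGINS
    referer = headers.get("Referer", "")
    return any(referer.startswith(o + "/") for o in ALLOWED_ORIGINS)

def update_profile_hardened(sid, form, headers):
    """Same handler with two independent CSRF checks; both must pass."""
    sess = SESSIONS.get(sid)
    if sess is None:
        return 401
    if not _same_origin(headers):
        return 403  # request was initiated by another site
    # Constant-time compare. Another site cannot read the token out of the
    # victim's page or session, so a cross-site form cannot supply it.
    if not hmac.compare_digest(form.get("csrf_token", "").encode(),
                               sess["csrf_token"].encode()):
        return 403
    sess.update({k: form[k] for k in ("first_name", "email") if k in form})
    return 200
```

Setting the session cookie with SameSite=Lax or Strict adds a third, browser-enforced layer, but the server-side token check is the one that should never be omitted.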


Report



Provided by CSRF Account Takeover Report






Disclaimer

 

All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other free vulnerable resources. They do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly advise against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or incite any illegal activity or hacking.



  - Hacking Truth by Kumar Atul Jaiswal



