DISCOVERY
WITHOUT ANTI-CSRF TOKEN
#access webpages with form fields that can be updated
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
username: {arbitraryValue}
password: {arbitraryValue}
* submit the expected user input
BURP > BROWSER > {targetSite:port}/profile > Update/Save
...
BURP > Proxy > Intercept > Raw
Request
...
POST /api/update-profile HTTP/1.1
Host: xss.htb.net
Content-Length: 75
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://xss.htb.net
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://xss.htb.net/app/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: auth-session=s%3AglF5tcXx8jmj5wB6Q0NiSQWsnkwDOcAy.Ew%2BCH6ulNwCjZK081SVCQIRMKoW4Kk3OPEYNC%2Bbh6xA
Connection: close
email=ela.stienen%40example.com&telephone=%28402%29-455-9682&country=France
* notice that there is no anti-CSRF token in the request body, so the form submission can be replayed from another origin
- sample anti-csrf token: "&user_token=974df40068b52bd0d34d38cdf85ba17a"
- with the token, the body would look like: email=ela.stienen%40example.com&telephone=%28402%29-455-9682&country=France&user_token=974df40068b52bd0d34d38cdf85ba17a
WITH ANTI-CSRF TOKEN
exploiting this variant requires the attacker to be able to sniff traffic on the local network (a MitM position), since the token is only usable once it has been captured in transit.
#sniff unencrypted HTTP traffic
root@oco:~$ wireshark &
...
#access webpages with form fields that can be updated
root@oco:~$ burpsuite
root@oco:~$ BROWSER > FoxyProxy > Burp
root@oco:~$ BURP SUITE > Proxy > Intercept is on
root@oco:~$ BROWSER > {targetSite:port}
username: {arbitraryValue}
password: {arbitraryValue}
* submit the expected user input
BURP > BROWSER > {targetSite:port}/profile > Update/Save
...
BURP > Proxy > Intercept > Raw
Request
...
GET /app/save/julie.rogers@example.com?telephone=%28834%29-609-2003&country=United+States&csrf=711b9fe423ed79fe101b124f262716211122c6f5&email=julie.rogers%40example.com&action=save HTTP/1.1
Host: csrf.htb.net
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.6312.122 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://csrf.htb.net/app/save/julie.rogers@example.com
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Cookie: auth-session=s%3AbtlrUv054Op8g20HwxYUigQC076jIl8e.tOKm8NJeC6%2BJIGGyBAJzTdJviiUUuRcpVPXLmc1aCcs
Connection: close
* notice that the anti-CSRF token is sent as part of the GET request's query string (the "csrf" parameter), where it travels in the URL rather than in the request body
- GET /app/save/julie.rogers@example.com?telephone=%28834%29-609-2003&country=United+States&csrf=711b9fe423ed79fe101b124f262716211122c6f5&email=julie.rogers%40example.com&action=save HTTP/1.1
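The two observations in these notes (a state-changing POST form with no anti-CSRF parameter, and a token carried in a GET query string where it lands in Referer headers, proxy/server logs and browser history) can be checked automatically over captured requests. The following checker is an added example, not part of the original notes; the set of parameter names it treats as tokens is an assumption to adjust for the application under test, and the sample captures are trimmed from the two requests above.

```python
from urllib.parse import parse_qs, urlsplit

# Parameter names commonly used for anti-CSRF tokens (assumed list; extend for the app under test).
TOKEN_NAMES = {"csrf", "csrf_token", "_csrf", "user_token", "csrfmiddlewaretoken", "authenticity_token"}

def parse_request(raw):
    """Split one raw HTTP/1.1 request into (method, target, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").strip("\n").partition("\n\n")
    request_line, *header_lines = head.split("\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target, headers, body

def token_params(encoded):
    """Names in a urlencoded query or body that look like anti-CSRF tokens."""
    return sorted(n for n in parse_qs(encoded, keep_blank_values=True) if n.lower() in TOKEN_NAMES)

def audit_request(raw):
    """Return CSRF-related findings for one captured request (empty list = nothing flagged)."""
    method, target, headers, body = parse_request(raw)
    url, findings = urlsplit(target), []
    form = "application/x-www-form-urlencoded" in headers.get("content-type", "")
    # 1. State-changing POST form with no token: the request is forgeable from any origin.
    if method == "POST" and form and not token_params(body):
        findings.append(f"no anti-CSRF token in POST body: {url.path}")
    # 2. Token in the URL: it ends up in Referer headers, proxy/server logs and browser history.
    for name in token_params(url.query):
        findings.append(f"anti-CSRF token '{name}' in {method} query string: {url.path}")
    # 3. Token already leaking through the Referer header of this request.
    for name in token_params(urlsplit(headers.get("referer", "")).query):
        findings.append(f"Referer leaks anti-CSRF token '{name}'")
    return findings

# Constructed samples, trimmed from the two captures in these notes.
NO_TOKEN_POST = (
    "POST /api/update-profile HTTP/1.1\nHost: xss.htb.net\n"
    "Content-Type: application/x-www-form-urlencoded\nCookie: auth-session=REDACTED\n\n"
    "email=ela.stienen%40example.com&telephone=%28402%29-455-9682&country=France"
)
TOKEN_IN_GET = (
    "GET /app/save/julie.rogers@example.com?telephone=%28834%29-609-2003&country=United+States"
    "&csrf=711b9fe423ed79fe101b124f262716211122c6f5&action=save HTTP/1.1\n"
    "Host: csrf.htb.net\nReferer: http://csrf.htb.net/app/save/julie.rogers@example.com\n\n"
)

if __name__ == "__main__":
    for raw in (NO_TOKEN_POST, TOKEN_IN_GET):
        print(audit_request(raw))
```

Feed it the raw requests exported from Burp's proxy history (one request per string) to triage every state-changing endpoint rather than inspecting them one at a time.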