LabEx
Log In Join For Free

🚧 Cross-Site Request Forgery (CSRF)

Beginner

Introduction

In this lab, you will learn about Cross-Site Request Forgery (CSRF), a type of web application vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user. The goal of this lab is to understand the concept of CSRF, perform a CSRF attack, and learn how to mitigate CSRF vulnerabilities.

Understanding CSRF

In this step, you will learn about the basics of CSRF and how it differs from other vulnerabilities like Cross-Site Scripting (XSS).

Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a web application fails to properly validate the source of a request. It allows an attacker to perform unauthorized actions on behalf of an authenticated user by exploiting the trust the web application has in the user's session.

Unlike XSS attacks, which involve injecting malicious scripts into a website, CSRF attacks rely on the web application's trust in the user's session and take advantage of the fact that the application cannot distinguish between legitimate and forged requests.

Here's an example to illustrate how a CSRF attack can occur:

  1. Alice, an authenticated user of a web application, visits an attacker's website while still logged in to the web application.
  2. The attacker's website contains a malicious link or form that triggers a request to the vulnerable web application.
  3. Since Alice is still authenticated with the web application, the malicious request is processed as if it came from Alice herself, potentially performing unauthorized actions such as transferring funds, modifying account settings, or posting content on her behalf.

CSRF attacks can have serious consequences, as they can lead to data theft, account hijacking, and other types of unauthorized actions. It's important for web applications to implement proper CSRF protection mechanisms to prevent such attacks.

Performing a CSRF Attack

In this step, you will perform a CSRF attack on the Damn Vulnerable Web Application (DVWA) to understand how it works in practice.

  1. Start the DVWA virtual machine and access the DVWA web interface.
  2. Log in to DVWA with the default credentials (username: admin, password: password).
  3. Change the security level to "low" by navigating to the "DVWA Security" page and selecting "Low" from the dropdown menu.
  4. Navigate to the "CSRF" vulnerability page.
  5. Observe the "Change Password" form, which allows you to change the password without knowing the current password.
  6. Open a new tab or window and navigate to the same CSRF vulnerability page, ensuring that you are still logged in.
  7. Copy the URL containing the new password and password confirmation parameters, e.g., http://192.168.122.102/dvwa/vulnerabilities/csrf/?password_new=newpassword&password_conf=newpassword&Change=Change#.
  8. Paste the copied URL into the address bar and press Enter.
  9. You should see a message indicating that the password has been changed successfully.
  10. Log out of DVWA and try to log in with the new password to verify that the CSRF attack was successful.

Here's an example code snippet:

<!-- csrf-attack.html -->
<html>
  <body>
    <a
      href="http://192.168.122.102/dvwa/vulnerabilities/csrf/?password_new=newpassword&password_conf=newpassword&Change=Change#"
      target="_blank"
      >Click me to change your password</a
    >
  </body>
</html>

By clicking the link in the csrf-attack.html file, you can trigger a CSRF attack and change the password of an authenticated user without their knowledge.

Mitigating CSRF Vulnerabilities

In this step, you will learn techniques to mitigate CSRF vulnerabilities and prevent unauthorized actions.

One common technique to prevent CSRF attacks is to use a synchronizer token pattern, also known as a CSRF token. This involves generating a unique, unpredictable token for each user session and including it as a hidden field in forms or as a parameter in requests. The server then validates the presence and correctness of the token for any state-changing requests.

Here's an example of how to implement CSRF protection using a token in a PHP web application:

<?php
// Start the session
session_start();

// Generate a CSRF token if it doesn't exist
if (!isset($_SESSION['csrf_token'])) {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

// Function to generate a CSRF token form field
function csrf_token_field() {
    return '<input type="hidden" name="csrf_token" value="' . $_SESSION['csrf_token'] . '">';
}

// Function to verify the CSRF token
function verify_csrf_token() {
    if (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== $_SESSION['csrf_token']) {
        die('CSRF token validation failed.');
    }
}

// Example usage
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Verify the CSRF token
    verify_csrf_token();

    // Process the form data
    // ...
}
?>

<!-- example-form.php -->
<form method="post" action="example-form.php">
    <?php echo csrf_token_field(); ?>
    <!-- Other form fields -->
    <input type="submit" value="Submit">
</form>

In this example, a CSRF token is generated and stored in the session when the user first visits the site. The csrf_token_field() function generates an HTML input field with the CSRF token value, which is included in the form. On the server-side, the verify_csrf_token() function is called to validate the CSRF token for any state-changing requests (e.g., POST requests).

By implementing CSRF protection mechanisms, web applications can significantly reduce the risk of CSRF attacks and ensure the integrity of user actions.

Summary

In this lab, you learned about Cross-Site Request Forgery (CSRF), a web application vulnerability that allows an attacker to perform unauthorized actions on behalf of an authenticated user. You performed a CSRF attack on the Damn Vulnerable Web Application (DVWA) and witnessed how an attacker can change a user's password without their knowledge. Additionally, you explored techniques to mitigate CSRF vulnerabilities, such as implementing a synchronizer token pattern or CSRF token. By understanding and practicing CSRF attacks and mitigation techniques, you gained practical knowledge to secure web applications against this type of attack.

Other Tutorials you may like

We use cookies for a number of reasons, such as keeping the website reliable and secure, to improve your experience on our website and to see how you interact with it. By accepting, you agree to our use of such cookies. Privacy Policy