Skip to main content

Cross Site Request Forgery 




Cross site Request forgery leverages trust a website has in the user(or at least the user’s browser)


CSRF takes advantage of active session a browser has with the target site:


  • The attack is possible due to predictable parameters on the sensitive transactions
  • An example money transaction user case might have two predictable parameters : Dest account & and Amount


CSRF is similar to XSS , but it doesn’t require that the attacker inject code into a web application. CSRF simply leverages the fact that web servers trust the authenticated users, and is possible to pass un-authorized commands from client to there sever without users knowledge.These commands are then executed on server with clients authenticated privileges.


Walkthrough 

——————


  • Attacker determines a link to initiate a transaction that uses predictable parameters
  • Attacker posts the link on a site he controls :
    • The site could even be a Facebook page or similar 
    • Or attacker to force the users to the site through DNS poisoning.
  • User logs into the application normally
  • While users are still logged in, they browse the link from the attacker
  • The link could be 
    • Image tag
    • An iframe
    • Css or Javascript import
    • XMLHTTP
  • This initiates transaction as the victim
  • The application isn’t aware that user didn’t mean to submit the transaction



CSRF covers scripting requests in general, but most concerning types could easily be called the script-based web session hijacking. Take the CiscoWorks example.


Imagine that a Cisco works admin, bob, is logged in to a Cisco works web console while doing other work. Attacker inserts a malicious link into a comment section on a popular IT website. When bob visits the website and clicks the link, his browser is directed to request the link, which executes functions within the Cisco works server. At this time attacker could be requesting changes to the network, potentially opening up holes for a later attacks.



Detecting CSRF

————————


  • Find pages that have sensitive actions & have predictable parameters
  • Then create a HTML document that contains a tag referring to the sensitive page.
  • After log in , acmes the created document.
  • Verify if the functionality actually ran.






https://twitter.com/YourNextBugTip/status/1233956268072521728/photo/1


https://twitter.com/Manojkhd/status/1231175934285271041



Bypassing GitHub's OAuth flow



https://blog.teddykatz.com/2019/11/05/github-oauth-bypass.html

Comments

Post a Comment

Popular posts from this blog

WordPress Common Issue Notes

  WordPress: /wp-content/plugins/sfwd-lms/wpml-config.xml /wp-content/plugins/omni-secure-files/plupload/examples/upload.php /wp-content/plugins/contus-hd-flv-player/uploadVideo.php wp-json/th/v1/user_generation /wp-admin/admin-ajax.php?do_reset_wordpress=1 Wordpress xmlrpc.php -common vulnerabilites & how to exploit them https://medium.com/@the.bilal.rizwan/wordpress-xmlrpc-php-common-vulnerabilites-how-to-exploit-them-d8d3c8600b32
Post a Comment
Read more

Electron JS Security Checklist

Electron Js Security Checklist Disable nodeIntegration for untrusted origins/Do-not Enable Node-Integration Risk  If enabled, nodeIntegration allows JavaScript to leverage Node.js primitives and modules. This could lead to full remote system compromise if you are rendering untrusted content. Auditing nodeIntegration and nodeIntegrationInWorker are boolean options that can be used to determine whether node integration is enabled.  Auditing For BrowserWindow, default is true. If the option is not present, or is set to true/1, nodeIntegration is enabled as in the following examples:  mainWindow = new BrowserWindow({ "webPreferences": { "nodeIntegration": true, “nodeIntegrationInWorker": 1 } });  Or simply:  mainWindow = new BrowserWindow() For webview tag, default is false.  When this attribute is present, the guest page in webview will have node integration: When sanbox is enabled (see below), nodeintegration is disabled. Please note that it is also possible to u
Post a Comment
Read more

Threat Intelligence in Sagan Using Bro Intelligence Framework

Introduction Monitoring Network Traffic for malicious activities is one of the priorities for an network IDS, what if the network IDS can take in threat intelligence data to look out for malicious domains, Ip addresses, emails,file-hashes and so on, sagan has one such feature called Bro intelligence framework this write up  will give you an insight on how to install configure and use bro intel framework in sagan. I have been working with sagan for few months now, it has been really hard to put all the pieces together and you don't really find any perfect documentation or tutorials regarding sagan and its features at one place. Sagan is an open source real time log analysis and correlation engine that runs on Unix Operating Systems, sagan's rules are quite similar to SNORT. Sagan can record events to the snort unified 2 output format which allows it to be compatible with user interfaces such as Squil,Snorby,Graylog. Sagan has lot more capabilities than being a Log Anal
Post a Comment
Read more