[Tutorial] CSRF - an enemy you must know (+Noob friendly)

Prince

Today I'm going to explain a web vulnerability that not everyone knows, even though it is very common.
This vulnerability is dangerous and effective, and it is hard to trace back to the attacker: the forged request is sent by the victim's own browser with the victim's own cookies, so the server's logs show the victim performing the action.
This vulnerability is called Cross Site Request Forgery (CSRF).
CSRF, and the way to exploit it, is extremely easy; much easier than all the complicated injections.

How does it work?

It works by forcing the victim's browser to send HTTP requests that perform actions on the victim's behalf, for example:
- faking or stealing permissions (changing the account's email, password or other settings)
- transferring funds out of a bank account
- disrupting the normal flow of the site
And much more.

Requirements for exploiting CSRF:
- The victim must have a live session (cookie) on the target site, or be authenticated by a mechanism the browser replays automatically on every request, such as HTTP Basic authentication.
- The target action must be predictable: the attacker has to know the URL and the parameter names in advance, and the request must not contain a secret value the attacker cannot guess.
In other words, to make the victim perform an action he is not aware of, the victim must be logged in to the target site so that his browser attaches his credentials to every request it sends there, including the requests the attacker triggers.

Common ways to deliver CSRF attacks.

The most common attack uses the image tag (img src) in an HTML document. The SRC of the image tag is given a malicious link, so that loading the "image" sends an HTTP GET request to the target. The advantages of the image tag over a normal link tag (a href) are:
- The image tag does not require a click. A link only sends its HTTP request when the user clicks it.
- Browsers fetch visual objects and remote files (images, CSS, JS, etc.) while the page loads, without asking the user. The user only has to open a page; the browser then sends every HTTP request needed to render it, attaching the cookies it holds for each destination.
Since the browser treats the img tag as an image, it sends the request even when the SRC is not really a picture but a malicious URL. The response is simply discarded (the image fails to render), which does not matter: the damage is done by the request itself.
Note that an img tag can only issue GET requests. For actions that the server accepts only via POST you need a hidden form that is submitted automatically by a script when the page loads.
Those of you who use Firebug (Firefox add-on) can see in the following snapshot an example of the browser sending an HTTP request to the server to load an image while the user is logged in:


CSRF attacks can also be delivered through email messages, not only through websites. Since mail clients render HTML, an embedded image is perfectly legal. So I can send a malicious email to a huge number of recipients with an image tag in the body whose SRC is the malicious link; when a victim opens the email while logged in to the target site, the desired action is performed. Keep in mind that many mail clients block remote images by default or load them through a proxy without the victim's cookies, so in those cases the victim has to allow the images first for the request to reach the target with his session.

Exploiting code examples:


Using an img tag:
<img style="display:none;" src="http://targetsite.co...ssword=123456">

Using an iframe tag (the frame is loaded with the victim's cookies just like an image, and can also carry a self-submitting form for POST actions):
<iframe style="display:none;" src="http://targetsite.co...ssword=123456"></iframe>

JavaScript, using the Image object (assigning src is what triggers the request; the object never has to be added to the page):
<script>var poniz = new Image(); poniz.src = "http://targetsite.co...ssword=123456";</script>

Exploiting sequence

Here is a cool example that actually belongs to black-hat SEO.
Since almost everyone sets a home page / favourite website address in their forum profile, what I want to check is which parameters are sent to the HTTP server when I update my home page via the user control panel.
There are a variety of fields that can be updated, such as address, phone, email, name, and most importantly for this example: the favourite website / home page address.

These parameters are sent to the server when I update my website address. This is how it looks in Firebug:


These parameters are sent to the server with the POST method, so we do not see them in the URL. But what if the same parameters are sent via GET instead? Will the data still be saved? Let's see.

It works! (Actually, in the server-side PHP code the variable was read from $_REQUEST, which merges $_GET, $_POST and $_COOKIE, so the server does not care which method delivered the parameter. That is exactly what lets a plain <img src> GET do the job.)

Now... imagine I create a dork like this one:
site:targetsite.com intext:"Homepage" intext:"email: "

Now I've got the emails of all the users, and I can send them an email containing an img tag. When they open it while logged in to the forum, the home page / website address field in their profile changes to the URL I chose.

How to prevent it?

There are not many airtight, well-known solutions for preventing CSRF attacks, but one is standard: tokens.
What are tokens? A token is a hidden, unpredictable random value that the server puts into every form that performs a sensitive action (login, forms that let registered users update their data or home page, in our case) and also stores in the user's session. When the form is submitted, the server compares the submitted value with the stored one and refuses the request if they do not match.

<input type="hidden" name="8pssf18ssdmf8s7p80fodi" value='1' id="token" />

(In this example the random value sits in the name attribute; the usual layout is a fixed name such as csrf_token with the random string in the value. Either way the server must tie the token to the session and check it on every state-changing request, not only on the form that renders it.)

Since the token is random and bound to the victim's session, the attacker cannot know it, so he cannot build a request the server will accept. Many sites rotate the token on every page load, which also limits how long a leaked token stays useful.

Two further checks are worth adding next to tokens: reject state-changing requests whose Origin (or Referer) header does not match your own site, and set the SameSite attribute on the session cookie so the browser does not attach it to cross-site requests in the first place.

Tips:
- Don't forget to delete your cookies (log out) when you are done with a site; a CSRF attack only works while you have a live session.
- Use tokens. A captcha bound to the session is stronger, since the attacker cannot know the answer either, but it annoys users on every action.
- When you build your PHP site, don't read state-changing parameters from the $_GET or $_REQUEST super-globals; accept them only from $_POST. This alone does not stop CSRF (a hidden form can POST), but it removes the trivial <img src> attack.

Bypassing the tokens is easy (at least for me)... but I just gave you the most used solution.
My solution is to build a captcha system that is based on sessions... :3



Well...I'm done :)
Thanks for viewing my thread, and I hope you learned something!

Note: when a site is XSSable, it is a very good injection point for CSRF (a script running on the target's own origin can even read the anti-CSRF token out of the page before sending the request). But XSS is not required: you can launch a CSRF attack against the target site even from your own localhost... it's all about the HTTP requests.