CSRF - APPRENTICE
tags: Portswigger Web Security Academy Web
Lab: CSRF vulnerability with no defenses
- Description: This lab’s email change functionality is vulnerable to CSRF.
- Goal: To solve the lab, craft some HTML that uses a CSRF attack to change the viewer’s email address and upload it to your exploit server.
- You can log in to your own account using the following credentials: wiener:peter
- Hint: You cannot register an email address that is already taken by another user. If you change your own email address while testing your exploit, make sure you use a different email address for the final exploit you deliver to the victim.
Background
- How a CSRF attack works
- Reference: [Day25] - Web for Beginners series: CSRF
- The user logs in to a website
- After authentication, the site sets a cookie in the user's browser
- The user clicks a link containing malicious code, or directly visits a third-party site, and views a page containing the following HTML:
  `<img src=http://www.***.com/transfer.php?id=5&money=22>`
- The malicious code sends the request with the user's identity (the browser attaches the cookie), which is the CSRF
- The user's account has lost money QQ

Common CSRF techniques
- HTML tags
  - `<img>` tag: `<img src="malicious link">` issues a GET request to the third-party site; the browser attaches the user's cookie to that GET request
  - `<script>` tag: `<script src="malicious link">`
  - `<iframe>` tag: `<iframe src="malicious link">`
Recon
- According to the description: it says the email change function is vulnerable to CSRF, so maybe I can log in with the username and password they provided.

- Find where the CSRF is: Then I tried to change my email and capture the request

- Then we can forge a website and get the victim to access it. In this lab, PortSwigger provides an exploit server that can simulate the victim accessing it.
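Why the request captured above works cross-site, and what the missing defense would look like, as an added example (not PortSwigger's lab code): a constructed in-memory stand-in for the email-change endpoint, with the lab's vulnerable behaviour beside a version that checks a per-session CSRF token and the Origin header. The endpoint path, session id, origins and email addresses are all assumed/constructed.

```python
import hmac
import secrets

# Constructed in-memory stand-in for the lab's email-change endpoint
# (assumed to be POST /my-account/change-email with an "email" field).
# It is not PortSwigger's code; only the vulnerable/fixed contrast matters.
SESSIONS = {
    "sess-wiener": {"user": "wiener", "email": "wiener@example.com",
                    "csrf": secrets.token_hex(16)},
}

def _session(request):
    """Resolve the session from the cookie the browser attached."""
    return SESSIONS.get(request.get("cookies", {}).get("session"))

def change_email_vulnerable(request):
    """Lab behaviour: the cookie alone authorises the change, so a
    form auto-submitted from any other site succeeds."""
    sess = _session(request)
    if request["method"] != "POST" or sess is None:
        return 401
    sess["email"] = request["form"]["email"]
    return 200

def change_email_fixed(request, site_origin="https://lab.example"):
    """Same handler with two defences: a per-session CSRF token that a
    cross-site page cannot read, and an Origin check as defence in depth."""
    sess = _session(request)
    if request["method"] != "POST" or sess is None:
        return 401
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != site_origin:
        return 403
    token = request["form"].get("csrf", "")
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    sess["email"] = request["form"]["email"]
    return 200

def cross_site_request(new_email):
    """What the browser sends when a page on the exploit server submits the
    form: the session cookie rides along, but no token and a foreign Origin."""
    return {"method": "POST", "cookies": {"session": "sess-wiener"},
            "headers": {"Origin": "https://exploit.example"},
            "form": {"email": new_email}}

def same_site_request(new_email):
    """The legitimate submission from the site's own page, token included."""
    return {"method": "POST", "cookies": {"session": "sess-wiener"},
            "headers": {"Origin": "https://lab.example"},
            "form": {"email": new_email, "csrf": SESSIONS["sess-wiener"]["csrf"]}}
```

The vulnerable handler accepts the cross-site request (200) and changes the email, while the fixed one rejects it (403) and still accepts the site's own form.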
Exp
Directly generate the CSRF PoC with Burp Suite

Exploit Payload:
